Formulating an IT security risk assessment methodology is a key part of building a robust information security risk management program.
The two most popular types of risk assessment methodologies used by assessors are:
- Qualitative risk analysis: A scenario-based methodology that uses different threat-vulnerability scenarios to try to answer "what if" type questions. These assessments are subjective in nature.
- Quantitative risk analysis: Assigns a numeric value to different risk assessment components. Assessors aim to quantify all elements (asset value, threat frequency, safeguard effectiveness, uncertainty and probability) to answer questions like "How much would a data breach cost us?" and "How long is an acceptable amount of time offline before we need to initiate our incident response plan?"
What is a Risk Assessment?
A risk assessment is a process that aims to identify cybersecurity risks, their sources and how to mitigate them to an acceptable level of risk.
The process generally starts with a series of questions to establish an inventory of information assets, procedures, processes and personnel.
This allows your organization and its assessors to understand what your key information assets are and which pose the highest risk. Risk is generally calculated as the impact of an event multiplied by the frequency or probability of the event.
Regardless of whether your organization uses a qualitative or quantitative risk assessment process, there is some level of decision making required. This generally comes in the form of a cost/benefit analysis to determine which risks are acceptable and which must be mitigated.
A robust risk assessment process will focus on all aspects of information security including physical and environment, administrative and management, as well as technical controls.
This is a laborious process for assessors that requires strong quality assurance and project management skills, and it becomes harder as your organization grows, driven by the increasing pace of change in information systems, processes and personnel, as well as the introduction of new cyber threats, vulnerabilities and third-party vendors.
When Should Risk Assessments Be Conducted?
Risk assessments must be conducted across the lifecycle of an information asset, as business needs change and new attack vectors emerge.
By employing a continuous risk assessment approach, organizations can identify emerging cybersecurity risks and controls that need to be put in place to address them.
As with any other process, security needs to be continually monitored, improved and treated as a part of overall product/service quality.
Consider conducting a risk assessment whenever security gaps or risk exposures are found, as well as when you are deciding to implement or drop a certain control or third-party vendor.
As with any information risk management process, this is largely based on the CIA triad (confidentiality, integrity and availability) and your business needs.
To streamline the risk assessment process, organizations should have internal security policies and standards that mandate security requirements, processes and procedures across the organization and its vendors, e.g. only using third-party vendors with SOC 2 assurance and a security rating above 850.
Why is a Risk Assessment Process Important?
Risk assessments identify key information assets, what their value is (qualitative or quantitative) to the organization, as well as its customers and partners.
With this information, management is better able to understand its risk profile and whether existing security controls are adequate.
This is becoming increasingly important due to the rise of outsourcing and a growing reliance on vendors to process, store and transmit sensitive data, as well as to deliver goods and services to customers.
Pair this with growing regulation focused on the protection and disclosure of personally identifiable information (PII) and protected health information (PHI), and the need for a clear risk assessment methodology has never been higher.
Understand that every piece of technology, every vendor and every employee is a potential attack vector, whether from social engineering attacks like phishing and spear phishing or technology-based attacks like exploitation of CVE-listed vulnerabilities, man-in-the-middle attacks, ransomware and other types of malware.
To minimize potential loss and remain operational, every level of your organization needs to understand security requirements, and a robust risk assessment methodology can do a lot to mitigate identified risks.
As a result of risk assessments, staff become more aware of cyber threats and learn to avoid bad practices that could be detrimental to information security, data security and network security, raising security awareness and helping incident response planning.
Is a Quantitative or Qualitative Risk Assessment Methodology Better?
There are pros and cons to quantitative and qualitative risk assessment methodologies. Best-in-class organizations employ a hybrid approach that takes into account quantitative and qualitative inputs.
Risk management is focused on making risk-adjusted decisions to enable your organization to operate efficiently, while taking on as much or as little risk as you deem acceptable.
And the only way to do that is to understand what risks you have, what you are willing to accept and which you wish to transfer, mitigate or avoid. For example, you may choose to ignore a high risk with extremely low probability, e.g. Amazon discontinuing Amazon Web Services, because you decide it's not cost effective to mitigate it.
In contrast, a different organization with a lower risk tolerance may decide to straddle two cloud service providers to mitigate the risk.
Regardless of your risk profile, there is always residual risk as it's just not cost effective to mitigate everything.
Advantages of qualitative risk analysis:
- Qualitative analysis is a simpler assessment approach; there aren't any complex calculations
- Determining the monetary value of assets isn't necessary, which matters because intangible assets like reputation and customer goodwill are hard or impossible to value
- It is not necessary to quantify threat frequency
- Easier to involve non-security and non-technical staff
Disadvantages of qualitative risk analysis:
- Subjective in nature
- Results and quality of the assessment depend on the expertise and quality of the risk management team
- Limited effort to understand the monetary value of assets
- No cost/benefit analysis for risk mitigation techniques, e.g. the cost of implementing security controls and security policies
Advantages of quantitative risk analysis:
- Quantitative analysis is based on objective processes and metrics, removing subjectivity
- Asset values and risk mitigation options are well understood
- Cost/benefit assessments are heavily employed, helping senior management mitigate high-risk activities first
- Results can be expressed in management-specific language (e.g. monetary value and probability)
Disadvantages of quantitative risk analysis:
- Quantitative approaches can be complex and time-consuming
- Historically only works well with a recognized automated security management tool and associated knowledge base
- Requires preliminary work to collect and quantify different risk information
- Generally not focused on the personnel level, so security awareness training may be overlooked
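The quantitative side of the comparison above, and the "risk = impact x frequency" definition and cost/benefit decision described earlier, are easier to see with numbers attached. The following is an added example, not code from the original article: a small risk register that computes inherent annual risk for each threat-vulnerability scenario, ranks the scenarios, applies a proposed control, and decides whether to accept, mitigate, or transfer/avoid each risk. The scenarios, loss figures, frequencies, control costs, the risk appetite and the qualitative band thresholds are all constructed sample values, and the control model (a fractional reduction in frequency and/or per-event impact) is an assumption of this example.

```python
"""Worked quantitative risk assessment (added example with constructed data).

Risk is computed as impact x annual frequency, following the article's
definition. A control is modelled as reducing some fraction of the event
frequency and/or some fraction of the per-event loss; that model, and every
figure in REGISTER, is an assumption made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    """One threat-vulnerability scenario expressed in quantitative terms."""
    name: str
    impact: float            # expected loss per occurrence, in currency units
    annual_frequency: float  # expected occurrences per year

    def annual_risk(self) -> float:
        # The article's formula: impact multiplied by frequency (annualised here).
        return self.impact * self.annual_frequency


@dataclass(frozen=True)
class Control:
    """A safeguard, with its running cost and the reductions it is assumed to achieve."""
    name: str
    annual_cost: float
    frequency_reduction: float = 0.0  # fraction of occurrences prevented (0..1)
    impact_reduction: float = 0.0     # fraction of per-event loss avoided (0..1)


def residual_risk(s: Scenario, c: Control) -> float:
    """Annual risk left after the control is applied; rarely zero, which is the residual risk the article mentions."""
    reduced_impact = s.impact * (1.0 - c.impact_reduction)
    reduced_frequency = s.annual_frequency * (1.0 - c.frequency_reduction)
    return reduced_impact * reduced_frequency


def net_benefit(s: Scenario, c: Control) -> float:
    """Cost/benefit: annual risk avoided by the control minus what the control costs to run."""
    return s.annual_risk() - residual_risk(s, c) - c.annual_cost


def qualitative_band(annual_risk: float) -> str:
    """Translate the number back into a management-friendly rating (thresholds are assumed)."""
    if annual_risk >= 50_000:
        return "High"
    if annual_risk >= 10_000:
        return "Medium"
    return "Low"


def decide(s: Scenario, c: Control, appetite: float) -> str:
    """Accept risk within appetite; mitigate when the control pays for itself; otherwise transfer (e.g. insure) or avoid."""
    if s.annual_risk() <= appetite:
        return "accept"
    if net_benefit(s, c) > 0:
        return "mitigate"
    return "transfer-or-avoid"


def assess(register: List[Tuple[Scenario, Control]], appetite: float) -> List[Dict]:
    """Rank scenarios by inherent annual risk, highest first, with the decision for each attached."""
    rows = []
    for s, c in register:
        rows.append({
            "scenario": s.name,
            "annual_risk": s.annual_risk(),
            "band": qualitative_band(s.annual_risk()),
            "control": c.name,
            "residual_risk": residual_risk(s, c),
            "net_benefit": net_benefit(s, c),
            "decision": decide(s, c, appetite),
        })
    rows.sort(key=lambda r: r["annual_risk"], reverse=True)
    return rows


# Constructed sample register: the figures are illustrative, not real loss data.
RISK_APPETITE = 5_000.0  # assumed annual expected loss the organization will carry without action
REGISTER = [
    (Scenario("Phishing leads to credential theft", impact=50_000, annual_frequency=2.0),
     Control("MFA plus awareness training", annual_cost=20_000, frequency_reduction=0.8, impact_reduction=0.5)),
    (Scenario("Ransomware on file server", impact=400_000, annual_frequency=0.1),
     Control("Offline, tested backups", annual_cost=15_000, impact_reduction=0.75)),
    (Scenario("Data centre fire", impact=5_000_000, annual_frequency=0.01),
     Control("Fire suppression upgrade", annual_cost=100_000, frequency_reduction=0.5)),
    (Scenario("Primary cloud provider discontinues service", impact=2_000_000, annual_frequency=0.001),
     Control("Second cloud provider on standby", annual_cost=120_000, frequency_reduction=0.9)),
]

if __name__ == "__main__":
    for r in assess(REGISTER, RISK_APPETITE):
        print(f"{r['scenario']:<46} risk={r['annual_risk']:>9,.0f} ({r['band']:<6}) "
              f"residual={r['residual_risk']:>9,.0f} net={r['net_benefit']:>9,.0f} -> {r['decision']}")
```

Running it reproduces the article's reasoning: the cloud-provider scenario has a very large impact but such a low frequency that its annual risk sits inside the appetite and is accepted, the phishing and ransomware controls more than pay for themselves and are mitigated, and the fire scenario is one where the proposed control costs more than the risk it removes, so it is a candidate for transfer (insurance) rather than mitigation. The qualitative band column is the hybrid step: the same numbers reported in the language management uses.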
What are the Obstacles to Effective Risk Management?
A common complaint from security management teams is that they do not have the time to do in-depth risk assessments.
Even for those that do, they often struggle with where to start. This is because there isn't one industry standard that everyone accepts as best practice.
Moreover, most guidelines, like ISO 27001 and NIST SP 800-26 (Security Self-Assessment Guide for Information Technology Systems), are general in nature and don't provide enough detail about how to conduct a proper risk assessment.
This has led to many organizations outsourcing the risk management process to external vendors who have expertise in conducting proper risk assessments. They can also help your organization create effective policies like a vendor management policy and third-party risk management framework.
However, as organizations grow in size and complexity and the number of third-party vendors grows, it becomes expensive to outsource. You also don't want your organization to become reliant on an external vendor to make important business and risk mitigation decisions.
This is why more and more organizations are insourcing their risk management and vendor risk management programs.
Cyber security ratings tools can help scale your risk management team by automatically monitoring and assessing first, third and fourth-party security posture. This allows your risk management team to focus on the highest-risk, highest-impact fixes first and exponentially increases the number of third-party vendors one person can manage.
If your organization lacks risk management expertise or just wants to scale its risk management team, consider investing in a tool that can automate vendor risk management, provide vendor risk assessment questionnaire templates and monitor for first-party risk and leaked credentials.