Understanding Risk Assessments

A risk assessment, also referred to as a risk analysis, is a process used to identify and evaluate risks. Each risk is then quantified by its importance or impact severity, and the risks are prioritized accordingly.

Risk assessments are a major part of an overall risk management program. They help identify which risks are most important. A major difference between a risk assessment and a risk management program is that the risk assessment is created for a moment in time, whereas a risk management program is a continuous process.

A risk assessment helps identify which safeguards to implement. Safeguards are also known as controls. They are used to control or reduce risk. A control may reduce a vulnerability or reduce the impact from a threat. Either way, the control reduces the risk.

All companies have a finite amount of money. Although a security expert may continuously want more money spent on security, there is a limit. If too much money is spent on security, the profit and health of the company is affected. How much is too much? Where is the line? A risk assessment can help with determining where to draw the line.

NOTE

Companies must consider profitability and survivability. A risk assessment helps a company maintain a proper balance between these two goals.

For example, a company has collected data through years of research. The same company has data identifying which food will be served in the cafeteria next week. If security funds are being prioritized, which data will get more money? The research data, of course. Identifying the priority in this example is easy, but that’s not always the case.

NOTE

HIPAA governs the control of health-related data. SOX governs the accuracy of financial data.

Now, in this example, the same company holds data covered by both the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) laws and regulations. Which data is more important? Which data should have a higher priority of protection? What controls should be implemented to protect the data? These questions aren’t so easy to answer. Risk assessments for both the HIPAA and the SOX data could help answer these questions.

Importance of Risk Assessments

Risk assessments are an important part of the risk management process. Without a risk assessment, it is difficult to determine which systems should be protected and how to protect them. A risk assessment helps identify the most important systems to protect and provides insight into which controls will provide the most value.

A risk assessment should be completed:

  • When evaluating risk—Risk assessments are part of the overall risk management process. They are useful any time risk management is being used, which is especially true if the risks need to be prioritized.
  • When evaluating a control—A risk assessment can be used to evaluate the usefulness of a control. Managers can’t approve all controls. A risk assessment helps managers decide which controls to adopt.
  • Periodically after a control has been implemented—A risk assessment is a point-in-time document. However, risks don’t stand still. Attackers are constantly upgrading their techniques and tactics. Risk assessments should be scheduled on a regular basis after a control has been implemented. The goal is to determine whether the control is still useful.

Purpose of a Risk Assessment

Risk assessments are important tools to assist management. They help management quantify risks and identify and evaluate the effectiveness of controls. Risk assessments tend to:

  • Support decision making—A risk assessment prioritizes risks, which helps decision makers determine which risks should be reduced. As a reminder, not all risks have to be reduced. Risks can be avoided, shared or transferred, mitigated, or accepted. High-priority risks should be mitigated, but lower-priority risks may be accepted.
  • Evaluate control effectiveness—Controls are implemented to reduce a risk. A risk assessment provides insight into how effective specific controls will be for specific risks.

Developing a risk assessment involves many steps. It isn’t a task that can be completed in a single sitting, a single day, or even a single week. When done properly, developing a risk assessment involves the input of several key players. The steps involved in developing a risk assessment are as follows:

  1. Identifying threats and vulnerabilities—Losses occur when a threat exploits a vulnerability. Organizations can reduce the losses if they’ve identified likely threats and vulnerabilities.
  2. Identifying the likelihood that a risk will occur—This process can be based on historical data or opinions. For example, a risk occurred an average of four times in the past three years. If no steps are taken to reduce the risk, it will probably occur four times next year. If historical data isn’t available, experts can provide opinions on the likelihood of the risk’s occurring.
  3. Identifying asset values—The value of assets helps determine the impact of a risk. The assets can be hardware, software, or data. Some risks can affect all three.
  4. Determining the impact of a risk—This process can also be based on historical data or opinions. For example, a risk resulted in losses averaging $20,000 a year in the past three years. If no steps are taken to reduce the risk, it will probably result in a loss of about $20,000 next year. If historical data isn’t available, experts can provide opinions on the impact of the risk’s occurring.
  5. Determining the usefulness of a safeguard or control—Safeguards or controls reduce the risk or the risk’s impact. Some controls will be more effective than others. A risk assessment helps determine which ones to implement.
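The five steps above, carried through as a small quantitative register. This is an added example, not part of the chapter: it reuses the chapter's figure of four occurrences a year and a $20,000 annual loss for one risk, but the per-occurrence impact, the second risk, and the two candidate controls are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str                 # threat/vulnerability pair (step 1)
    annual_likelihood: float  # expected occurrences per year (step 2)
    impact: float             # loss per occurrence, from asset value (steps 3-4)

    def expected_annual_loss(self) -> float:
        return self.annual_likelihood * self.impact

@dataclass
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: float  # fraction of occurrences prevented, 0..1
    impact_reduction: float      # fraction of per-occurrence loss avoided, 0..1

def residual_loss(risk: Risk, control: Control) -> float:
    """Expected annual loss that remains once the control is in place."""
    return (risk.annual_likelihood * (1 - control.likelihood_reduction)
            * risk.impact * (1 - control.impact_reduction))

def control_net_benefit(risk: Risk, control: Control) -> float:
    """Step 5: loss avoided per year minus the control's yearly cost.
    Negative means the control costs more than the risk it removes."""
    return risk.expected_annual_loss() - residual_loss(risk, control) - control.annual_cost

def prioritize(risks):
    """Rank risks by expected annual loss, highest first."""
    return sorted(risks, key=lambda r: r.expected_annual_loss(), reverse=True)

# Constructed register. Likelihood from history as in step 2: 12 incidents in
# 3 years -> 4 per year. $5,000 per occurrence (assumed) gives the chapter's
# $20,000 expected yearly loss.
RESEARCH_DATA_THEFT = Risk("research data theft", 12 / 3, 5_000)
CAFETERIA_MENU_LEAK = Risk("cafeteria menu leak", 52, 10)
# Hypothetical controls for the research-data risk.
DLP = Control("data loss prevention", 6_000, 0.75, 0.0)
GOLD_PLATED = Control("dedicated monitoring team", 30_000, 0.95, 0.5)

if __name__ == "__main__":
    for r in prioritize([CAFETERIA_MENU_LEAK, RESEARCH_DATA_THEFT]):
        print(f"{r.name:26s} expected loss/yr ${r.expected_annual_loss():>10,.2f}")
    for c in (DLP, GOLD_PLATED):
        print(f"{c.name:26s} net benefit/yr   ${control_net_benefit(RESEARCH_DATA_THEFT, c):>10,.2f}")
```

The second control removes more risk but costs more than the risk is worth, which is the "not all controls have to be adopted" point in numbers.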

A risk assessment identifies threats and vulnerabilities against the current system. It assumes current controls are working as expected. Another way of saying this is that a risk assessment is performed at a moment in time based on current conditions, whereas risk management is a continuous process.
