If you're responsible for the overall security of your company, in any way, you need to be familiar with the basics of Risk Assessments. How do we eat an elephant? One bite at a time. Let's look at the basics of how Risk Assessments are conducted, and let's stay away from those poor elephants.
You may not be the one rolling up your sleeves conducting the assessment, but you may be responsible for steering the company around any determined risks. You may be asking yourself "How in the hell would someone conduct a risk assessment? I don't know where to start and the Google results are confusing me." Don't panic.
The four basic steps of Risk Assessment are:
- Step 1: Risk Identification
- Step 2: Risk Analysis
- Step 3: Risk Evaluation
- Step 4: Risk Treatment
1. Risk Identification
The first step in your assessment is to identify the risks. This phase looks at every asset that needs protection (systems, apps, information/data) and works out, for each one, the threats (who or what could cause harm) and the vulnerabilities (the weaknesses a threat could exploit). It also includes determining the value of each asset, because that value is what drives the impact rating later. You can't assess what you don't know you have, so this step usually starts from an asset inventory.
Basically: what are our assets, and what vulnerabilities or threats do we have? Let's write those down and determine where to go from here.
In this example, I keep getting hurt doing yard work. I've determined the places I get hurt are:
- A) Scrapes and bruises on my hands.
- B) Sneezing from allergies.
- C) Blunt force trauma to my head from rakes in the yard. I keep stepping on rakes which smack my head like a cartoon character.
2. Risk Analysis
The second step is analyzing your risk. This should always begin with a vulnerability assessment and a threat analysis. For each threat and vulnerability found in step one, we need to determine two things and rate them: the likelihood that it actually happens, and the impact if it does. Risk is the combination of the two, which is why a scary-sounding vulnerability can still be a low risk.
We may determine something has a low chance of actually happening, like a fire starting at Sea Parks. (See IT Crowd Season 4, Episode 4 for more on that.) We may determine something is a high vulnerability, like a laptop that's not encrypted, but a low probability of anything happening because it's locked up in a safe inside Fort Knox. Note that the impact hasn't changed in that example (if the laptop is ever lost, all of its data is exposed); only the likelihood is low.
In this example, I've determined:
- A) Low risk. This rarely happens (low likelihood) and isn't a big deal (low impact).
- B) Medium risk. This happens a lot (high likelihood), but isn't too particularly harmful overall (low impact).
- C) Critical risk. This hurts a lot and happens a lot (high impact, high likelihood). This is also a highly sensitive area we need to protect, my noggin, so let's rate this as critical.
For a more detailed look, risk can be rated qualitatively (low/medium/high/critical, like the list above) or quantitatively. The classic quantitative formulas are SLE = AV × EF (Single Loss Expectancy is Asset Value times the Exposure Factor, the fraction of the asset's value lost in one incident) and ALE = SLE × ARO (Annualized Loss Expectancy is SLE times the Annualized Rate of Occurrence, the number of incidents expected per year). For now, we'll stick to the basics.
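As an added worked example (this is my illustration, not something from the assessment described in the post), here are both the qualitative rating and the quantitative formulas in Python. The 1-to-5 scales and the rating bands, the laptop fleet's dollar figures, and the cost of full-disk encryption are all constructed assumptions; your organization will set its own scale and plug in its own numbers.

```python
"""Added example: qualitative and quantitative risk rating.

Qualitative: rate likelihood and impact on 1..5 scales and band the product.
Quantitative: SLE = AV x EF, ALE = SLE x ARO, and the annual value of a control.
All scales, thresholds and dollar figures below are constructed assumptions.
"""


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Band a likelihood x impact score (each 1..5) into low/medium/high/critical.

    The bands (<=4 low, 5-9 medium, 10-15 high, >=16 critical) are an assumption;
    real programs define their own matrix and thresholds.
    """
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    score = likelihood * impact
    if score >= 16:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset's value lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is expected incidents per year and may be below 1
    (an incident expected once every five years has ARO = 0.2)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def control_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Annual value of a safeguard: the ALE it removes, minus what it costs to run.

    Positive means mitigation pays for itself; zero or negative means accepting
    or transferring the risk deserves a serious look instead.
    """
    return (ale_before - ale_after) - annual_control_cost


def recommend_treatment(ale_before: float, ale_after: float, annual_control_cost: float) -> str:
    """Crude treatment pick from the cost/benefit alone. It ignores legal and
    reputational factors, which the dollar figures never capture."""
    value = control_value(ale_before, ale_after, annual_control_cost)
    return "mitigate" if value > 0 else "accept or transfer"


def yard_example() -> dict:
    """The three yard-work risks from the post, scored on the constructed scale."""
    return {
        "A scrapes": qualitative_rating(likelihood=2, impact=1),
        "B sneezing": qualitative_rating(likelihood=4, impact=2),
        "C rake to the head": qualitative_rating(likelihood=5, impact=5),
    }


def laptop_example() -> dict:
    """Constructed figures for an unencrypted laptop fleet.

    Asset value 100,000 (data plus hardware), a lost laptop exposes half of it
    (EF 0.5), and one is expected to go missing every five years (ARO 0.2).
    Full-disk encryption (assumed to cost 2,000 per year) limits the loss to the
    hardware, so EF drops to 0.05. The ARO is unchanged because encryption does
    nothing to stop laptops from being lost; it only shrinks the impact.
    """
    av, aro = 100_000.0, 0.2
    ale_before = annualized_loss_expectancy(single_loss_expectancy(av, 0.5), aro)
    ale_after = annualized_loss_expectancy(single_loss_expectancy(av, 0.05), aro)
    cost = 2_000.0
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "control_value": control_value(ale_before, ale_after, cost),
        "treatment": recommend_treatment(ale_before, ale_after, cost),
    }


if __name__ == "__main__":
    print(yard_example())
    print(laptop_example())
```

The point of `control_value` is the question every mitigation has to answer: does the control remove more expected loss per year than it costs? In the constructed laptop case the ALE drops from 10,000 to 1,000 for a 2,000-per-year control, so mitigation wins comfortably. Run the same arithmetic on a control that costs more than the loss it prevents and the numbers push you toward acceptance or transfer instead.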
3. Risk Evaluation
The third step is evaluating what to do with your risk. We need to define our risk tolerance (how much risk the business is willing to live with) and compare each rated risk against it to determine the best course of action. Anything over the line needs treatment; anything under it can be accepted on purpose. Your options are:
- Risk Avoidance: avoid the risk altogether by not doing the thing that could cause it.
- Risk Mitigation: take actions or steps to reduce it, either by lowering the likelihood or by limiting the impact.
- Risk Transfer: shift the financial consequences to someone else, like a third party or cybersecurity insurance. Keep in mind this transfers cost, not accountability; if customer data leaks, the customers still hold you responsible, and insurance policies come with exclusions.
- Risk Acceptance: accept the risk and roll the dice. Acceptance should be a documented decision by someone with the authority to make it, and revisited when the asset or threat changes, not a risk that got quietly ignored.
In this example: A) Risk Mitigation: wear gardening gloves. B) Risk Mitigation: take allergy medicine. C) Risk Mitigation: move rakes out of the yard.
Let's go over example C in a little more detail since it's a critical category:
- Not Risk Avoidance: I really need to do this yard work and my wife would be mad if I let the yard go.
- Not Risk Transfer: I could tell my wife she could do it, but then I'd be in the dog house. I could hire a landscaper, but I'm cheap and that wouldn't meet my budget.
- Not Risk Acceptance: I do not like getting hit in the head over and over. It hurts! I refuse to just accept this.
- Risk Mitigation it is: find all the rakes lying in the yard and put them in a specific place. Create a rake policy: any time I use the rake, I put it back. That way no rakes are left in the yard to forget about.
Scenario A could actually be Risk Acceptance. It rarely happens; I could just accept the risk and stop being a wuss. But wearing gardening gloves is so easy that mitigation is the more reasonable option. You may find certain vulnerabilities are so small you just accept them. You may also find certain risks are better to transfer (buy extra cybersecurity insurance) instead of taking costly measures to mitigate them. The deciding factor is the same in every case: does the treatment cost less than the risk it removes?
4. Risk Treatment
The fourth and final step is Risk Treatment. This stage is pulling the trigger and doing what you determined in the previous step. Treatment rarely drives a risk to zero, so once the control is in place, check that what's left (the residual risk) is actually inside your tolerance, and write it down so the next assessment starts from a known state.
In this example: A) Put the gloves on. B) Take the allergy medicine. C) Go out in the yard and put the rakes up now, and during yard work, follow the rake policy we've set.
These four steps are the basics of doing Risk Assessments. Using this information will make assessments and security reports way easier to digest, now that you understand where they're coming from. In a future post, I'll go into more detail on quantitative risk calculations, reporting, and risk frameworks. For now, good luck, and let's continue to make our world a little bit more secure.