How to Perform IT Risk Assessment

Cybersecurity is all about understanding, managing, controlling and mitigating risk to your organization’s critical assets. Whether you like it or not, if you work in security, you are in the risk management business.

Cybersecurity risk assessment is the process of identifying and evaluating risks for assets that could be affected by cyberattacks. Basically, you identify both internal and external threats; evaluate their potential impact on things like data availability, confidentiality and integrity; and estimate the costs of suffering a cybersecurity incident. With this information, you can tailor your cybersecurity and data protection controls to match your organization’s actual level of risk tolerance.

To get started with IT security risk assessment, you need to answer three important questions:

  • What are your organization’s critical information technology assets — that is, the data whose loss or exposure would have a major impact on your business operations?
  • What are the key business processes that utilize or require this information?
  • What threats could affect the ability of those business functions to operate?

Once you know what you need to protect, you can begin developing strategies. However, before you spend a dollar of your budget or an hour of your time implementing a solution to reduce risk, be sure to consider which risk you are addressing, how high its priority is, and whether you are approaching it in the most cost-effective way.

The Risk Equation

We can understand risk using the following equation:

Risk = Threat x Vulnerability x Asset

Although risk is represented here as a mathematical formula, it is not about numbers; it is a logical construct. For example, suppose you want to assess the risk associated with the threat of hackers compromising a particular system. If your network is very vulnerable (perhaps because you have no firewall and no antivirus solution), and the asset is critical, your risk is high. However, if you have good perimeter defenses and your vulnerability is low, your risk will be medium, even though the asset is still critical.

This isn’t strictly a mathematical formula; it’s a model for understanding the relationships among the components that feed into determining risk:

  • Threat is short for “threat frequency,” or how often an adverse event is expected to occur. For example, the threat of being struck by lightning in a given year is about 1 in 1,000,000.
  • Vulnerability is shorthand for “the likelihood that a vulnerability will be exploited and a threat will succeed against an organization’s defenses.” What is the security environment in the organization? How quickly can disaster be mitigated if a breach does occur? How many employees are in the organization and what is the probability of any given one becoming an internal threat to security control?
  • Cost is a measure of the total financial impact of a security incident. It includes hard costs, like damage to hardware, and soft costs, such as lost business and consumer confidence. Other costs can include:
    • Data loss — Theft of trade secrets could cause you to lose business to your competitors. Theft of customer information could result in loss of trust and customer attrition.
    • System or application downtime — If a system fails to perform its primary function, customers may be unable to place orders, employees may be unable to do their jobs or communicate, and so on.
    • Legal consequences — If somebody steals data from one of your databases, even if that data is not particularly valuable, you can incur fines and other legal costs because you failed to comply with the data protection security requirements of HIPAA, PCI DSS or other compliance

The risk assessment factors in the relationship between the three elements. For example, suppose you want to assess the risk associated with the threat of hackers compromising a particular system. If your network is very vulnerable (perhaps because you have no firewall and no antivirus solution) and the asset is critical, your risk is high. However, if you have robust perimeter defenses that make your vulnerability low, your risk will be medium, even though the asset is still critical.

Note that all three elements need to be present in order for there to be risk — since anything times zero equals zero, if one of the elements in the equation is not present, then there is no risk, even if the other two elements are high or critical.


Now let’s walk through the IT risk assessment procedure.

Step #1: Identify and Prioritize Assets

Assets include servers, client contact information, sensitive partner documents, trade secrets and so on. Remember, what you as a technician think is valuable might not be what is actually most valuable for the business. Therefore, you need to work with business users and management to create a list of all valuable assets. For each asset, gather the following information, as applicable:

  • Software
  • Hardware
  • Data
  • Interfaces
  • Users
  • Support personnel
  • Mission or purpose
  • Criticality
  • Functional requirements
  • IT security policies
  • IT security architecture
  • Network topology
  • Information storage protection
  • Information flow
  • Technical security controls
  • Physical security environment
  • Environmental security

Because most organizations have a limited budget for risk assessment, you will likely have to limit the scope of the remaining steps to mission-critical assets. Accordingly, you need to define a standard for determining the importance of each asset. Common criteria include the asset’s monetary value, legal standing and importance to the organization. Once the standard has been approved by management and formally incorporated into the risk assessment security policy, use it to classify each asset as critical, major or minor.

Step #2: Identify Threats

A threat is anything that could cause harm to your organization. While hackers and malware probably leap to mind, there are many other types of threats:

  • Natural disasters. Floods, hurricanes, earthquakes, fire and other natural disasters can destroy not just data, but servers and appliances as well. When deciding where to house your servers, think about the chances of different types of natural disasters. For instance, your area might have a high risk of floods but a low likelihood of tornadoes.
  • Hardware failure. The likelihood of hardware failure depends on the quality and age of the server or other machine. For relatively new, high-quality equipment, the chance of failure is low. But if the equipment is old or from a “no-name” vendor, the chance of failure is much higher.
  • Human error. This threat should be on your list, no matter what business you are in. People can accidentally delete important files, click on a malicious link in an email or spill coffee on a piece of equipment that hosts critical systems.
  • Malicious behavior. There are three types of malicious behavior:
    • Interference is when somebody causes damage to your business by deleting data, engineering a distributed denial of service (DDoS) against your website, physically stealing a computer or server, and so on.
    • Interception is theft of your data.
    • Impersonation is misuse of someone else’s credentials, which are often acquired through social engineering attacks or brute-force attacks, or purchased on the dark web.

Step #3: Identify Vulnerabilities

A vulnerability is a weakness that could enable a threat to harm your organization. Vulnerabilities can be identified through analysis, audit reports, the NIST vulnerability database, vendor data, information security test and evaluation (ST&E) procedures, penetration testing, and automated vulnerability scanning tools.

Don’t limit your thinking to software vulnerabilities; there are also physical and human vulnerabilities. For example, having your server room in the basement increases your vulnerability to the threat of flooding, and failure to educate your employees about the danger of clicking on email links increases your vulnerability to the threat of malware.

Step #4: Analyze Controls

Analyze the controls that are either in place or in the planning stage to minimize or eliminate the probability that a threat will exploit a vulnerability. Technical controls include encryption, intrusion detection mechanisms, and identification and authentication solutions. Nontechnical controls include security policies, administrative actions, and physical and environmental mechanisms.

Both technical and nontechnical controls can further be classified as preventive or detective. As the name implies, preventive controls attempt to anticipate and stop attacks; examples include encryption and authentication devices. Detective controls are used to discover threats that have occurred or are in process; they include audit trails and intrusion detection systems.

Step #5: Determine the Likelihood of an Incident

Assess the probability that a vulnerability might actually be exploited, taking into account the type of vulnerability, the capability and motivation of the threat source, and the existence and effectiveness of your controls. Rather than a numerical score, many organizations use the categories high, medium and low to assess the likelihood of an attack or other adverse event.

Step #6: Assess the Impact a Threat Could Have

Analyze the impact that an incident would have on the asset that is lost or damaged, including the following factors:

  • The mission of the asset and any processes that depend upon it
  • The value of the asset to the organization
  • The sensitivity of the asset

To get this information, start with a business impact analysis (BIA) or mission impact analysis report. This document uses either quantitative or qualitative means to determine the impact of harm to the organization’s information assets, such as loss of confidentiality, integrity and availability. The impact on the system can be qualitatively assessed as high, medium or low.

Step #7: Prioritize the Information Security Risks

For each threat/vulnerability pair, determine the level of risk to the IT system, based on the following:

  • The likelihood that the threat will exploit the vulnerability
  • The approximate cost of each of these occurrences
  • The adequacy of the existing or planned information system security controls for eliminating or reducing the risk

A useful tool for estimating risk in this manner is the risk-level matrix. A high likelihood that the threat will occur is given a value of 1.0; a medium likelihood is assigned a value of 0.5; and a low likelihood of occurrence is given a rating of 0.1. Similarly, a high impact level is assigned a value of 100, a medium impact level 50, and a low impact level 10. Risk is calculated by multiplying the threat likelihood value by the impact value, and the risks are categorized as high, medium or low based on the result.
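
The matrix described above can be applied to a small risk register, as in the following added example (not part of the original article). The register entries reuse threat/vulnerability pairs mentioned in this article with constructed ratings, and the cut-offs between high, medium and low are an assumption taken from the NIST SP 800-30 (2002) risk scale, since the article does not state them.

```python
from dataclasses import dataclass

# Values from the risk-level matrix in Step #7.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}
# Assumption: cut-offs are not in the article; these follow the NIST SP 800-30
# (2002) risk scale: High >50 to 100, Medium >10 to 50, Low 1 to 10.
BANDS = ((50, "high"), (10, "medium"), (0, "low"))
# Step #8 guidance for each risk level.
ACTION = {"high": "corrective plan as soon as possible",
          "medium": "corrective plan within a reasonable period",
          "low": "decide: accept the risk or take corrective action"}

@dataclass(frozen=True)
class Pair:
    threat: str
    vulnerability: str
    likelihood: str  # rating from Step #5
    impact: str      # rating from Step #6

def score(pair):
    """Likelihood value multiplied by impact value."""
    try:
        return LIKELIHOOD[pair.likelihood.lower()] * IMPACT[pair.impact.lower()]
    except KeyError as exc:
        raise ValueError(f"rating must be high, medium or low, got {exc}") from None

def level(value):
    """Map a numeric score to a risk level using BANDS."""
    for floor, name in BANDS:
        if value > floor:
            return name
    raise ValueError(f"score {value} is outside the matrix")

def prioritize(pairs):
    """Return (pair, score, level) tuples, highest score first."""
    return sorted(((p, score(p), level(score(p))) for p in pairs),
                  key=lambda row: row[1], reverse=True)

# Constructed register: pairs come from the article's examples, ratings are invented.
REGISTER = [
    Pair("flooding", "server room in the basement", "low", "high"),
    Pair("accidental file deletion", "no offsite backups", "medium", "medium"),
    Pair("hacker", "unpatched system", "high", "high"),
    Pair("hardware failure", "old no-name server", "medium", "high"),
]

if __name__ == "__main__":
    for pair, value, name in prioritize(REGISTER):
        print(f"{value:5.1f} {name:<6} {pair.threat} / {pair.vulnerability}: {ACTION[name]}")
```

With these cut-offs, only a high likelihood combined with a high impact lands in the high band; a score of exactly 50 or exactly 10 falls into the lower of the two adjacent bands.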

Step #8: Recommend Controls

Using the risk level as a basis, determine the actions needed to mitigate the risk. Here are some general guidelines for each level of risk:

  • High — A plan for corrective measures should be developed as soon as possible.
  • Medium — A plan for corrective measures should be developed within a reasonable period of time.
  • Low — The team must decide whether to accept the risk or implement corrective actions.

As you evaluate controls to mitigate each risk, be sure to consider:

  • Organizational policies
  • Cost-benefit analysis
  • Operational impact
  • Feasibility
  • Applicable regulations
  • The overall effectiveness of the recommended controls
  • Safety and reliability

Step #9: Document the Results

The final step in the risk assessment process is to develop a risk assessment report to support management in making appropriate decisions on budget, policies, procedures and so on. For each threat, the report should describe the corresponding vulnerabilities, the assets at risk, the impact to your IT infrastructure, the likelihood of occurrence and the control recommendations.

The risk assessment report can identify key remediation steps that will reduce multiple risks. For example, ensuring backups are taken regularly and stored offsite will mitigate both the risk of accidental file deletion and the risk from flooding. Each step should detail the associated cost and the business reasons for making the investment.

As you work through this process, you will get a better idea of how the company and its infrastructure operate and how they can operate better. Then you can create a risk assessment policy that defines what the organization must do periodically (annually in many cases), how risk is to be addressed and mitigated (for example, a minimum acceptable vulnerability window), and how the organization must carry out subsequent enterprise risk assessments for its IT infrastructure components and other assets.

Always keep in mind that the information security risk assessment and enterprise risk management processes are the heart of cybersecurity. These processes establish the foundation of the entire information security management strategy, providing answers to what threats and vulnerabilities can cause financial harm to the business and how they should be mitigated.


What is a risk assessment?

A cyber security risk assessment is the process of identifying and analyzing information assets, threats, vulnerabilities and incident impact in order to guide security strategy.

What is the first step in performing risk assessment?

The first step in performing risk assessment is to identify and evaluate the information assets across your organization. These include servers, client information, customer data and trade secrets.

What is the final step in the risk assessment process?

The final step in the process is documenting the results to support informed decisions about budgets, policies and procedures. The risk assessment report should describe each threat and its related vulnerabilities and costs. It should also make recommendations for how to mitigate risk.

What is a threat/vulnerability pair?

A threat/vulnerability pair is a specific threat using a particular vulnerability, such as a hacker (threat) exploiting an unpatched system (vulnerability). Not all threats pair with a given vulnerability. For example, the threat of flooding pairs with the vulnerability of a lower-level server room, but not with unpatched systems.

What is a threat action?

A threat action is the consequence of a threat/vulnerability pair — the result of the identified threat leveraging the vulnerability to which it has been matched. For example, if the threat is hacking and the vulnerability is lack of system patching, the threat action might be a hacker exploiting the unpatched system to gain unauthorized access to the system.

How do you conduct risk assessment?

To conduct a cybersecurity risk assessment, you need to identify the elements of the risk equation and then use your knowledge of those elements to determine risk. That means:

  • Inventorying your organization’s information assets
  • Understanding the potential threats to each asset
  • Detailing the vulnerabilities that could allow those threats to damage the asset
  • Assessing the associated costs

Once you collect this data, the next step is to create a cybersecurity risk management plan that details both the risks and strategies for mitigating them.

When should risk assessment be carried out?

Risk assessment should be a recurring event. You should periodically review your risk mitigation strategy as your IT assets change and new threats and vulnerabilities emerge. Transparency is critical to success. All stakeholders in the data security process should have access to information and be able to provide input for the assessment.

What should risk analysis include?

Cyber security risk analysis should include:

  • A determination of the value of information within the organization
  • An identification of threats and vulnerabilities
  • A calculation estimating the impact of leveraged threats
  • Conclusions about risks and ways to mitigate risk
  • Documentation of the assessment process

Who should perform the risk assessment?

If your organization is large enough to have a dedicated IT staff, assign them to develop a thorough understanding of your data infrastructure and work in tandem with team members who know how information flows throughout your organization. If your organization is a small business without its own IT department, you may need to outsource the task to a dedicated risk assessment company.

VP of Product Management at Netwrix. Ilia is responsible for the Netwrix product vision and strategy. He is a recognized expert in information security and an official member of Forbes Technology Council. Ilia has over 15 years of experience in the IT management software market. In the Netwrix blog, Ilia focuses on cybersecurity trends, strategies and risk assessment.