Organizations are struggling with risks on multiple fronts, including cybersecurity, liability, investment and more. Risk analysis, or risk assessment, is the first step in the risk management process. IT risk analysis focuses on the risks that both internal and external threats pose to the availability, confidentiality, and integrity of your data. During risk analysis, a company identifies risks and the level of consequences, such as potential losses to the business, if an incident happens.
The risk analysis process involves defining the assets (IT systems and data) at risk, the threats facing each asset, how critical each threat is and how vulnerable the system is to that threat. It is wise to take a structured and project-based approach to risk analysis, such as those offered in NIST SP 800-30 or ISO/IEC 27005:2018 and 31010:2019.
Risk analysis is important for multiple reasons. IT professionals who are responsible for mitigating risks in the infrastructure often have difficulty deciding which risks need to be resolved as soon as possible and which can be addressed later; risk analysis helps them prioritize properly. In addition, many regulatory and compliance requirements include security risk assessment as a mandatory component.
In this article, we will look at a risk analysis example and describe the key components of the IT risk analysis process.
Risk Analysis Example
The following sections lay out the key components of a risk analysis document.
Introduction
This part explains why and how the assessment process has been handled. It includes a description of systems reviewed and specifies the assignment of responsibilities required for providing and gathering the information and analyzing it.
Purpose
In this section, you define the purpose of a detailed assessment of an IT system. Here’s an example:
According to the annual enterprise risk assessment, <system name> was identified as a potential high-risk system. The purpose of the risk assessment is to identify the threats and vulnerabilities related to < system name > and identify plans to mitigate those risks.
Scope
In this section, you define the scope of the IT system assessment. Describe the system components, users and other system details that are to be considered in the risk assessment.
The scope of this risk assessment is to assess the use of resources and controls (implemented or planned) to eliminate and/or manage vulnerabilities exploitable by threats internal and external to <system name>.
System Description
List the systems, hardware, software, interfaces, or data that are examined and which of them are out of assessment scope. This is necessary to further analyze system boundaries, functions, system and data criticality and sensitivity. Here is an example:
<system name> consists of <components, interfaces> that process <sensitive / critical / regulated> data. <system name> is located < details on physical environment>. The system provides <core functions>.
Participants
This section includes a list of participants’ names and their roles. It should include the owners of assets, IT and security teams, and the risk assessment team.
Assessment Approach
This sections explains all methodology and techniques used for risk assessment. For example:
Risk will be determined based on a threat event, the likelihood of that threat event occurring, known system vulnerabilities, mitigating factors, and impact to the company’s mission.
The data collection phase includes identifying and interviewing key personnel in the organization and conducting document reviews. Interviews will focus on the operating environment. Document reviews provide the risk assessment team with a basis for evaluating compliance with policies and procedures.
Risk Identification and Assessment
Here begins the core part of the information security risk assessment, where you compile the results of your assessment fieldwork.
Data Inventory
Identify and define all valuable assets in scope: servers, critical data, regulated data or other data whose exposure would have a major impact on business operations. For example:
Type of data | Description | Level of sensitivity (High, Moderate, Low) |
Personally identifiable information |
|
High |
Financial information |
|
High |
System Users
Describe who is using the systems, with details on user location and level of access. You can use the example below:
System name | User Category | Access Level (Read, Write, Full) | Number of users | Home Organization | Geographic Location |
<Name of business application> | Regular user | Read/Write | 10 | ABC Group | Atlanta |
Threat Identification
Develop a catalogue of threat sources. Briefly describe risks that could negatively affect the organization’s operations, from security breaches and technical missteps to human errors and infrastructure failures:
Threat source | Threat action |
Cyber criminal |
|
Malicious insider |
|
Employees
|
|
Reputation
|
|
Organizational (planning, schedule, estimation, controlling, communication, logistics, resources and budget) |
|
Legal and administrative actions
|
|
Technical |
|
Environmental |
|
Vulnerability Identification
Assess which vulnerabilities and weaknesses could allow threats to breach your security. Here’s an example:
Vulnerability | Description |
Poor password strength | Passwords used are weak. Attackers could guess the password of a user to gain access to the system. |
Lack of disaster recovery | There are no procedures to ensure ongoing operation of the system in the event of a significant business interruption or disaster. |
Risk Determination
Here, you assess the probability that threats and vulnerabilities will cause damage and the extent of those consequences.
Risk Probability Determination
During this step, focus on assessing risk probability — the chance that a risk will occur.
Level | Probability Definition
|
Example |
High | The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective. | Unauthorized malicious disclosure, modification, or destruction of information |
Moderate | The threat source is motivated or capable, but controls are in place that may impede successful exercise of the vulnerability. | Unintentional errors and omissions
|
Low | The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
|
IT disruptions due to natural or man-made disasters |
Impact Analysis
Perform risk impact analysis to understand the consequences to the business if an incident happens. Risk analysis can include qualitative risk assessments to identify risks that pose the most danger, such as data loss, system downtime and legal consequences. Quantitative risk assessment is optional and is used to measure the impact in financial terms.
Incident | Consequence | Impact |
Unauthorized disclosure of sensitive information | The loss of confidentiality with major damage to organizational assets.
The incident may result in the costly loss of major tangible assets or resources, and may significantly violate, harm or impede the organization’s mission, reputation or interests. |
High |
IT disruptions due to unauthorized changes to the system | The loss of availability with a serious adverse effect on organizational operations.
The organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced. |
Medium |
Non-sensitive data is lost by unauthorized changes to the data or system | The loss of integrity with a limited effect on organizational operations assets, or individuals.
The organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced. |
Low |
Risk Level Evaluation
During this step, the results of the risk analysis are compared to the risk evaluation criteria. The results are used to prioritize risks according to the level of risk.
Level of Impact
|
Risk Level Definition
|
High | There is a strong need for corrective measures. The system may continue to operate, but a corrective action plan must be put in place as soon as possible. |
Moderate | Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time. |
Low | The system’s owner must determine whether corrective actions are still required or decide to accept the risk. |
Risk Assessment Results
List the risks in the Risk Assessment Results table. The report should describe the threats and vulnerabilities, measure the risk, and provide recommendations for control implementation.
Threat | Vulnerabilities | Mitigation | Likelihood | Impact | Risk |
Hurricane | Power outage | Install backup generators | Moderate | Low | Low |
Lack of disaster recovery plan | Disaster recovery | Develop and test a disaster recovery plan | Moderate | High | Moderate |
Unauthorized users can access the server and browse sensitive company files | Open access to sensitive content | Perform system security monitoring and testing to ensure adequate security is provided for <server name>. | Moderate | High | Moderate |
Conclusion
Risk analysis enables you to know which risks are your top priority. By continuously reviewing the key areas, such as permissions, policy, data and users, you can determine which threats post the highest risk to your IT ecosystem and adjust the necessary controls to improve security and compliance.