logo

Risk Analysis Example: How to Evaluate Risks

Organizations are struggling with risks on multiple fronts, including cybersecurity, liability, investment and more. Risk analysis, or risk assessment, is the first step in the risk management process. IT risk analysis focuses on the risks that both internal and external threats pose to the availability, confidentiality, and integrity of your data. During risk analysis, a company identifies risks and the level of consequences, such as potential losses to the business, if an incident happens.

The risk analysis process involves defining the assets (IT systems and data) at risk, the threats facing each asset, how critical each threat is and how vulnerable the system is to that threat. It is wise to take a structured and project-based approach to risk analysis, such as those offered in NIST SP 800-30 or ISO/IEC 27005:2018 and 31010:2019.

Risk analysis is important for multiple reasons. IT professionals who are responsible for mitigating risks in the infrastructure often  have difficulty deciding which risks need to be resolved as soon as possible and which can be addressed later; risk analysis helps them prioritize properly. In addition, many regulatory and compliance requirements include security risk assessment as a mandatory component.

In this article, we will look at a risk analysis example and describe the key components of the IT risk analysis process.

Risk Analysis Example

The following sections lay out the key components of a risk analysis document.

Introduction

This part explains why and how the assessment process has been handled. It includes a description of systems reviewed and specifies the assignment of responsibilities required for providing and gathering the information and analyzing it.

Purpose

In this section, you define the purpose of a detailed assessment of an IT system. Here’s an example:

According to the annual enterprise risk assessment, <system name> was identified as a potential high-risk system. The purpose of the risk assessment is to identify the threats and vulnerabilities related to < system name > and identify plans to mitigate those risks.

Scope

In this section, you define the scope of the IT system assessment. Describe the system components, users and other system details that are to be considered in the risk assessment.

The scope of this risk assessment is to assess the use of resources and controls (implemented or planned) to eliminate and/or manage vulnerabilities exploitable by threats internal and external to <system name>.

System Description

List the systems, hardware, software, interfaces, or data that are examined and which of them are out of assessment scope. This is necessary to further analyze system boundaries, functions, system and data criticality and sensitivity. Here is an example:

<system name> consists of <components, interfaces> that process <sensitive / critical / regulated> data.  <system name> is located < details on physical environment>. The system provides <core functions>.

Participants

This section includes a list of participants’ names and their roles. It should include the owners of assets, IT and security teams, and the risk assessment team.

Assessment Approach

This sections explains all methodology and techniques used for risk assessment. For example:

Risk will be determined based on a threat event, the likelihood of that threat event occurring, known system vulnerabilities, mitigating factors, and impact to the company’s mission.

The data collection phase includes identifying and interviewing key personnel in the organization and conducting document reviews. Interviews will focus on the operating environment. Document reviews provide the risk assessment team with a basis for evaluating compliance with policies and procedures.

Risk Identification and Assessment

Here begins the core part of the information security risk assessment, where you compile the results of your assessment fieldwork.

Data Inventory

Identify and define all valuable assets in scope: servers, critical data, regulated data or other data whose exposure would have a major impact on business operations. For example:

Type of dataDescriptionLevel of sensitivity (High, Moderate, Low)
Personally identifiable information
  • Name
  • Address
  • Social Security number
  • Credit card number
High
Financial information
  • Credit card number
  • Verification code
  • Expiry date
  • Authorization reference
  • Transaction reference
High

System Users

Describe who is using the systems, with details on user location and level of access. You can use the example below:

System name User CategoryAccess Level (Read, Write, Full)Number of usersHome OrganizationGeographic Location
<Name of business application>Regular userRead/Write10ABC GroupAtlanta

Threat Identification

Develop a catalogue of threat sources. Briefly describe risks that could negatively affect the organization’s operations, from security breaches and technical missteps to human errors and infrastructure failures:

Threat sourceThreat action
Cyber criminal
  • Web defacement
  • Social engineering
  • System intrusions (break-ins)
  • Identity theft
Malicious insider
  • Browsing of personally identifiable information
  • Unauthorized system access
  • Accidental or ill-advised actions taken by employees that result in unintended physical damage, system disruption or exposure

Employees

 

  • Illness, death, injury or other loss of a key individual

Reputation

 

  • Loss of confidence from employees
  • Damage to the reputation of the company
Organizational (planning, schedule, estimation, controlling, communication, logistics, resources and budget)
  • Improper worker termination and reassignment actions

 

Legal and administrative actions

 

  • Regulatory penalties
  • Criminal and civil proceeding
Technical
  • Malicious code (e.g., virus)
  • System bugs
  • Failure of a computer, device, application, or protective technology or control that disrupts or harms operations or exposes the system to harm
Environmental
  • Natural or man-made disasters

 

Vulnerability Identification

Assess which vulnerabilities and weaknesses could allow threats to breach your security. Here’s an example:

VulnerabilityDescription
Poor password strengthPasswords used are weak. Attackers could guess the password of a user to gain access to the system.
Lack of disaster recoveryThere are no procedures to ensure ongoing operation of the system in the event of a significant business interruption or disaster.

Risk Determination

Here, you assess the probability that threats and vulnerabilities will cause damage and the extent of those consequences.

Risk Probability Determination

During this step, focus on assessing risk probability — the chance that a risk will occur.

Level

Probability Definition

 

Example
HighThe threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.Unauthorized malicious disclosure, modification, or destruction of information
ModerateThe threat source is motivated or capable, but controls are in place that may impede successful exercise of the vulnerability.

Unintentional errors and omissions

 

Low

The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

 

IT disruptions due to natural or man-made disasters

Impact Analysis

Perform risk impact analysis to understand the consequences to the business if an incident happens. Risk analysis can include qualitative risk assessments to identify risks that pose the most danger, such as data loss, system downtime and legal consequences. Quantitative risk assessment is optional and is used to measure the impact in financial terms.

Incident ConsequenceImpact
Unauthorized disclosure of sensitive information

The loss of confidentiality with major damage to organizational assets.

 

The incident may result in the costly loss of major tangible assets or resources, and may significantly violate, harm or impede the organization’s mission, reputation or interests.

High
IT disruptions due to unauthorized changes to the system

The loss of availability with a serious adverse effect on organizational operations.

 

The organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced.

Medium
Non-sensitive data is lost by unauthorized changes to the data or system

The loss of integrity with a limited effect on organizational operations assets, or individuals.

 

The organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced.

Low

Risk Level Evaluation

During this step, the results of the risk analysis are compared to the risk evaluation criteria. The results are used to prioritize risks according to the level of risk.

Level of Impact

 

Risk Level Definition

 

HighThere is a strong need for corrective measures. The system may continue to operate, but a corrective action plan must be put in place as soon as possible.
ModerateCorrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
LowThe system’s owner must determine whether corrective actions are still required or decide to accept the risk.

Risk Assessment Results

List the risks in the Risk Assessment Results table. The report should describe the threats and vulnerabilities, measure the risk, and provide recommendations for control implementation.

Threat VulnerabilitiesMitigationLikelihoodImpactRisk
HurricanePower outageInstall backup generatorsModerateLowLow
Lack of disaster recovery planDisaster recoveryDevelop and test a disaster recovery planModerateHighModerate
Unauthorized users can access the server and browse sensitive company filesOpen access to sensitive contentPerform system security monitoring and testing to ensure adequate security is provided for <server name>.ModerateHighModerate

Conclusion

Risk analysis enables you to know which risks are your top priority. By continuously reviewing the key areas, such as permissions, policy, data and users, you can determine which threats post the highest risk to your IT ecosystem and adjust the necessary controls to improve security and compliance.

Product Evangelist at Netwrix Corporation, writer, and presenter. Ryan specializes in evangelizing cybersecurity and promoting the importance of visibility into IT changes and data access. As an author, Ryan focuses on IT security trends, surveys, and industry insights.
Improve your IT security posture by reducing your IT risks