How to Introduce Information Security Risk Assessment Methodology

Today, performing information security risk analysis is an accepted part of managing any business, and it’s something most CEOs and board members take very seriously. They don’t just want to “check a box” for information risk management—they understand that their ability to manage risk adequately is a fundamental part of their long-term success. What’s more, they want to meet the standards of care that similarly-situated, like-minded organizations are meeting.

Whether you’re the CISO, security manager, or anyone else in management, it’s critical that you can clearly communicate how you approach information security throughout your organization. The best way to do this is by creating an IT risk assessment methodology. You can create this methodology through these best practices:

Common Information Security Risk Assessment Methodology

Threats, vulnerabilities, consequences, and likelihood make up the essential pieces you need to review as part of your IT security risk methodology.

  • Threats: Threats can be posed to your organization by a variety of bad actors. In a cybersecurity context, bad actors can include nation states, organized criminal syndicates, random hackers, hacktivists, business competitors, insiders, and more.
  • Vulnerabilities: Vulnerabilities on your network can be exploited, which could give a threat actor the means or capability to achieve whatever they have in mind. There are many different kinds of possible vulnerabilities, including:
    • Software vulnerabilities.
    • Hardware vulnerabilities.
    • Vulnerabilities in the digital supply chain.
    • Weaknesses in your hiring, HR, or onboarding process.
    • Weaknesses in your training methodology, and more.
  • Consequences: The list of consequences your organization could face without the proper information security risk assessment methodology in place can range from small annoyances to potentially catastrophic events. You’ll want to consider the following:
    • How do I value the data, systems, or assets that I own?
    • What proprietary information about or from my company could be stolen or compromised (like trade secrets, intellectual property, loss of network uptime, etc.)?
    • What are the most serious consequences that can arise from a cybersecurity incident?
  • Likelihood: What is the chance of a security incident happening in your organization? This is the final (and tricky) piece of the information security risk assessment methodology to understand. You may have to examine if you’re in an industry that is particularly targeted or if the value of your data has particular significance to a group of bad actors.

Qualitative & Quantitative Approaches To Information Security Risk Analysis

If you’re a practitioner in a company and need to create this methodology, then you need to know what the inputs are and where you get your data from. There are two primary methods of doing risk assessments: quantitative and qualitative.

  • Quantitative approach: There are many ways to assess risk quantitatively. You could:
    • Calculate the number of software vulnerabilities you have.
    • Calculate the number of critical third-party vendors who have access to your data.
    • Calculate the time it takes you to identify and remediate issues on your network.
  • Qualitative approach: While quantitative risk assessments are important, you can’t always put a hard number on loss. For example, you may know that there are bad actors targeting your industry, but you don’t necessarily know who is targeting you and how much risk they pose.

In Summary

Examining threats, vulnerabilities, consequences, and likelihood—the essential pieces of your IT security risk methodology—and looking at both qualitative and quantitative approaches to risk assessments are critical to your overall cybersecurity strategy.

Doing so will not only help you better articulate to your organization what you’re currently doing, but it will also help you realize what you aren’t (and should be) doing to reduce information security risk.