Answering Key Questions About Security Risk Assessments

Learn what a risk assessment is and decide which methodology is most suitable for you…

Information security is a critical part of modern business operations as its objective is to protect information systems and data from unauthorized access, use, disclosure, disruption, modification, or destruction. As the number of digital threats increases, organizations must constantly monitor their security landscape and conduct security risk assessments to maintain an appropriate level of information security. Security risk assessment is critical for safeguarding organizational assets and, therefore, it is actively applied within security management or as part of security frameworks and regulations. General insights into the idea of risk assessment and its main methodologies are outlined below. 

What is a Risk Assessment?

When performing risk assessment, one must understand that it is not a one-time activity that provides permanent information for organizational decision-makers. It is, rather, an ongoing process that organizations employ as part of their risk management strategy.

The NIST 800-30 Special Publication defines risk assessment as a “systematic process that addresses the undesirable adverse impacts to organizational assets, operations, and individuals […] arising from the operation and use of information systems (p.15)”. Risk assessment helps determine risks that are common to the organization’s electronic and physical assets and provides a stable background for mitigating the identified risks. 

Risk assessment is a complex phenomenon that unites several important concepts under its umbrella. The main ones are “vulnerability”, “threat”, “risk”, “likelihood”, and “impact”. Common definitions for these terms may also be found in the NIST SP 800-30 standard, and each of them can be adapted to the context of any organization that deals with sensitive information. Thus, as defined in NIST 800-30:

  • Vulnerability “is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy (p. 15).”

Organizations may have non-technical vulnerabilities, which pertain to ineffective guidelines, procedures, policies, or standards, and technical ones, which refer to weaknesses in information systems. Both kinds of vulnerability could potentially result in a security incident.

  • Threat “is the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability (p. 12).”

Organizational information systems and people may be exposed to several types of threat, which are generally grouped into natural, human, and environmental threats.

  • Likelihood “refers to the probability that a given threat event is capable of exploiting a given vulnerability (or set of vulnerabilities) (p. 21).”

Depending on the capability of the threat agent and the effectiveness of preventive controls, the likelihood can be described as high, medium, or low. 

  • Impact is the result of a “successful threat exercise of a vulnerability (p. 21).”

The impact is determined by the consequences to the organization of a successful threat event. Just like likelihood, it may be rated as high, medium, or low.

Once the above concepts are defined, the idea of a security risk assessment becomes clearer.

  • Risk is “the net mission impact considering (1) the probability that a particular threat will trigger or exploit a particular vulnerability and (2) the resulting impact on the organization if this should occur.”

In other words, risks arise from unauthorized modification, disclosure, or destruction of information; unintentional errors; IT disruptions; and/or organizational failure to exercise diligence in the implementation and operation of IT systems and business processes. In the context of a particular organization, risk assessment means identifying the risks that are specific to its operating environment. The best way to approach an organization’s need for information security is a properly contextualized risk assessment that involves identifying threats, classifying organizational assets, and rating system vulnerabilities. These measures provide the key information and guidance needed to implement effective controls and avoid security incidents.
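The following Python snippet is an added illustration of how the definitions above combine into a risk rating; it is not code from this article or from Planet 9. It assumes the numeric example scale from the 2002 edition of NIST SP 800-30 (likelihood high/medium/low as 1.0/0.5/0.1, impact high/medium/low as 100/50/10, and a resulting risk of 1–10 rated low, over 10 to 50 rated medium, over 50 to 100 rated high), which this page does not reproduce, and the assets, threats, and vulnerabilities in the register are constructed.

```python
from dataclasses import dataclass

# Assumed scales (NIST SP 800-30, 2002 edition, example matrix).
# Likelihood is kept in percent so that all products stay exact integers.
LIKELIHOOD_PCT = {"high": 100, "medium": 50, "low": 10}
IMPACT_SCALE = {"high": 100, "medium": 50, "low": 10}
LEVEL_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class RiskEntry:
    """One line of a risk register: an asset, a threat source, the
    vulnerability the threat could exercise, and the two qualitative ratings."""
    asset: str
    threat: str          # natural, human or environmental threat source
    vulnerability: str   # technical or non-technical weakness
    likelihood: str      # "high" | "medium" | "low"
    impact: str          # "high" | "medium" | "low"


def risk_score(likelihood: str, impact: str) -> int:
    """Risk = probability that the threat exercises the vulnerability x impact."""
    try:
        return LIKELIHOOD_PCT[likelihood.lower()] * IMPACT_SCALE[impact.lower()] // 100
    except KeyError as exc:
        raise ValueError(f"rating must be high, medium or low, got {exc}") from None


def risk_level(score: int) -> str:
    """Map the numeric product back onto the qualitative high/medium/low scale."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


def build_register(entries):
    """Score each entry and return the register ordered highest risk first,
    which is the order in which treatment decisions are normally made."""
    rows = []
    for e in entries:
        score = risk_score(e.likelihood, e.impact)
        rows.append({
            "asset": e.asset,
            "threat": e.threat,
            "vulnerability": e.vulnerability,
            "score": score,
            "level": risk_level(score),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def treatment_candidates(register, minimum_level="medium"):
    """Assets whose rated risk is at or above the organization's treatment threshold."""
    floor = LEVEL_ORDER[minimum_level]
    return [r["asset"] for r in register if LEVEL_ORDER[r["level"]] >= floor]


# Constructed sample register (hypothetical organization, not real data).
SAMPLE_ENTRIES = [
    RiskEntry("patient records database", "external attacker (human)",
              "unpatched database server exposed to the internet", "high", "high"),
    RiskEntry("office file server", "flood (natural)",
              "server room below grade with no water sensor", "low", "high"),
    RiskEntry("staff laptops", "theft (human)",
              "no full-disk encryption policy", "medium", "medium"),
    RiskEntry("server-room cooling", "power failure (environmental)",
              "cooling units not on the UPS", "medium", "low"),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_ENTRIES)
    for row in register:
        print(f"{row['level']:6} {row['score']:3}  {row['asset']}: "
              f"{row['threat']} via {row['vulnerability']}")
    print("treat first:", treatment_candidates(register))
```

Because the assessment is an ongoing process, the register is meant to be re-scored whenever a rating changes, for instance when a control is added and the likelihood for an entry drops; an unknown rating string is rejected rather than silently scored as low.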

Who Needs a Risk Assessment?

To function within their digital business environments, many organizations must process personally identifiable information (PII) or personal health information (PHI). This sensitive information includes social security numbers, dates of birth, driver’s license numbers, and medical histories. To safeguard their information systems while handling confidential information, organizations must undergo appropriate risk assessment procedures. For instance, a risk assessment is typically required by compliance standards, frameworks, and regulations such as PCI-DSS for payment card security, ISO 27001 for information security management, the HITRUST framework for safeguarding information, and the HIPAA federal law. It is also a significant part of security audits such as SOC 2 for service organizations. Therefore, risk assessment is not only a measure to secure business operations but also a necessary step to stay compliant with standards, laws, and regulations.

Why is a Risk Assessment Important?

Advancements in technology and a shifting security landscape expose organizations to greater security risks every day. Risk assessment allows organizations to identify possible “go-wrong” events that could result in malicious acts, operational failures, and data breaches, and lead to undesired business consequences. The risk assessment is essential for determining the cybersecurity risk levels to which an organization may be exposed. Furthermore, it gives organizations the opportunity to allocate adequate actions and resources to treat risks. Finally, it creates a risk-awareness culture in which employees understand security risks and how those risks relate to business objectives.

Failure to conduct a risk assessment may result in general non-compliance with standards and rules as well as lead to undesired security incidents. Both outcomes significantly damage the organization’s reputation and may be costly for businesses. For instance, according to the 2020 OCR Report on HIPAA compliance, failure to conduct an appropriate risk assessment was observed in 86% of covered entities. Consequently, the likelihood of security incidents increased significantly, since the organizations’ main vulnerabilities and threats had not been assessed. An inadequate risk assessment was also among the main contributing factors in the largest health data breach in U.S. history, in which a series of cyberattacks against Anthem Inc. exposed the electronic health information of 79 million people and resulted in a $16 million settlement. This, and many other examples, demonstrate that risk assessment is an important factor in information security management.

What are the Risk Assessment Methodologies?

Identification and evaluation of information security risks is a complicated, multi-dimensional process that involves the analysis of multiple technologies, people, processes, and their interconnections. Furthermore, it must constantly adapt to newly emerging threats, as they could introduce new risks to the organization. These factors turn risk assessment into a rapidly developing discipline that involves different views and perspectives. Several different risk assessment methodologies exist, but to conduct the security assessment properly, each organization must apply the one most suitable for it.

In 2006, the European Network and Information Security Agency (ENISA) published a deliverable on risk management and risk assessment. In it, ENISA defined 15 specific steps of successful risk management based on several international standards, guidelines, and best practices. The ENISA expert group reviewed 13 different risk assessment methodologies and compared them according to 21 attributes. ISO 27005, NIST SP 800‐30, and OCTAVE proved to be among the most relevant ones. Based on ENISA’s report, Planet 9 prepared the comparative characteristics of these methodologies.

Comparing ISO 27005, NIST SP 800‐30, and OCTAVE

The above risk assessment methodologies are well recognized and applied by many companies. However, it is important to bear in mind that none of them can keep up with constant change in the security landscape on its own. So, the best way to minimize security risks is to ensure a continuous process of detecting and addressing the company’s vulnerabilities and threats.

Want to learn more about risk assessments? Read our next article on this topic. 

If you need any help with security risk assessments or other information security and compliance services, we’ll be happy to assist:



Phone:  888-437-3646