A risk assessment, a tool for risk management, identifies vulnerabilities and threats and assesses the possible impacts to determine where to implement security controls. After parts of a risk assessment are carried out, the results are analyzed. Risk analysis is a detailed examination of the components of risk, used to ensure that security is cost-effective, relevant, timely, and responsive to threats. It is easy to apply too much protection, not enough security, or the wrong security controls, and to spend too much money without attaining the necessary objectives. Risk analysis helps organizations prioritize their risks and shows management the amount of resources that should sensibly be applied to protect against them. Risk analysis provides a cost/benefit comparison, which compares the annualized cost of controls to the potential loss cost. A control, in most cases, should not be implemented unless the annualized cost of loss exceeds the annualized cost of the control itself. Before an assessment is started, the organization must carry out project sizing to understand which assets and threats should be evaluated. Most assessments are focused on physical security, technology security, or personnel security.
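As an added worked example (not from this page), the following Python carries out the cost/benefit comparison described above: it computes the annualized cost of loss for each asset, applies the page's rule that a control is justified only when that loss exceeds the annualized control cost, and ranks risks for prioritization. It assumes the standard quantitative terms exposure factor, SLE (single loss expectancy) and ARO (annualized rate of occurrence), which the page does not name, uses constructed asset figures, and goes one step beyond the page by also netting out the residual loss that remains after a control is in place.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair from the asset valuation report (constructed values)."""
    asset: str
    asset_value: float      # valuation accepted by senior management
    exposure_factor: float  # fraction of asset value lost in one incident (0..1), assumed term
    aro: float              # annualized rate of occurrence (incidents per year), assumed term


def sle(r: Risk) -> float:
    """Single loss expectancy: value lost in a single incident."""
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annualized loss expectancy: the 'annualized cost of loss' the page compares against."""
    return sle(r) * r.aro


def control_justified(r: Risk, annual_control_cost: float) -> bool:
    """The page's rule: implement only if annualized cost of loss exceeds annualized control cost."""
    return ale(r) > annual_control_cost


def control_net_value(r: Risk, annual_control_cost: float, residual_aro: float) -> float:
    """Extension of the rule: ALE before - ALE after the control - control cost.
    Positive means the control pays for itself; negative means it costs more than it saves."""
    after = Risk(r.asset, r.asset_value, r.exposure_factor, residual_aro)
    return ale(r) - ale(after) - annual_control_cost


def prioritize(risks: list[Risk]) -> list[str]:
    """Asset names ordered by annualized loss, highest first, for management's resource decision."""
    return [r.asset for r in sorted(risks, key=ale, reverse=True)]


# Constructed sample figures for illustration only.
WEB_SERVER = Risk("web server", asset_value=100_000, exposure_factor=0.5, aro=2.0)
LAPTOPS = Risk("laptop fleet", asset_value=40_000, exposure_factor=0.25, aro=4.0)
FILE_SERVER = Risk("file server", asset_value=250_000, exposure_factor=0.1, aro=0.1)

if __name__ == "__main__":
    for r in (WEB_SERVER, LAPTOPS, FILE_SERVER):
        print(f"{r.asset}: SLE={sle(r):,.0f} ALE={ale(r):,.0f}")
    print("priority:", prioritize([WEB_SERVER, LAPTOPS, FILE_SERVER]))
    print("WAF at 30k/yr justified:", control_justified(WEB_SERVER, 30_000))
    print("WAF net value:", control_net_value(WEB_SERVER, 30_000, residual_aro=0.5))
    print("10k/yr file-server control justified:", control_justified(FILE_SERVER, 10_000))
```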
One of the risk assessment team’s tasks is to create a report that details the asset valuations. Senior management should review and accept the list and use these values to determine the scope of the risk management project. If management determines that some assets are not necessary at this early stage, the risk assessment team should not spend additional time or resources evaluating those assets.
Management should outline the scope of the assessment, which most likely will be dictated by organizational compliance requirements as well as budgetary constraints. A risk assessment helps integrate the security program objectives with the organization’s business objectives and requirements. The more the business and security objectives are aligned, the more successful both will be.
A risk assessment must be supported and directed by senior management if it is to be successful. Management must define the purpose and scope of the effort, appoint a team to carry out the assessment, and allocate the necessary time and funds to conduct it. It is vital for senior management to review the risk assessment outcome and act on its findings.
Risk analysis has four main goals:
- Identify assets and their value to the organization.
- Determine the likelihood that a threat exploits a vulnerability.
- Determine the business impact of these potential threats.
- Provide an economic balance between the impact of the threat and the cost of the countermeasure.