Cybersecurity risk assessment should be a continuous process. But when and how often should it be done?
Perform Cybersecurity Risk Assessment
Ideally, a security risk assessment should be conducted before any new software is installed. This way you can avoid applications with known vulnerabilities, and you will be aware of their risks.
Some companies do this for all new software installations, even if the software is developed internally. It’s also important to conduct a risk assessment after updates/upgrades are made to existing software.
Risk Assessment Process
The cybersecurity risk assessment process can be divided into six steps:
1. Identify Assets At Risk.
Assets are anything that has value to your organization; the more valuable the asset, the more important it is that you protect it.
The first step of a risk assessment is to identify assets at risk. Assets can be anything with value to your organization, including people, hardware, data, and software.
Assets could be tangible (such as a computer) or intangible (such as intellectual property). Also, assets can be physical or virtual.
Some assets are more important to protect than others. For example, a company’s payroll data is more valuable than a sales report. In this case, the payroll data needs to be protected with stronger security measures than the sales report.
2. Identify Threats Against Assets
A threat is anything that could exploit an asset and do harm to your business, together with the probability that it will do so.
To identify the threats against assets, we need to know what risks we face and who or what is responsible for them. Once we know our risks, we can determine which ones are most significant and how likely they are to occur.
3. Evaluate And Prioritize Risks
Calculate the risk impact (R) and the risk exposure (E).
To evaluate risks you need to know what’s at risk and how likely an incident is to occur. Risk impact (R) is the probability that an incident will occur multiplied by the potential damage if it does occur.
Risk exposure (E) is the amount of loss that could result from an incident multiplied by the probability that it will occur.
The risk exposure (E) could be expressed as a dollar value, a percentage of your workforce, or a number of records in a database. Risk exposure (E) is the amount of potential loss if a risk happens.
Risk impact (R) is the amount of potential loss if a risk happens, multiplied by the probability that it will happen. Once we know our risks, we can determine which ones are most significant and how likely they are to occur.
4. Prioritize Risks
Identify critical areas or assets to be protected and focus on those areas.
Once we evaluate and prioritize risks, we can focus on those areas where we need to spend more time and energy (for example, the most critical assets). It’s also important to identify the root cause of an incident and eliminate it.
If there are too many risks to deal with at once, you can prioritize them.
5. Determine The Level Of Acceptable Risk
Determine how much risk is acceptable based on your company’s mission and vision.
To determine the level of acceptable risk, we need to know what the company stands to gain in terms of its mission and vision, and what it stands to lose if an incident occurs. With that information, we can decide how much risk is acceptable.
6. Make A Decision
Based on the results of your analysis, determine what actions to take to reduce risks.
Once you have identified the critical areas that need to be protected, make sure those areas are well protected. If you can’t protect those areas, consider outsourcing them to a trusted vendor. If you need to reduce risks, focus on those areas with the highest risk exposure (E) and risk impact (R).
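The six steps above, carried through as a small risk register in Python. This is an added example, not code from the original article: the asset names, loss figures and probabilities are constructed sample values, and the `Risk`, `prioritize` and `decide` names are our own. It uses the article's definitions, exposure (E) as the potential loss if the risk happens and impact (R) as that loss multiplied by the probability of occurrence, then ranks the register and flags what exceeds the acceptable level.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str          # step 1: the asset at risk
    threat: str         # step 2: the threat against it
    loss: float         # potential loss if the incident happens (constructed, in dollars)
    probability: float  # estimated likelihood of occurrence, 0.0 to 1.0 (constructed)

    def __post_init__(self):
        # A probability outside [0, 1] silently corrupts every ranking below,
        # so reject it at construction time rather than after the report is read.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability out of range for {self.asset}: {self.probability}")
        if self.loss < 0:
            raise ValueError(f"loss must be non-negative for {self.asset}")

    def exposure(self) -> float:
        # E: the amount of potential loss if the risk happens
        return self.loss

    def impact(self) -> float:
        # R: potential loss multiplied by the probability that it will happen
        return self.loss * self.probability


def prioritize(risks):
    # step 4: highest impact first; equal impacts are ordered by exposure,
    # so a large but rare loss still ranks above a small, equally likely one
    return sorted(risks, key=lambda r: (r.impact(), r.exposure()), reverse=True)


def decide(risks, acceptable_impact: float):
    # steps 5 and 6: any risk whose impact exceeds the acceptable level needs action,
    # everything else is consciously accepted and recorded as such
    return [(r, "reduce" if r.impact() > acceptable_impact else "accept")
            for r in prioritize(risks)]


# constructed sample register (values chosen for illustration only)
REGISTER = [
    Risk("payroll database", "credential theft", loss=500_000, probability=0.10),
    Risk("sales report share", "accidental disclosure", loss=20_000, probability=0.30),
    Risk("build server", "known vulnerability in installed software", loss=150_000, probability=0.25),
]

if __name__ == "__main__":
    for risk, action in decide(REGISTER, acceptable_impact=10_000):
        print(f"{action:7} {risk.asset:20} E={risk.exposure():>9,.0f} R={risk.impact():>8,.0f}")
```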