Risk Management: Back to the Basics, Part 2
Risk Management: Back to the Basics
Risk Management: Back to the Basics, Part 3
Part 2: Risk Criteria and Risk Assessment
Introduction:
After determining the business entity, identifying assets and threats, the next step in the risk management process is to complete a risk assessment. The following article provides simplified guidelines for the risk assessment process.
Definitions
Risk Criteria: Risk criteria can be defined as the point of reference which the implication of a risk is evaluated.
Risk Assessment: Risk Assessment is the overall process of risk identification, analysis and evaluation.
Risk Criteria
The first step in the risk assessment process is to determine the evaluation criteria for assets and threats. The evaluation criteria can be based on legal and regulatory requirements, the risk management policy set forth by your organization, as well as international standards. Risk criteria should be reviewed continuously to ensure its alignment with the aforementioned factors. As organizational objectives, regulatory requirements, or international standards change, so should risk criteria.
When defining risk criteria there are two approaches one can take. First, if time permits, scientific methods and statistical analysis can be used. Or, you can use quantitative judgment and intuition and identify criteria in terms of “Low, Medium, High, Very, Immense” with a scale of 1 to 5. For SME’s who do not have ample resources to commit to the analysis of statistics relating to risk criteria, we suggest a scale such as this as a starting point.
The next question, naturally, is what factors one should consider in regards to evaluation criteria. As a starting point, we suggest the following when implementing a risk management program for information security (please note, as mentioned, the criteria will be unique to your organization, the following factors, however can be applied to a wide range of organizations):
Asset Evaluation Criteria:
- Value: The financial worth of the asset;
- Confidentiality: The level of awareness or availability to the public that is acceptable;
- Integrity: The level of accuracy and completeness of information regarding the asset;
- Availability: The level an asset needs to be accessible and usable.
Threat Evaluation Criteria:
- Impact of Threat: The level of disruption the threat will cause, should it occur;
- Probability of Threat: The likelihood of the threat occurring;
- Vulnerability of Asset to the Threat: The weakness in an asset or group of assets.
Risk Assessment Process
After determining the business entity, identifying assets and threats, the next step in the risk management process is to complete a risk assessment. As stated above, risk assessment is the overall process of risk identification, analysis and evaluation. The risk assessment begins with evaluating your organization’s critical assets. As outlined above, a predetermined risk criterion should be utilized for this process. Critical assets and major threats should be evaluated using your organization’s risk criteria.
Next, similar to the asset evaluation process, you should evaluate the threats to each critical asset identified. In some cases, the same threat will threaten multiple assets.
After completing this analysis, an aggregate security risk level for each asset and the business entity can be determined.
For an example of how to complete this process, you can see how RM Studio, Risk Management Software computes these see the Calculations section of our User Manual.
The goal of the risk assessment process is to gain an understanding of the risk level to your assets and the business entity in question. A risk assessment will provide you with your organization’s greatest threats. This information can be utilized to develop the next two steps in the process, the gap analysis and the risk treatment plan, which will be covered in future posts.
