Basic Elements of the Risk Assessment Process
Risk assessments, whether they pertain to information security
or other types of risk, are a means of providing decision makers
with information needed to understand factors that can
negatively influence operations and outcomes and make informed
judgments concerning the extent of actions needed to reduce
risk. For example, bank officials have conducted risk
assessments to manage the risk of default associated with their
loan portfolios, and nuclear power plant engineers have
conducted such assessments to manage risks to public health and
safety. As reliance on computer systems and electronic data has
grown, information security risk has joined the array of risks
that governments and businesses must manage. Regardless of the
types of risk being considered, all risk assessments generally
include the following elements.
· Identifying threats that could harm and, thus, adversely affect
critical operations and assets. Threats include such things as
intruders, criminals, disgruntled employees, terrorists, and
natural disasters.
· Estimating the likelihood that such threats will materialize
based on historical information and judgment of knowledgeable
individuals.
· Identifying and ranking the value, sensitivity, and criticality
of the operations and assets that could be affected should a
threat materialize in order to determine which operations and
assets are the most important.
· Estimating, for the most critical and sensitive assets and
operations, the potential losses or damage that could occur if a
threat materializes, including recovery costs.
· Identifying cost-effective actions to mitigate or reduce the
risk. These actions can include implementing new organizational
policies and procedures as well as technical or physical
controls.
· Documenting the results and developing an action plan.
There are various models and methods for assessing risk, and
the extent of an analysis and the resources expended can vary
depending on the scope of the assessment and the availability of
reliable data on risk factors. In addition, the availability of
data can affect the extent to which risk assessment results can
be reliably quantified. A quantitative approach generally
estimates the monetary cost of risk and risk reduction
techniques based on (1) the likelihood that a damaging event
will occur, (2) the costs of potential losses, and (3) the costs
of mitigating actions that could be taken. When reliable data on
likelihood and costs are not available, a qualitative approach
can be taken by defining risk in more subjective and general
terms such as high, medium, and low. In this regard, qualitative
assessments depend more on the expertise, experience, and
judgment of those conducting the assessment. It is also possible
to use a combination of quantitative and qualitative methods.
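As an added illustration (not part of the report), the quantitative approach described above, the qualitative high/medium/low fallback, and their combination, worked through on a small risk register. The assets, threats, likelihoods, loss figures, control costs and reduction fractions are constructed assumptions, not data from any real assessment.

```python
from dataclasses import dataclass
from typing import Optional

LEVELS = {"low": 1, "medium": 2, "high": 3}  # ordinal scale for the qualitative approach

@dataclass
class Risk:
    asset: str
    threat: str
    annual_likelihood: Optional[float]  # expected events per year; None when no reliable data
    loss_per_event: Optional[float]     # loss per event including recovery costs; None if unknown
    control_cost: float                 # annual cost of the proposed mitigating action
    reduction: float                    # fraction of the expected loss the control removes (0..1)
    likelihood_level: str = "medium"    # qualitative ratings, used when the numbers are missing
    impact_level: str = "medium"

def annual_loss_expectancy(r: Risk) -> Optional[float]:
    """Quantitative estimate: likelihood of the damaging event times the cost of the loss."""
    if r.annual_likelihood is None or r.loss_per_event is None:
        return None
    return r.annual_likelihood * r.loss_per_event

def control_net_benefit(r: Risk) -> Optional[float]:
    """Expected loss avoided per year minus the control's cost; positive means cost-effective."""
    ale = annual_loss_expectancy(r)
    return None if ale is None else ale * r.reduction - r.control_cost

def qualitative_rating(r: Risk) -> str:
    """Fallback when reliable data is unavailable: combine ordinal ratings into high/medium/low."""
    score = LEVELS[r.likelihood_level] * LEVELS[r.impact_level]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def assess(risks):
    """Combined method: quantify where data exists, rate the rest qualitatively, rank each group."""
    quantified = [(r, control_net_benefit(r)) for r in risks if annual_loss_expectancy(r) is not None]
    qualitative = [(r, qualitative_rating(r)) for r in risks if annual_loss_expectancy(r) is None]
    quantified.sort(key=lambda x: x[1], reverse=True)
    qualitative.sort(key=lambda x: LEVELS[x[1]], reverse=True)
    return {
        "quantitative": [(r.asset, r.threat, round(b, 2), b > 0) for r, b in quantified],
        "qualitative": [(r.asset, r.threat, level) for r, level in qualitative],
    }

# Constructed sample risk register (illustrative values, not from any real assessment).
REGISTER = [
    Risk("customer database", "external intruder", 0.2, 500_000, 40_000, 0.8),
    Risk("public web server", "disgruntled employee", 0.05, 50_000, 30_000, 0.9),
    Risk("data center", "natural disaster", None, None, 20_000, 0.5, "low", "high"),
]
```

The output ranks quantified risks by the net benefit of their proposed control (flagging those whose control costs more than the loss it avoids) and lists the data-poor entries under a qualitative rating instead.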