A brief guide to cyber security risk assessments – IT Governance UK Blog
Cyber security risk assessments are essential for organisations to protect themselves from malicious attacks and data breaches.
After all, it’s only once you’re aware of the ways you’re vulnerable that you can put appropriate defences in place.
But what exactly does a risk assessment do? Essentially, it helps you answer these three questions:
- Under what scenarios is your organisation under threat?
- How damaging would each of these scenarios be?
- How likely is it that these scenarios will occur?
To complete a risk assessment, you must give each scenario that you identify a ‘risk score’ based on its potential damage and probability of occurring.
This can be calculated by assigning a number to each scenario on two scales, one for damage and one for probability, with higher numbers for progressively more damaging or more probable incidents. You should end up with a system for scoring risks that looks like this:
Organisations should use this scoring system to determine their ‘risk appetite’, i.e. the level of risk they are willing to accept.
Very few organisations have the means to address every risk, so this system helps them dedicate appropriate time and money to the biggest priorities.
In the example above, organisations would almost certainly address any risk that scored 12 or more but accept risks that scored 3 or less.
Their decision-making for risks in between would be influenced by the nature and size of the organisation and their resources.
Risk appetites should be reviewed regularly and whenever there are changes to the organisation’s cyber security budget or resources.
If you have the means to address a risk, there is no reason to continue considering it ‘acceptable’.
However, if you find yourself struggling to resolve problems that are in your risk appetite, you should consider raising your threshold (or budget) to make sure the highest priorities are dealt with sufficiently.
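To make the scoring and the risk appetite concrete, here is an added example in Python (not code from the post or from IT Governance's toolkit). It assumes damage and probability are each rated 1 to 4 and that the risk score is their product, which is the grid on which the post's thresholds of 12 and 3 line up; the thresholds are parameters so a change in risk appetite can be modelled.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed scales (not stated in the post): 1 = lowest ... 4 = highest.
SCALE = range(1, 5)
TREAT_AT = 12   # scores at or above this are always addressed
ACCEPT_AT = 3   # scores at or below this fall inside the risk appetite


@dataclass(frozen=True)
class Scenario:
    name: str
    damage: int       # 1 = negligible ... 4 = severe
    probability: int  # 1 = rare ... 4 = almost certain

    @property
    def score(self) -> int:
        """Risk score = damage x probability (assumed multiplicative grid)."""
        if self.damage not in SCALE or self.probability not in SCALE:
            raise ValueError(f"{self.name}: ratings must be in {SCALE}")
        return self.damage * self.probability


def classify(score: int, treat_at: int = TREAT_AT, accept_at: int = ACCEPT_AT) -> str:
    """Map a score to the three bands the post describes."""
    if score >= treat_at:
        return "treat"
    if score <= accept_at:
        return "accept"
    return "review"   # decided by the organisation's size, nature and resources


def prioritise(register: list[Scenario], treat_at: int = TREAT_AT,
               accept_at: int = ACCEPT_AT) -> list[tuple[str, int, str]]:
    """Return (name, score, band) tuples with the highest risk first."""
    ranked = sorted(register, key=lambda s: (-s.score, s.name))
    return [(s.name, s.score, classify(s.score, treat_at, accept_at)) for s in ranked]


# Constructed sample register for illustration only.
REGISTER = [
    Scenario("Ransomware via phishing email", damage=4, probability=3),
    Scenario("Lost unencrypted laptop", damage=3, probability=2),
    Scenario("Office flood destroys on-site backups", damage=3, probability=1),
    Scenario("Expired TLS certificate on public website", damage=2, probability=2),
]

if __name__ == "__main__":
    for name, score, band in prioritise(REGISTER):
        print(f"{score:>2}  {band:<7} {name}")
```

Passing a higher `accept_at` reproduces the post's point about raising the threshold: the same register yields more accepted risks without any scenario changing.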
Advice on how to conduct a risk assessment
Our ISO 22301 BCMS Documentation Toolkit features a risk assessment template to help you evaluate your organisation’s level of security and measure your risk appetite. It also includes a Risk Register/Treatment Plan to help you manage risks after you’ve identified them.
The toolkit is designed to help you comply with ISO 22301, which sets out the requirements for a BCMS (business continuity management system).
You can learn more about ISO 22301 on our website or by reading our free green paper: Business Continuity Management – The nine-step approach.
You might also be interested in our risk assessment software vsRisk, which provides a simple and fast way to identify relevant threats and deliver repeatable, consistent assessments year after year.
Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.
Additionally, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of potential risks, and the built-in control sets help you comply with multiple frameworks.
A version of this blog was originally published on 21 April 2018.