How to perform an IT risk assessment (in a nutshell)

Ensuring your network is well protected is key to almost any business in today’s environment. But how are you able to measure whether or not your network is protected from all threats? How do you know that the controls you have in place are proportionate to the risks to your network? There is no point in overspending and committing excess resource to protect an asset that is of no use to your organisation or that you don’t care to protect. This article looks at how to perform an IT risk assessment effectively, and provides insights into one of the preferred methodologies for identifying risk.

The first step is to identify what it is you are trying to protect. For example, is your network flat, so that any breach would result in a compromise of everything on the network, or have you segregated the network into security zones where you can apply further controls to the zones holding the crown jewels? Do your most valuable assets reside within the physical perimeter of your premises? If so, how are you protecting them? The best way to start is with an asset register, identifying all those assets that mean something to your organisation and that, if lost, would result in an impact to your business.

With an asset register in hand, you can begin to score assets based on their value to you. Best practice is to score assets on their confidentiality, integrity and availability impact scores – that is, what the impact to the organisation would be if any of these properties were compromised. Let’s take an example. Say you have a web server that hosts your web content; it is publicly accessible, not hugely sensitive and backed up within your corporate network. Chances are, the biggest impact would be to availability: if the server goes down, your customers cannot reach your website. The confidentiality impact would be low, as this is publicly available information, and the integrity impact is limited because you always have backups of the data to restore from.

Once you have scored your assets based on their value (or impact) to the organisation, you can begin to assess the threats that face your organisation. This is best achieved by consulting others within the organisation, conducting open source research, and reviewing previous incidents and logs to identify attacks that have already occurred against the organisation. Typical threats may include malicious insiders such as disgruntled employees, or “hacktivists” – those wishing to prove a point and take down the organisation because they do not agree with what it stands for. You should compile a list of your highest threats and determine how likely each is to have an impact on your organisation. Some risk assessment methodologies consider motivation and capability as factors. For example, a highly motivated threat actor may be willing to spend more time, money and resources trying to breach your organisation – this significantly ramps up the threat scoring. Additionally, threat actors with greater capability represent a higher threat than those just looking for the low hanging fruit. Be realistic about your threats: if you are a small to medium enterprise with minimal turnover, the likelihood is that you are not going to be targeted by nation state threat actors.

Once you understand both the impact that loss or compromise of your assets would have and the likelihood of each threat, you can perform a simple calculation (if using a quantitative approach) or make an informed, written judgement as to what your top risks are. Some organisations use the formula RISK = IMPACT * THREAT LIKELIHOOD. With this method the highest risks are the threats that are likely to happen and have a high impact on the organisation. The point is that if either factor is missing, or is 0, there is no risk. For example, if a loss would have a significantly high, even catastrophic, impact on the organisation but there is no chance of it ever occurring, then there is no risk.
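The asset scoring, threat scoring and RISK = IMPACT * THREAT LIKELIHOOD steps above can be worked through in a small script. The example below is added here and is not code from the article or its author. The scales are an assumption (impact 1 to 5, motivation and capability 0 to 5), as is the way likelihood is derived from motivation and capability: an actor with no motivation or no capability to target you scores 0, which, as the article says, leaves no risk regardless of impact. The asset register and threat list are constructed sample data, not real figures.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed scales for this example: impact 1 (negligible) to 5 (catastrophic);
# motivation and capability 0 (none) to 5 (very high).
MAX_SCORE = 5
CIA = ("confidentiality", "integrity", "availability")


def _check(value: int, low: int, label: str) -> int:
    if not low <= value <= MAX_SCORE:
        raise ValueError(f"{label} must be between {low} and {MAX_SCORE}, got {value}")
    return value


@dataclass(frozen=True)
class Asset:
    """One asset-register entry with separate C, I and A impact scores."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def __post_init__(self) -> None:
        for prop in CIA:
            _check(getattr(self, prop), 1, f"{self.name}.{prop}")

    def impact(self, properties: Iterable[str] = CIA) -> int:
        # Assumption: the impact of a compromise is the worst affected property.
        return max(getattr(self, p) for p in properties)


@dataclass(frozen=True)
class Threat:
    """A threat source scored on motivation and capability, plus the CIA
    properties it would affect if it were realised."""
    name: str
    motivation: int
    capability: int
    affects: Tuple[str, ...] = CIA

    def __post_init__(self) -> None:
        _check(self.motivation, 0, f"{self.name}.motivation")
        _check(self.capability, 0, f"{self.name}.capability")
        unknown = set(self.affects) - set(CIA)
        if unknown:
            raise ValueError(f"unknown properties {unknown}")

    def likelihood(self) -> int:
        # Assumption: no motivation (or no capability) means the actor is not a
        # realistic threat, so likelihood is 0; otherwise average the two
        # factors, rounding up, to stay on the same 1..5 scale.
        if min(self.motivation, self.capability) == 0:
            return 0
        return (self.motivation + self.capability + 1) // 2


def risk_score(asset: Asset, threat: Threat) -> int:
    """RISK = IMPACT * THREAT LIKELIHOOD, using only the CIA properties the
    threat affects. A zero on either side gives zero risk."""
    return asset.impact(threat.affects) * threat.likelihood()


def rank_risks(assets: Iterable[Asset], threats: Iterable[Threat]) -> List[Tuple[str, str, int]]:
    """Score every asset/threat pair and return them highest risk first."""
    threats = list(threats)
    scored = [(a.name, t.name, risk_score(a, t)) for a in assets for t in threats]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed sample register and threat list (not real data).
SAMPLE_ASSETS = [
    Asset("public web server", confidentiality=1, integrity=3, availability=4),
    Asset("customer database", confidentiality=5, integrity=5, availability=3),
    Asset("office printer", confidentiality=1, integrity=1, availability=1),
]
SAMPLE_THREATS = [
    Threat("disgruntled employee", motivation=4, capability=3),
    Threat("hacktivist", motivation=3, capability=3, affects=("integrity", "availability")),
    Threat("nation state", motivation=0, capability=5),  # capable, but no interest in an SME
    Threat("commodity malware", motivation=2, capability=2),
]

if __name__ == "__main__":
    for asset, threat, score in rank_risks(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"{score:3d}  {asset:20s} <- {threat}")
```

Running the script lists every asset/threat pair from highest to lowest risk, which is the prioritised list the remediation step starts from; the nation state rows all score 0 because the likelihood factor is 0, however high the impact.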

With a set of risks in hand you can begin to focus your remediation efforts. This may take the form of technical, procedural, personnel or policy based controls. For sufficient defence in depth it is always recommended that each risk is addressed by multiple, layered controls, to reduce the likelihood that a single failure lets an attack succeed.

Using this method of performing an IT risk assessment, organisations can be sure that the money they are spending on security is proportionate and in response to an identified risk. Without a consistent approach, organisations risk overspending on controls that may not be necessary, or missing important aspects of security.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.