Risk Assessment: Benefits, Best Practices and Pitfalls

Advantages of security risk assessment we often overlook

While most organizations define the key objective of risk assessment as identification of main business risks, an important result of a competent assessment is to train employees, which occurs during the assessment process. Interviews with individual employees or working groups help experts better understand business processes in their units, as well as better understand processes taking place in the adjacent units. Employees efficiency increases along with the increasing knowledge among them.

Risk assessment also makes key employees think in terms of business risks, and not only at the level of their responsibility. If they learn how to properly understand information security risks, it will be adequately translated into all their business solutions, and, of course, it will be advantageous to the company.

Best practices for successful risk assessment

First of all, we should understand that risk assessments are not carried out siloed. It requires the involvement of different groups of experts from across the company to assure the accuracy of the information obtained. Assessment experts often make wrong conclusions due to the lack of communication with the actual asset owner or the person responsible for a specific area of business. Thus, we may miss company critical risks making conclusions on business processes or information systems without having appropriate evidences.

Talking about best practices, there is no need to reinvent the wheel, there are quite a number of techniques and standards for information security risk assessment (e.g., ISACA’s Risk IT Framework, OCTAVE, NIST’s Risk Management Framework (RMF), ISO 27005).

However, some techniques may be too sophisticated for specific companies or not detailed enough for others.

When performing a risk assessment which is aimed to subsequently reduce unacceptable risks, there are basic steps that should be included in the scope of information security risk assessment and should be managed carefully:

  • Identification of technical vulnerabilities. It is necessary to conduct internal or external scanning and audit of Wi-Fi networks and Web services.
  • Audit of rights in the company’s critical systems within the scope of assessment
  • Studying the assessments on company’s conformity with requirements of various information security documents

Risk assessment will be the most effective when the main goal is to identify key risks that could seriously affect the company. When the assessment process reveals necessary information, there are many ways to go deeper in the study of certain aspects, but you should focus only on those areas that can really affect business processes. Do not waste your and your colleagues’ time on studying the details which will not eventually reduce the level of risks.

One of the main mistakes made by companies in the analysis of information security risks is the allocation of resources for the assessment without the allocation of resources to reduce the level of risk. Assessment gives us useful information on areas to be improved. However, the assessment itself does not solve the company issues. If you conduct a risk assessment, you should understand that the situation will remain the same as long as you do not define and implement risk management controls.

Stereotypes of IT personnel about information security risk assessment

Some IT professionals still believe that information security risks are related only to the security of information systems, and these people always expect only technical findings as a result of assessments. From this point of view, they are confident that the assessment is carried out only in order to develop a technical activities plan to resolve all issues. This is not so. The resulting pattern of information security risks is often closely linked to the business processes and requires serious actions to modify them. Also, do not forget about the organizational activities, which should be implemented as a result of information security risk assessment.

Technicians often believe that in order to reduce the level of risk it is enough to change the hardware configuration or settings of application software, but the whole point may lie in the correctness of the business process itself. Therefore, to achieve goals of information security risk assessment, the company risk assessment expert must have sufficient authority to implement the right controls to reduce risks.

How to interpret risk assessment results and then correctly decide on risk mitigation activities

The main thing is consistency. No matter if you assess risks in qualitatively or in monetary terms, the approach to the assessment should be the same. The criteria to assess feasibility of realization and impact severity should be identical in order to ensure that the impact caused by the realization of various risks is compared properly. Otherwise, we can get misplaced priorities for risk mitigation.

Involving third parties for risk assessment is a good way to reach objectivity of results and correctness of their interpretation.

In addition, company should have a unified policy on risk assessment, which will help organize the assessment process and gather the right people to interview in a short time.

Use of specialized tools to assess information security risks

At present, there are software tools in the market that help professionals in the analysis and assessment of information security risks, as well as in building of appropriate threat models. Although some information security managers still perform this work with the help of spreadsheets and argue that it is convenient for them.

The main advantages of the risk assessment with the help of software tools:

  • All assessments are aggregated at one place. This is useful for displaying the results of analysis and risk assessment, as well as for tracking the dynamics of the actual risk pattern.
  • Some products contain ready information security threat databases. This is very useful for those who are just starting to engage in risk assessment. As practice shows, each new assessment reveals threats that are specific to a particular company. Thus, based on a ready-made threat database, we will eventually get the model of information security threats specific to our organization.
  • Most systems provide the ability to control those requirements that are specific to the area of your business and affect the final risk pattern. Thus, the issue regarding compliance procedures is addressed as well.
  • Work flow functionality is very useful for quick assessment of the assets involved in information security risk assessment. That means, it is sufficient to hold a general meeting with all the staff belonging to the working group, conduct training if necessary, and then continue interaction in the framework of the tool, receiving the required assessments from each of the working group members. This essentially saves the time to collect information
  • Budget planning functionality is also useful for reducing the levels of critical risks and for adding the appropriate controls. Again, everything is located in one place and can be easily controlled.
  • Almost all of the risk assessment tools provide the ability to display a variety of dashboards, which is useful for protecting information security budgets or for timely presentation of any data on information security risks.

When choosing a solution for risk assessment process automation, it is necessary to ensure that it provides the possibility of building the assessment process in accordance with the procedure that you have defined for yourself. Some software products even have an option to create your own custom assessment, or select from several presets.