Security: Risk Assessment (Notes)

The National Institute of Standards and Technology (NIST) produced NIST Special Publication (SP) 800-30, Guide for Conducting Risk Assessments, to help organisations conduct risk assessments.

A risk exists where a threat intersects with a vulnerability, i.e. where a vulnerability exists and a threat source is able to exploit it. Threat sources come in many forms, such as:

  • Adversarial e.g., individuals, groups, organisations and nation states
  • Accidental e.g., a user making a mistake
  • Structural e.g., failure of equipment or environmental controls
  • Environmental e.g., natural or man-made disasters outside the control of the organisation

Vulnerabilities also come in many forms such as:

  • Unpatched software
  • Faulty door lock
  • A data centre built on the flood plain of a river

The risk is scored where a vulnerability (e.g., unpatched software with a known CVE) overlaps with a threat source that can exploit it (e.g., a hacking group that is actively targeting the organisation). Where the two do not overlap, the risk is very low: an adversarial threat source gains nothing from the data centre sitting on a flood plain, so that vulnerability only produces a meaningful risk when paired with an environmental threat source (flooding).

NIST SP 800-30 maps the qualitative values (Very Low to Very High) onto two semi-quantitative scales, one from 0 to 100 and one from 0 to 10, so that assessments can be compared and aggregated:

  Qualitative Value   Semi-Quantitative (0-100)   Semi-Quantitative (0-10)
  Very High           96 - 100                    10
  High                80 - 95                     8
  Moderate            21 - 79                     5
  Low                 5 - 20                      2
  Very Low            0 - 4                       0

Quantitative Risk Calculation

Annualised Rate of Occurrence (ARO) – the likelihood of the event, expressed as the expected number of occurrences per year (an event expected once every ten years has an ARO of 0.1)

Single Loss Expectancy (SLE) – the monetary loss if a single event occurs (commonly calculated as asset value x exposure factor, the fraction of the asset's value lost in one event)

Annual Loss Expectancy (ALE) – ARO x SLE, the expected loss per year; this is the figure used to rank risks against each other and to judge whether a control costs less than the loss it prevents

Risk Register

Identify and document the risks at each step of a project. Identify and document the possible responses to each risk before choosing the most appropriate one, then monitor the results.
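The following is an added example, not part of the original notes, that ties the three pieces above together: it maps a 0-100 score to a qualitative level using the table, computes SLE and ALE for each entry, and produces a risk register ordered by ALE. The `Risk` class, the `mitigation_value` helper and all sample figures (asset values, exposure factors, AROs, scores) are constructed for illustration and are not taken from NIST SP 800-30; the asset value x exposure factor decomposition of SLE is the standard one but is an assumption beyond what the notes state.

```python
from dataclasses import dataclass, replace

# Qualitative bands from the notes' table (NIST SP 800-30 semi-quantitative scale).
# Each entry: (lower bound on the 0-100 scale, qualitative label, 0-10 value).
QUALITATIVE_BANDS = [
    (96, "Very High", 10),
    (80, "High", 8),
    (21, "Moderate", 5),
    (5, "Low", 2),
    (0, "Very Low", 0),
]


def qualitative_level(score: int) -> tuple:
    """Map a 0-100 score to (qualitative label, 0-10 value) using the table."""
    if not 0 <= score <= 100:
        raise ValueError(f"score must be 0-100, got {score}")
    for lower, label, ten_scale in QUALITATIVE_BANDS:
        if score >= lower:
            return label, ten_scale
    raise AssertionError("unreachable: 0 is the lowest band")


@dataclass
class Risk:
    """One risk register entry: a threat source paired with the vulnerability it exploits.
    (Hypothetical structure for this example, not a NIST-defined record.)"""
    name: str
    threat_source: str       # adversarial, accidental, structural or environmental
    vulnerability: str
    asset_value: float       # monetary value exposed (constructed figures)
    exposure_factor: float   # fraction of asset value lost in one event, 0.0-1.0
    aro: float               # Annualised Rate of Occurrence (events per year)
    likelihood_score: int    # 0-100 on the notes' semi-quantitative scale

    def sle(self) -> float:
        # Single Loss Expectancy = asset value x exposure factor (standard decomposition,
        # assumed here; the notes only define SLE as the loss from one event).
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annual Loss Expectancy = ARO x SLE, as in the notes.
        return self.aro * self.sle()


def mitigation_value(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Net annual value of a mitigation: the ALE it removes minus what it costs to run.
    Positive means the control pays for itself; negative suggests accepting or
    transferring the risk instead. Hypothetical helper for choosing a response."""
    return (ale_before - ale_after) - annual_control_cost


def build_register(risks):
    """Return register rows sorted by ALE, highest first."""
    rows = []
    for r in risks:
        label, _ = qualitative_level(r.likelihood_score)
        rows.append({"name": r.name, "threat_source": r.threat_source,
                     "likelihood": label, "sle": r.sle(), "ale": r.ale()})
    rows.sort(key=lambda row: row["ale"], reverse=True)
    return rows


# Constructed sample risks; every figure is invented for the example.
SAMPLE_RISKS = [
    Risk("Unpatched web server exploited", "adversarial",
         "unpatched software with known CVE",
         asset_value=500_000, exposure_factor=0.4, aro=0.5, likelihood_score=85),
    Risk("Data centre flooded", "environmental",
         "data centre on a river flood plain",
         asset_value=2_000_000, exposure_factor=0.8, aro=0.02, likelihood_score=10),
    Risk("Operator deletes production data", "accidental",
         "no change approval, restores never tested",
         asset_value=300_000, exposure_factor=0.5, aro=1.0, likelihood_score=60),
]


def patching_net_value() -> float:
    """Worked mitigation decision: a patch-management programme costing 30,000 per year
    is assumed to cut the web server risk's ARO from 0.5 to 0.05."""
    before = SAMPLE_RISKS[0].ale()
    after = replace(SAMPLE_RISKS[0], aro=0.05).ale()
    return mitigation_value(before, after, 30_000)


if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['name']:<36} {row['threat_source']:<14} {row['likelihood']:<10} "
              f"SLE={row['sle']:>12,.0f} ALE={row['ale']:>12,.0f}")
    print("patch management, net value per year:", patching_net_value())
```

Note that the flood risk has the largest SLE but the smallest ALE because its ARO is so low; ranking by ALE rather than by single-event loss is what the register is for. The mitigation calculation is the same arithmetic applied to the Mitigation response: if the control's annual cost exceeded the ALE it removes, the result would go negative and acceptance or transference would be the better-supported choice.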

Business Impact Analysis

What are the business's objectives, and which critical functions support them? If those functions were unavailable, what would be impacted (legal and regulatory obligations, customer service, monetary loss)?

Risk Response

Avoidance – remove the risk by not doing the activity that creates it (e.g., stop participating in the activity)

Transference – move the financial impact to a third party (e.g., buy insurance)

Acceptance – accept and document the risk, typically where the cost of treating it would exceed the expected loss

Mitigation – decrease the likelihood or impact of the risk (e.g., add or strengthen security controls)