Risk assessment is a crucial component of an organization's risk management process. Risks are negative outcomes: adverse events or threats may exploit vulnerabilities in organizational assets. Risk is commonly expressed as the product of threats, vulnerabilities and asset values. Before conducting risk assessment procedures, an organization should have a complete inventory of its assets. The value of each asset must then be calculated, using one of several techniques, through a process known as asset valuation.
Once the inventory and valuation are complete, the organization explores the threat landscape of each asset through asset-threat pairing analysis. The risk assessment process then begins with risk identification for each asset. Once risks are identified, each one is analyzed using quantitative and qualitative analysis techniques. The analyzed risks are then compared against the organization's acceptable or tolerable risk levels in the risk evaluation step. Once each risk has been evaluated, the organization treats it according to its severity level. Risk treatment, also called risk response, involves four major options: an organization can choose to mitigate, avoid, transfer, or accept a risk based on the tolerance levels set by senior management.
- Mitigate: The organization decides to act to reduce the level of a risk to an acceptable level through administrative/management, technical/logical, or physical/operational security controls. The most common mitigation strategies include reengineering processes, deploying safeguards, and conducting security awareness training.
- Avoid: The second treatment option is to avoid the risk altogether. This may be achieved by removing or disabling the assets that give rise to the risk in the first place. Risk avoidance typically follows an organization's decision to cease the activities or services that are considered to be the source of the risk.
- Transfer: An organization may share a risk through the treatment option known as risk transfer, assigning the risk to a third party. This may take the form of cyber insurance, cloud adoption, or related approaches.
- Accept: Senior management may choose to accept a risk for reasons of cost infeasibility or technical impossibility. This option may be selected if the risk is within the acceptable risk threshold and the treatment would cost more than the asset is worth.
- Rejection: Rejecting or ignoring a risk is completely unacceptable, and organizations should not consider it a risk treatment option.
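The following added example (not part of the original text) walks the whole process above through code: valued assets are paired with threats and vulnerabilities, each risk is analyzed quantitatively (single loss expectancy, annual loss expectancy) and qualitatively (likelihood x impact), evaluated against tolerance levels set by management, and then assigned one of the four treatment options. All asset names, monetary figures, tolerance thresholds and the decision rule in `choose_treatment` are constructed assumptions for illustration; note that rejection is deliberately not a member of the `Treatment` enumeration, so every evaluated risk must end with a real response.

```python
"""Worked risk register: valuation -> threat pairing -> quantitative and
qualitative analysis -> evaluation against tolerance -> treatment choice.
Added example; all assets, figures and decision thresholds are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Treatment(Enum):
    # Rejection/ignoring is deliberately absent: every evaluated risk must
    # end up with one of these four responses.
    MITIGATE = "mitigate"
    AVOID = "avoid"
    TRANSFER = "transfer"
    ACCEPT = "accept"


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # result of asset valuation, in currency units
    dispensable: bool     # can the service be withdrawn (risk avoidance)?


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float    # cost of the safeguard per year
    residual_aro: float   # annualised rate of occurrence once deployed


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    exposure_factor: float          # fraction of asset value lost per event
    aro: float                      # annualised rate of occurrence
    likelihood: int                 # qualitative 1 (rare) .. 5 (almost certain)
    impact: int                     # qualitative 1 (minor) .. 5 (severe)
    control: Optional[Control] = None
    transfer_premium: Optional[float] = None   # e.g. yearly cyber-insurance cost


def single_loss_expectancy(risk: Risk) -> float:
    """SLE = asset value x exposure factor."""
    return risk.asset.value * risk.exposure_factor


def annual_loss_expectancy(risk: Risk, aro: Optional[float] = None) -> float:
    """ALE = SLE x ARO (pass a residual ARO to get the post-control ALE)."""
    return single_loss_expectancy(risk) * (risk.aro if aro is None else aro)


def qualitative_score(risk: Risk) -> int:
    """Likelihood x impact on a 5x5 matrix; range 1..25."""
    return risk.likelihood * risk.impact


def exceeds_tolerance(risk: Risk, ale_tolerance: float, score_tolerance: int) -> bool:
    """Risk evaluation: compare the analysed risk against what management tolerates."""
    return (annual_loss_expectancy(risk) > ale_tolerance
            or qualitative_score(risk) > score_tolerance)


def choose_treatment(risk: Risk, ale_tolerance: float, score_tolerance: int) -> Treatment:
    """Constructed decision rule mapping an evaluated risk onto the four options."""
    if not exceeds_tolerance(risk, ale_tolerance, score_tolerance):
        return Treatment.ACCEPT                      # within appetite, no action needed
    ale = annual_loss_expectancy(risk)
    if risk.control is not None:
        # Cost/benefit of the safeguard: ALE reduction must exceed its annual cost,
        # and a control that costs more than the asset is worth is not justified.
        benefit = ale - annual_loss_expectancy(risk, risk.control.residual_aro)
        if benefit > risk.control.annual_cost and risk.control.annual_cost <= risk.asset.value:
            return Treatment.MITIGATE
    if risk.transfer_premium is not None and risk.transfer_premium < ale:
        return Treatment.TRANSFER                    # cheaper to insure than to carry
    if risk.asset.dispensable:
        return Treatment.AVOID                       # withdraw the source of the risk
    return Treatment.ACCEPT                          # cost-infeasible: needs management sign-off


def build_register(risks, ale_tolerance, score_tolerance):
    """Risk register: each identified risk with its analysis and chosen treatment."""
    return [
        {"asset": r.asset.name, "threat": r.threat, "sle": single_loss_expectancy(r),
         "ale": annual_loss_expectancy(r), "score": qualitative_score(r),
         "treatment": choose_treatment(r, ale_tolerance, score_tolerance)}
        for r in risks
    ]


# Constructed sample data; tolerance figures stand in for those set by senior management.
ALE_TOLERANCE = 5_000.0
SCORE_TOLERANCE = 9

SAMPLE_RISKS = [
    Risk(Asset("customer database", 500_000.0, False), "ransomware", "unpatched VPN appliance",
         0.6, 0.2, 4, 5, control=Control("patch management programme", 20_000.0, 0.02)),
    Risk(Asset("office printer", 2_000.0, True), "theft", "unlocked print room", 1.0, 0.1, 2, 1),
    Risk(Asset("legacy FTP server", 10_000.0, True), "credential sniffing", "cleartext protocol",
         0.5, 1.0, 4, 3, control=Control("network segmentation", 8_000.0, 0.5),
         transfer_premium=6_000.0),
    Risk(Asset("web shop", 200_000.0, False), "DDoS", "no upstream scrubbing", 0.1, 2.0, 4, 3,
         control=Control("on-premise scrubbing appliance", 45_000.0, 0.2),
         transfer_premium=15_000.0),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, ALE_TOLERANCE, SCORE_TOLERANCE):
        print(f"{row['asset']:<18} {row['threat']:<20} ALE={row['ale']:>10,.0f} "
              f"score={row['score']:>2}  -> {row['treatment'].value}")
```

Running the register over the constructed data yields one of each response: the database risk is mitigated because the patching programme's ALE reduction outweighs its cost, the printer risk sits below both tolerances and is accepted, the FTP server risk has no cost-effective control or premium and is avoided by withdrawing a dispensable service, and the web-shop DDoS risk is transferred because the insurance premium is lower than the annual loss expectancy.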
Risk assessment is complemented by other assessment methods, such as vulnerability assessment and similar security evaluation processes.