Risk Analysis

Risk analysis helps organizations secure sensitive information, protect its image and reputation, and meet compliance requirements. A formal risk analysis process includes identifying risk areas and implementing controls to reduce risks to acceptable levels.

The first step in the process is to identify assets that need protection. The assets can be tangible or intangible and generally provide value to the organization. Examples of tangible assets include buildings, employees, computer and network servers, etc. Examples of intangible assets may include intellectual property, custom software presently installed and under development, customer lists, goodwill, etc.

Once the assets have been identified, you will want to identify threats to the assets. The threats can be unintentional or intentional and may include:

• Natural threats (acts of God)
• Accidental or unintentional threats (worker illness, equipment failure)
• Intentional threats such as asset theft and asset tampering (malicious damage)

For each threat, there may be one or more specific vulnerabilities. Vulnerabilities may be based upon location, employee skill sets, network access controls, network monitoring, etc. Examples of vulnerabilities include lack of employee security related education, user knowledge, security functionality, poor password selection by employees, etc. Once a vulnerability has been identified, you should determine how likely it is to occur (probability).

Once your assets, threats, and vulnerabilities have been identified, you can then evaluate the potential impact or loss. Examples of impact can include the cost of downtime, loss of information, breach of legislation, impact on reputation, loss of opportunity, etc. For each asset, consider the asset value, specific vulnerability, and probability of the event.

The next step in the risk analysis process is to develop controls that help eliminate risks or reduce them to an acceptable levels.

Risk assessments help organizations identify, manage, and reduce their risks.