Risk assessment is
|“||the process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Risk assessment is performed to provide an estimate of the damage, loss, or harm that could result from a failure to successfully complete a project.||”|
|“||the process engaged in by an organization to analyse, evaluate and understand the spectrum of risks, their potential likelihood and their severity in order to enable it to act to mitigate unacceptable risk to the organization.||”|
|“||[a] systematic examination of risk using disciplined processes, methods, and tools. A risk assessment provides an environment for decision makers to evaluate and prioritize risks continuously and to recommend strategies to remediate or mitigate those risks.||”|
|“||[the] product or process which collects information and assigns values to risks for the purpose of informing priorities, developing or comparing courses of action, and informing decision making.||”|
|“||a means of providing decisionmakers with information needed to understand factors that can negatively influence operations and outcomes and make informed judgments.||”|
Risk assessment is used to determine the extent of potential threats and risks associated with an IT system throughout its lifecycle. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.
Regardless of the types of risk being considered, all risk assessments generally include the following elements.
- Identifying threats that could harm and, thus, adversely affect critical operations and assets. Threats include such things as intruders, criminals, disgruntled employees, terrorists, and natural disasters.
- Estimating the likelihood that such threats will materialize based on historical information and judgment of knowledgeable individuals.
- Identifying and ranking the value, sensitivity, and criticality of the operations and assets that could be affected should a threat materialize in order to determine which operations and assets are the most important.
- Estimating, for the most critical and sensitive assets and operations, the potential losses or damage that could occur if a threat materializes, including recovery costs.
- Identifying cost-effective actions to mitigate or reduce the risk. These actions can include implementing new organizational policies and procedures as well as technical or physical controls.
- Documenting the results and developing an action plan.
Risk assessments can be accomplished in a variety of ways depending on the specific needs of the organization. To do a risk assessment, one must consider the following risk conditions, in which the data
- could be used to inform legislation, policy, or a program that could have substantial effect;
- could be used to inform important decisions by individuals or organizations with an interest in the subject;
- will be the basis for numbers that are likely to be widely quoted;
- are relevant to a sensitive or controversial subject; and
- have been judged for their quality by experts or external stakeholders who have taken positions on the information.
NIST Special Publication 800-30 identifies nine major activities to be conducted in the development of the risk assessment:
- NIST Special Publication 800-53, at B-11.
- Partnering for Cyber Resilience: Risk and Responsibility in a Hyperconnected World-Principles and Guidelines, at 14.
- Department of Defense, DoD Directive (DoDD) 3020.40, Glossary, at 20 (Jan. 14, 2010) (full-text).
- DHS Risk Lexicon, at 28.
- Information Security Risk Assessment: Practices of Leading Organizations, at 6.
- NIST Special Publication 800-30 provides guidance on the assessment of risk as part of an overall risk management process.