
Cybersecurity risk assessment guide

What is a cybersecurity risk assessment?

A cybersecurity risk assessment is an evaluation of an organization’s ability to protect its information and information systems from cyber threats. Organizations of all sizes—from small businesses to large enterprise operations—that utilize IT resources conduct cybersecurity risk assessments.

The objective of a cybersecurity risk assessment is to identify and analyze potential cyber threats to guide the allocation of resources to prevent and mitigate them, including setting security controls to protect IT resources. Providing a holistic view of IT resources, a cybersecurity risk assessment also helps security teams identify and prioritize gaps and areas for improvement to reduce vulnerabilities.

The scope and scale of a cyber risk assessment are dictated by the number of systems and users as well as the potential damage that accompanies a risk; size alone is not the deciding factor. For instance, a small business might process highly sensitive information, while a large organization may not.

Core components of a cybersecurity risk assessment typically include:

  • Policy analysis that considers security procedures, IT policies, disaster recovery plans, business continuity plans, and risk management policies
  • Data security analysis that evaluates how sensitive data is stored, classified, and secured as well as what access controls are in place
  • Physical security analysis, such as the accessibility of power backup for emergencies, locks, cameras, and alarm systems
  • Network analysis that reviews internal and external networks, switches, and routers as well as network segmentation, firewalls, and wireless networks
  • Server security analysis that evaluates redundancy, malware protection, authentication, and authorization
  • Third-party security analysis for third parties that have access to an organization’s systems

Why is a cybersecurity risk assessment important?

A cybersecurity risk assessment is important because it helps organizations take a proactive approach to threat mitigation and prevention. Additional potential benefits that make the assessment important include:

  • Avoids compliance issues
  • Ensures the optimal use of security efforts and resources
  • Establishes risk baselines to help measure efficacy over time
  • Facilitates the development of plans for responding to and recovering from a cyber attack
  • Increases users’ security awareness
  • Protects against loss or compromise of sensitive data
  • Reduces costs associated with security incidents

How to get started with a cybersecurity risk assessment

Before initiating a cybersecurity risk assessment, it is important to develop a complete plan with processes that can:

  • Identify potential threats and vulnerabilities
  • Predict the impact of threats
  • Provide threat mitigation and removal options

A cybersecurity risk assessment can be conducted by an in-house team or a third party. Whichever approach is taken, a critical success factor is putting the right team in place. The ideal team includes not just IT and security teams, but representatives from across the organization, including senior management.

Steps in a cybersecurity risk assessment

Step 1: Identify IT assets

All IT assets must be identified to conduct a comprehensive cybersecurity risk assessment. This includes technology infrastructure (i.e., physical and logical) and sensitive data created, stored, or transmitted by these systems. It is important to include third-party systems and services.

Step 2: Classify IT asset risk

Once IT assets have been identified and cataloged, they must be classified. This means reviewing each one and assessing the following:

When classifying risks to IT assets, consider inherent and residual risks:

  • Inherent risk is the level of risk before any controls are implemented to mitigate and eliminate risk.
  • Residual risk is the risk that remains once controls have been implemented.

Step 3: Analyze and score risks

Risk analysis assigns priority to risks once they have been identified and cataloged. Among the considerations used for scoring in a cybersecurity risk assessment are the three elements of the CIA triad. These are:

  • Confidentiality
    This measurement focuses on the efficacy of systems and processes that ensure that confidential information is protected from unauthorized access. This score is usually calculated according to the amount and type of damage that would result if the data were compromised.
  • Integrity
    This measures the accuracy, consistency, and reliability of information throughout its lifecycle. It takes into account the systems that store and process information.
  • Availability
    This measures how quickly and easily authorized users can access the information they need.

To help prioritize resources, a score should consider inherent and residual risks and be assigned to each risk based on:

  • Probability
  • Impact
  • Controls

Probability

Probability measures the likelihood of an asset succumbing to a risk in any given year. Probability does not consider the significance of a risk’s impact. A commonly used scoring scale for probability in a cybersecurity risk assessment is the frequency with which the risk manifests itself:

  1. Certain (daily or multiple times a day)
  2. Likely (multiple times a week, but not daily)
  3. Possible (once a week)
  4. Unlikely (once a month)
  5. Rare (once a year or less)

Impact

The overall impact of a risk is based on the severity or effect of that risk materializing. The cybersecurity risk assessment impact score should take into consideration the elements of the CIA triad.

These scores are generally associated with the impact of financial, operational, reputational, and strategic risks. The scoring scale usually used to measure impact is:

  1. Very high
  2. High
  3. Moderate
  4. Low
  5. Very low

Controls

The strength of controls is measured according to the breadth and efficacy of preventive and detective measures. The following criteria are used to measure the strength of controls for cybersecurity risk assessments.

Strong controls

  • Adequate policies and procedures exist.
  • Automated controls are in place.
  • Effective manual controls are in place.
  • Effective reliance on monitoring controls.
  • Testing and audit results indicate that controls adequately protect the company from risk.
  • Testing and audits reveal no risks.

Effective controls

  • Adequate policies and procedures exist.
  • Automated controls are in place.
  • Effective manual controls are in place.
  • Moderate reliance on monitoring controls.
  • Testing or audits are performed with results indicating controls adequately protect the company from risk.
  • Noted risk observations are related to process improvement opportunities.

Adequate controls

  • Adequate policies and procedures exist.
  • Moderate reliance on automated controls.
  • Effective manual controls are in place.
  • Low reliance on monitoring controls.
  • Testing or audits are performed with results indicating that controls adequately protect the company from risk.
  • Minor risk observations are noted.
  • Several process improvement opportunities are noted.

Weak controls

  • Adequate policies and procedures exist.
  • Weak reliance on automated controls.
  • Effective manual controls are in place.
  • Low reliance on monitoring controls.
  • Testing or audits are performed with results indicating controls adequately protect the company from risk.
  • Minor risk observations are noted.
  • Several process improvement opportunities are noted.

Inadequate controls

  • No policies and procedures exist.
  • No automated controls are in place.
  • No manual controls are in place.
  • Testing or audits have not been performed, or if performed, results indicate inadequate controls.
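As an added example (not part of the guide), the following Python risk register applies the probability, impact, and control-strength scales above to compute an inherent and a residual score per asset and to prioritize the register. The guide does not say how the scales combine, so the numeric weights (5 = most frequent or most severe), the per-tier mitigation factors, the acceptance threshold, and the sample register are all assumptions of this example.

```python
from dataclasses import dataclass

# Probability scale from the guide (most frequent first) mapped to weights.
# The weights themselves (5 = worst, 1 = least) are this example's assumption.
PROBABILITY = {"Certain": 5, "Likely": 4, "Possible": 3, "Unlikely": 2, "Rare": 1}
# Impact scale from the guide, same weighting assumption.
IMPACT = {"Very high": 5, "High": 4, "Moderate": 3, "Low": 2, "Very low": 1}
# Control-strength tiers from the guide. The share of inherent risk each tier
# is assumed to remove is this example's choice, not the guide's.
CONTROL_MITIGATION = {"Strong": 0.8, "Effective": 0.6, "Adequate": 0.4,
                      "Weak": 0.2, "Inadequate": 0.0}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    probability: str   # key of PROBABILITY
    impact: str        # key of IMPACT
    controls: str      # key of CONTROL_MITIGATION

    def __post_init__(self):
        # Reject labels outside the guide's scales instead of silently mis-scoring.
        for value, scale in ((self.probability, PROBABILITY),
                             (self.impact, IMPACT),
                             (self.controls, CONTROL_MITIGATION)):
            if value not in scale:
                raise ValueError(f"{value!r} is not one of {sorted(scale)}")

    def inherent(self) -> int:
        """Risk before any controls: probability weight x impact weight (1..25)."""
        return PROBABILITY[self.probability] * IMPACT[self.impact]

    def residual(self) -> float:
        """Risk remaining after the assumed mitigation of the control tier."""
        return round(self.inherent() * (1 - CONTROL_MITIGATION[self.controls]), 1)


def prioritize(register):
    """Order by residual risk, then inherent risk, then asset name, so the
    largest remaining exposure rises to the top."""
    return sorted(register, key=lambda r: (-r.residual(), -r.inherent(), r.asset))


def needs_treatment(register, threshold=8.0):
    """Assets whose residual risk still exceeds an (assumed) acceptance threshold."""
    return [r.asset for r in prioritize(register) if r.residual() > threshold]


# Constructed sample register, not data from any real assessment.
SAMPLE_REGISTER = [
    Risk("Customer database", "ransomware", "Possible", "Very high", "Effective"),
    Risk("Public web server", "volumetric DDoS", "Likely", "Moderate", "Weak"),
    Risk("Third-party HR SaaS", "credential phishing", "Certain", "High", "Inadequate"),
    Risk("Office printer", "firmware tampering", "Rare", "Low", "Adequate"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.asset:<22} inherent={r.inherent():>2} "
              f"residual={r.residual():>5} controls={r.controls}")
    print("needs treatment:", needs_treatment(SAMPLE_REGISTER))
```

Note that the customer database has a higher inherent score than the web server but a lower residual one, which is the inherent-versus-residual distinction the guide draws in Step 2.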

Step 4: Identify security controls

After scoring and prioritizing risks, the cybersecurity risk assessment covers identifying security controls to mitigate and eliminate threats. These controls include any type of safeguard or countermeasure used to avoid, detect, counteract, or minimize IT asset risks.

Security controls to consider include:

Step 5: Monitor and review effectiveness

The final step in a cybersecurity risk assessment focuses on prevention. It includes reviewing the overall findings and establishing systems to ensure that assessments are conducted on a regular basis.

Best practices for a cybersecurity risk assessment program recommend repeating the process at least once every year. This is easier if organizations use the information that is collected initially and keep it up to date. This includes:

  • Data repositories
  • Existing security controls
  • Interactions of any systems with external services or vendors
  • IT asset inventory of:
      • Application portfolio for all current applications, tools, and utilities
      • Physical assets, such as hardware, network, and communication components and peripherals
      • Operating system information
  • Security requirements, policies, and procedures
  • System architectures, network diagrams, and data stored or transmitted by systems

Cybersecurity risk assessment resources

Cybersecurity and Infrastructure Security Agency (CISA) Cyber Security Evaluation Tool (CSET®)

The CISA CSET is an application that helps IT asset owners and operators evaluate operational technology and information technology security and conduct cybersecurity risk assessments. After completing the evaluation, organizations receive security and risk reports that present the assessment results in both a summarized and detailed manner. Organizations can manipulate and filter content to analyze findings with varying degrees of granularity to inform decisions related to security and risk.

Cybersecurity and Infrastructure Security Agency (CISA) National Cyber Awareness System (US-CERT Alerts)

CISA US-CERT Alerts are offered as a free, subscription-based service that provides real-time reports on cyber incidents, security issues, vulnerabilities, and exploits. It supports a cybersecurity risk assessment with valuable information for evaluating the likelihood and impact of threats.

Federal Bureau of Investigation Internet Crime Complaint Center (FBI IC3) Industry Alerts

FBI IC3 Industry Alerts are offered as a free, subscription-based service and provide regular cyber threat reports of breaches that have occurred and are suspected. Each report includes a description of the threat, indicators, and recommended mitigation techniques. Like CISA US-CERT Alerts, FBI IC3 Industry alerts also facilitate cybersecurity risk assessments.

Center for Internet Security Risk Assessment Method (CIS RAM)

The CIS RAM is a cybersecurity risk assessment method that helps organizations implement and assess their security posture against the CIS Critical Security Controls (CIS Controls) cybersecurity best practices.

Department of Defense (DoD) Risk Management Framework (RMF)

The DoD RMF defines guidelines that DoD agencies use to conduct cybersecurity risk assessments. RMF splits the cyber risk management strategy into six key steps—categorize, select, implement, assess, authorize, and monitor. The DoD RMF can be used by any organization to guide cybersecurity risk assessments.

Factor Analysis of Information Risk (FAIR) Framework

The FAIR Framework helps organizations conduct cybersecurity risk assessments. It is the only international standard that provides a quantitative model for information security and operational risk.

FAIR provides a cybersecurity risk assessment model for understanding, analyzing, and quantifying cyber risk and operational risk in financial terms. Unlike other frameworks, the FAIR Framework does not focus the output on qualitative color charts or numerical weighted scales.

International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27001:2013 (ISO 27001)

ISO 27001 provides a comprehensive approach to information security management, including requirements for cybersecurity risk assessment and risk treatment. It includes specifications for a best-practice ISMS (information security management system) with a risk-based approach to information security risk management that addresses people, processes, and technology.

National Institute of Standards and Technology (NIST) Cybersecurity Framework

The NIST Cybersecurity Framework provides critical infrastructure owners and operators with standards, guidelines, and best practices to manage cybersecurity risk. This framework maps cybersecurity functions to six informative references: NIST 800-53 Rev. 5, International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001:2013, the Control Objectives for Information and Related Technologies 5 (COBIT 5) Framework, the Center for Internet Security Critical Security Controls (CIS CSC), International Society of Automation (ISA) 62443-2-1:2009, and ISA 62443-3-3:2013.

Note that this document is not limited to critical infrastructure owners and can be used by any organization seeking to improve its cybersecurity and resiliency. It also provides information to help with cybersecurity risk assessments.

National Institute of Standards and Technology (NIST) Guide for Conducting Risk Assessments

The NIST Guide for Conducting Risk Assessments provides guidance for conducting a cybersecurity risk assessment of federal information systems and organizations. Having teams conduct a cybersecurity risk assessment on a regular and ongoing basis is intended to give organizational leaders a status of their security measures. Any organization can use the NIST Guide for Conducting Risk Assessments to support cybersecurity risk assessment efforts.

National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)

The NIST RMF provides a disciplined, structured, and flexible process for managing security and privacy risks. Any organization can use the NIST RMF to support cybersecurity risk assessment efforts.

Payment Card Industry Data Security Standard (PCI DSS) Risk Assessment Guidelines

PCI DSS 4.0 requires all organizations that process and handle payment card data to conduct a formal cybersecurity risk assessment that identifies vulnerabilities, threats, and risks to their organization, especially their cardholder data environment (CDE). This requirement helps organizations identify, prioritize, and manage information security risks.

Service Organization Control Type 2 (SOC 2)

SOC 2 is a trust-based cybersecurity framework and auditing standard developed by the American Institute of Certified Public Accountants (AICPA) to help verify that organizations are securely managing client data. A SOC 2 cybersecurity risk assessment is used to collect detailed information and assurance about an organization’s controls related to the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and to the confidentiality and privacy of the information processed by these systems.

Comparing cybersecurity risk assessment frameworks

Each cybersecurity risk assessment framework varies in its approach and focus, with some aimed at compliance, others at financial risk, and others at threat prevention. Many organizations use a combination of these frameworks to address specific needs or regulatory requirements.

Quick view: Cybersecurity and Infrastructure Security Agency (CISA) Cyber Security Evaluation Tool (CSET®)

  • Best for: providers of critical infrastructure services and other essential organizations that require customized assessments
  • Objective: assess infrastructure security compliance with regulatory frameworks
  • Type of assessment: self-assessment tool with questionnaires and report templates

Quick view: Center for Internet Security Risk Assessment Method (CIS RAM)

  • Best for: medium to large organizations required to comply with specific industry standards
  • Objective: assess operational security and ensure appropriate threat management systems are in place
  • Type of assessment: self-assessments and those conducted by third parties to validate results for compliance reporting

Quick view: Department of Defense (DoD) Risk Management Framework (RMF)

  • Best for: primarily used by U.S. federal and defense agencies and contractors, but applicable to private-sector organizations
  • Objective: evaluate systems for identifying, assessing, and managing cybersecurity risks
  • Type of assessment: six-step assessment that must be approved by designated officials, ensuring that systems meet specific security standards before they are authorized for use within DoD networks (can be used for self-assessments by private-sector organizations)

Quick view: Factor Analysis of Information Risk (FAIR) Framework

  • Best for: organizations seeking financial quantification of risk
  • Objective: conduct a quantitative risk management approach to assess the financial impact of cybersecurity risks
  • Type of assessment: a quantitative model helps internal teams or third-party experts conduct a probabilistic risk assessment

Quick view: NIST Guide for Conducting Risk Assessments (NIST SP 800-30)

  • Best for: federal agencies but applicable for private-sector organizations
  • Objective: conduct cybersecurity risk assessments, including threat analysis, impact assessment, and risk treatment
  • Type of assessment: self-assessments and those conducted by third parties to validate results for compliance reporting

Quick view: PCI DSS Cybersecurity Risk Assessment

  • Best for: all organizations that handle cardholder information
  • Objective: ensure the security of cardholder data for organizations processing credit card transactions
  • Type of assessment: mandatory risk assessments, conducted by authorized third-party assessors as part of PCI DSS compliance

Quick view: Service Organization Control Type 2 (SOC 2)

  • Best for: service providers, cloud and IT companies, and other organizations handling sensitive customer data
  • Objective: demonstrates that an organization meets five Trust Services Criteria for managing customer data (i.e., data security, availability, processing integrity, confidentiality, and privacy)
  • Type of assessment: requires an independent, third-party audit to verify that an organization meets specific criteria

Real-world examples of cybersecurity risk assessments

The following examples demonstrate how organizations use cybersecurity risk assessment frameworks.

Public utility company: CISA CSET®

A regional power company uses CISA’s CSET to evaluate its cybersecurity posture across critical infrastructure, including transmission networks (e.g., substations and transformers) and industrial control systems (ICS). This cybersecurity risk assessment tool provides a structured assessment that identifies vulnerabilities based on industry standards and regulatory requirements.

Their CSET cybersecurity risk assessment helped the utility company pinpoint gaps in security controls and prioritize improvements to protect against cyber threats that could disrupt essential services. The updates, which were identified as part of the CSET cybersecurity risk assessment, resulted in enhanced risk resilience, improved cyber defenses, compliance with regulatory standards, and increased awareness amongst staff about the importance of understanding and monitoring cybersecurity risk.

Healthcare organization: CIS RAM

A metropolitan hospital uses the CIS RAM to align its security measures with the CIS Controls to ensure that protected health information (PHI) is effectively secured. Using CIS RAM, the hospital assesses risks based on its specific operational environment and administrative needs.

Depending on the outcome of the regular cybersecurity risk assessment exercises, the hospital determines which controls to implement based on acceptable risk levels and operational impact. By using the CIS RAM to guide cybersecurity risk assessment efforts, the hospital has built a risk-based approach to security that prioritizes resources effectively to protect patient data and comply with HIPAA and other data protection and data privacy regulations.

Defense contractor: DoD RMF

An online communications platform provider that wants to offer its solution to groups within the Department of Defense goes through the six DoD RMF steps to validate that its security systems meet standards. Because the data that the defense contractor will be handling is considered sensitive, the DoD RMF is used to evaluate potential risk levels (e.g., high or moderate) based on potential threats and the organization’s ability to defend against the risks.

Additionally, the defense contractor undergoes a formal authorization process to achieve Approval to Operate (ATO). Once the defense contractor completes the six-step cybersecurity risk assessment process, the DoD has validation that its system meets strict security requirements for maintaining compliance and safeguarding sensitive defense data against cyber threats.

Federal agency: NIST SP 800-30 for Conducting Risk Assessments

The Centers for Medicare and Medicaid Services (CMS) division of the U.S. Department of Health and Human Services (HHS) uses NIST SP 800-30 to guide regular risk assessments on its IT systems. CMS handles vast amounts of PHI and financial data related to Medicare and Medicaid beneficiaries and uses this cybersecurity risk assessment framework to ensure compliance with federal standards for data protection and data privacy.

NIST SP 800-30 helps the agency identify potential threats, vulnerabilities, and impacts related to sensitive information processed and stored in IT systems. The agency also uses NIST 800-30 to assess the likelihood and potential consequences of each risk scenario. Based on the findings of its regular cybersecurity risk assessment exercises, the agency develops a prioritized risk mitigation plan that enhances its ability to detect and respond to cyber threats and reduce vulnerabilities in accordance with federal requirements.

E-commerce company: PCI DSS Cybersecurity Risk Assessment

An online retailer regularly conducts a PCI DSS cybersecurity risk assessment to ensure compliance. The PCI DSS assessment evaluates risks associated with cardholder data storage, transmission, and processing, identifying gaps in data protection practices. Regularly undertaking this cybersecurity risk assessment not only meets compliance requirements but also helps the company strengthen its payment security infrastructure by assuring that encryption, access controls, and network segmentation are all optimized to reduce the risk of security breaches that could compromise personally identifiable information and sensitive payment data.

Software-as-a-service (SaaS) provider: SOC 2

A cloud service provider regularly undergoes a SOC 2 audit to demonstrate to customers that it has robust controls in place to protect client data. As part of the SOC 2 cybersecurity risk assessment process, the provider’s security measures are evaluated over time by an external auditor, who assesses controls related to data security, availability, and confidentiality.

The need for cybersecurity risk assessments

No matter what size it is, any organization with IT resources (i.e., almost every organization) needs to conduct cybersecurity risk assessments. The scale and frequency will depend on the organization, but some type of cybersecurity risk assessment plan is imperative. As noted above, many resources are available to support whatever type of cybersecurity risk assessment program is deemed appropriate.

Date: February 11, 2025 | Reading time: 20 minutes