What is a cybersecurity risk assessment?
A cybersecurity risk assessment is an evaluation of an organization’s ability to protect its information and information systems from cyber threats. The objective is to identify and analyze potential cyber threats to guide the allocation of resources to prevent and mitigate them, including setting security controls to protect IT resources. Providing a holistic view of IT resources, a cybersecurity risk assessment also helps security teams identify and prioritize gaps and areas for improvement to reduce vulnerabilities.
Organizations of all sizes—from small businesses to large enterprise operations—that utilize IT resources conduct cybersecurity risk assessments.
The scope and scale of an assessment are dictated by the number of systems and users and by the potential damage that would follow if a risk materialized, not by organization size alone. For instance, a small business might process highly sensitive information, while a large organization may not.
Core components of a cybersecurity risk assessment typically include:
- Policy analysis that considers security procedures, IT policies, disaster recovery plans, business continuity plans, and risk management policies
- Data security analysis that evaluates how sensitive data is stored, classified, and secured as well as what access controls are in place
- Physical security analysis, such as the accessibility of power backup for emergencies, locks, cameras, and alarm systems
- Network analysis that reviews internal and external networks, switches, and routers as well as network segmentation, firewalls, and wireless networks
- Server security analysis that evaluates redundancy, malware protection, authentication, and authorization
- Third-party security analysis for third parties that have access to an organization’s systems
Why is a cybersecurity risk assessment important?
A cybersecurity risk assessment is important because it helps organizations take a proactive approach to threat mitigation and prevention. Additional benefits that make the assessment important include:
- Avoids compliance issues
- Ensures the optimal use of security efforts and resources
- Establishes risk baselines to help measure efficacy over time
- Facilitates the development of plans for responding to and recovering from a cyber attack
- Increases users’ security awareness
- Protects against loss or compromise of sensitive data
- Reduces costs associated with security incidents
How to get started with a cybersecurity risk assessment
Before initiating a cybersecurity risk assessment, it is important to develop a complete plan with processes that can:
- Identify potential threats and vulnerabilities
- Predict the impact of threats
- Provide threat mitigation and removal options
A cybersecurity risk assessment can be conducted by an in-house team or a third party. Whichever approach is taken, a critical success factor is putting the right team in place. The ideal team includes not just IT and security teams, but representatives from across the organization, including senior management.
Steps in a cybersecurity risk assessment
Step 1: Identify IT assets
All IT assets must be identified to conduct a comprehensive cybersecurity risk assessment. This includes technology infrastructure (i.e., physical and logical) and sensitive data created, stored, or transmitted by these systems. It is important to include third-party systems and services.
Step 2: Classify IT asset risk
Once IT assets have been identified and cataloged, they must be classified. This means reviewing each one and assessing the following:
- Financial risks posed
- Importance to operations
- Likelihood of being targeted by cybercriminals
- Potential for and repercussions from reputational damage
- Presence of sensitive and personally identifiable information (PII)
When classifying risks to IT assets, consider inherent and residual risks:
- Inherent risk is the level of risk before any controls are implemented to mitigate and eliminate risk.
- Residual risk is the risk that remains once controls have been implemented.
Step 3: Analyze and prioritize risks
Risk analysis assigns priority to risks once they have been identified and cataloged. Among the considerations used for scoring in a cybersecurity risk assessment are the three elements of the CIA Triad:
- Confidentiality
This measurement focuses on the efficacy of the systems and processes that protect confidential information from unauthorized access. The score is usually calculated according to the amount and type of damage that would result if the data were disclosed.
- Integrity
This measures the accuracy, consistency, and reliability of information throughout its lifecycle, taking into account the systems that store and process it.
- Availability
This measures how quickly and reliably authorized users can access the information and systems they need.
To help prioritize resources, a score should consider inherent and residual risks and be assigned to each risk based on:
- Probability
- Impact
- Controls
Probability
Probability measures the likelihood that an asset succumbs to a risk over a given period. Probability does not consider the significance of a risk's impact. A commonly used scoring scale for probability in cybersecurity risk assessments is the expected frequency with which the risk manifests:
- Certain (daily or multiple times a day)
- Likely (multiple times a week, but not daily)
- Possible (once a week)
- Unlikely (once a month)
- Rare (once a year or less)
Impact
The overall impact of a risk is based on the severity of the effect if the risk materializes. The impact score should take into consideration the elements of the CIA Triad.
Impact scores generally cover the financial, operational, reputational, and strategic consequences of the risk. The scoring scale usually used to measure impact is:
- Very high
- High
- Moderate
- Low
- Very low
Controls
The strength of controls is measured according to the breadth and efficacy of preventive and detective measures. The following five ratings are used to measure the strength of controls in cybersecurity risk assessments, each characterized by the criteria listed under it.
- Strong
  - Adequate policies and procedures exist.
  - Automated controls are in place.
  - Effective manual controls are in place.
  - Effective reliance on monitoring controls.
  - Testing and audit results indicate that controls adequately protect the company from risk.
  - Testing and audits reveal no risks.
- Effective
  - Adequate policies and procedures exist.
  - Automated controls are in place.
  - Effective manual controls are in place.
  - Moderate reliance on monitoring controls.
  - Testing or audits are performed with results indicating controls adequately protect the company from risk.
  - Noted risk observations are related to process improvement opportunities.
- Adequate
  - Adequate policies and procedures exist.
  - Moderate reliance on automated controls.
  - Effective manual controls are in place.
  - Low reliance on monitoring controls.
  - Testing or audits are performed with results indicating that controls adequately protect the company from risk.
  - Minor risk observations are noted.
  - Several process improvement opportunities are noted.
- Weak
  - Adequate policies and procedures exist.
  - Weak reliance on automated controls.
  - Effective manual controls are in place.
  - Low reliance on monitoring controls.
  - Testing or audits are performed with results indicating controls adequately protect the company from risk.
  - Minor risk observations are noted.
  - Several process improvement opportunities are noted.
- Inadequate
  - No policies and procedures exist.
  - No automated controls are in place.
  - No manual controls are in place.
  - Testing or audits have not been performed, or if performed, results indicate inadequate controls.
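The scoring described in Step 3 (inherent risk from probability and impact, residual risk after the rated controls, then ranking) can be run over a small risk register. The following is an added example, not code from the original article or from any of the frameworks it cites. The five-point labels are the article's; the numeric weights attached to each label, the control-reduction percentages, the rating thresholds, and the sample assets are assumptions chosen for the illustration.

```python
"""Score and rank a risk register by probability, impact and control strength.

Added illustration. The label scales are the article's; every numeric weight
below is an assumption made for this example.
"""
from dataclasses import dataclass

# Article's probability labels -> 1..5 (assumed mapping)
PROBABILITY = {"Certain": 5, "Likely": 4, "Possible": 3, "Unlikely": 2, "Rare": 1}
# Article's impact labels -> 1..5 (assumed mapping)
IMPACT = {"Very high": 5, "High": 4, "Moderate": 3, "Low": 2, "Very low": 1}
# Article's control-strength labels -> fraction of inherent risk removed (assumed)
CONTROL_REDUCTION = {"Strong": 0.8, "Effective": 0.6, "Adequate": 0.4,
                     "Weak": 0.2, "Inadequate": 0.0}


@dataclass
class Risk:
    asset: str
    threat: str
    probability: str
    impact: str
    controls: str
    has_pii: bool = False  # PII presence is one of Step 2's classification factors


def inherent_score(probability: str, impact: str) -> int:
    """Risk before any controls: probability x impact on a 1..25 scale."""
    return PROBABILITY[probability] * IMPACT[impact]


def residual_score(inherent: float, controls: str) -> float:
    """Risk that remains once the rated controls are taken into account."""
    return round(inherent * (1.0 - CONTROL_REDUCTION[controls]), 1)


def rating(score: float) -> str:
    """Bucket a score into a priority band (thresholds are assumptions)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def score_register(register):
    """Score every entry and return rows ordered by residual risk, highest first.

    Ties on residual risk go to PII-bearing assets, then to higher inherent risk.
    """
    rows = []
    for r in register:
        inh = inherent_score(r.probability, r.impact)
        res = residual_score(inh, r.controls)
        rows.append({"asset": r.asset, "threat": r.threat, "inherent": inh,
                     "residual": res, "rating": rating(res), "pii": r.has_pii})
    rows.sort(key=lambda row: (row["residual"], row["pii"], row["inherent"]),
              reverse=True)
    return rows


# Constructed sample register (hypothetical assets and threats).
SAMPLE_REGISTER = [
    Risk("HR database", "Credential theft via phishing", "Likely", "Very high",
         "Adequate", has_pii=True),
    Risk("Public web server", "Exploitation of unpatched CMS", "Possible", "High",
         "Effective"),
    Risk("Backup NAS", "Ransomware encrypts backups", "Unlikely", "Very high", "Weak"),
    Risk("Office Wi-Fi", "Rogue access point", "Rare", "Moderate", "Strong"),
    Risk("Vendor VPN account", "Third-party credential compromise", "Possible",
         "High", "Inadequate"),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        print(f"{row['rating']:8} residual={row['residual']:5} "
              f"inherent={row['inherent']:3}  {row['asset']}: {row['threat']}")
```

Running it puts the HR database and the vendor VPN account at the top with the same residual score even though their inherent scores differ (20 versus 12): the vendor account has no controls at all, so none of its inherent risk is removed. The public web server, with a higher inherent score than the backup NAS, ranks below it because its controls are rated Effective while the NAS's are Weak. That gap between inherent and residual is exactly what the Step 2 distinction is meant to surface.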
Step 4: Identify security controls
After scoring and prioritizing risks, the cybersecurity risk assessment covers identifying security controls to mitigate and eliminate threats. These controls include any type of safeguard or countermeasure used to avoid, detect, counteract, or minimize IT asset risks.
Security controls to consider include:
- Access management systems
- Administrative controls, such as auditing, data classification, and separation of duties
- Anti-malware software
- Authentication systems
- Encryption for data at rest and in transit
- Firewall configurations
- Intrusion detection systems and intrusion prevention systems (IDS/IPS)
- Multi-factor authentication
- Network segregation
- Password protocols
- Physical controls such as alarm systems, cameras, fences, and locks
- Ransomware protections
- Security education (e.g., phishing prevention)
- Vendor risk management
Step 5: Monitor and review effectiveness
The final step in a cybersecurity risk assessment focuses on keeping the results current. It includes reviewing the overall findings and establishing processes to ensure that assessments are repeated on a regular basis.
Best practices for cybersecurity risk assessments recommend repeating the process at least once every year. This is easier if organizations use the information that is collected initially and keep it up to date. This includes:
- Data repositories
- Existing security controls
- Interactions of any systems with external services or vendors
- IT asset inventory covering:
  - Operating system information
  - Security requirements, policies, and procedures
  - System architectures, network diagrams, and data stored or transmitted by systems
  - Application portfolio for all current applications, tools, and utilities
  - Physical assets, such as hardware, network, and communication components and peripherals
Cybersecurity and Infrastructure Security Agency (CISA) Cyber Security Evaluation Tool (CSET®)
The CISA CSET is a desktop application that helps asset owners and operators evaluate the security of operational technology (OT) and information technology (IT) systems and conduct cybersecurity risk assessments. After completing the evaluation, organizations receive security and risk reports that present the assessment results in both summarized and detailed form. Results can be filtered and examined at varying levels of granularity to inform decisions about security and risk.
Cybersecurity and Infrastructure Security Agency (CISA) National Cyber Awareness System (US-CERT Alerts)
CISA US-CERT Alerts are offered as a free, subscription-based service that provides timely reports on cyber incidents, security issues, vulnerabilities, and exploits. They support cybersecurity risk assessments with information useful for evaluating the likelihood and impact of threats.
Federal Bureau of Investigation Internet Crime Complaint Center (FBI IC3) Industry Alerts
FBI IC3 Industry Alerts are offered as a free, subscription-based service and provide regular cyber threat reports on breaches that have occurred or are suspected. Each report includes a description of the threat, indicators, and recommended mitigation techniques. Like CISA US-CERT Alerts, FBI IC3 Industry Alerts also inform cybersecurity risk assessments.
Center for Internet Security Risk Assessment Method (CIS RAM)
The CIS RAM is a cybersecurity risk assessment method that helps organizations implement and assess their security posture against the CIS Critical Security Controls (CIS Controls) cybersecurity best practices.
Department of Defense (DoD) Risk Management Framework (RMF)
DoD RMF defines the process DoD components use to manage cybersecurity risk; it adopts the NIST RMF (SP 800-37). Since SP 800-37 Rev. 2, the RMF splits the cyber risk management process into seven steps: prepare, categorize, select, implement, assess, authorize, and monitor. Although written for DoD, the RMF can be used by any organization to guide cybersecurity risk assessments.
Factor Analysis of Information Risk (FAIR) Framework
The FAIR Framework helps organizations conduct cybersecurity risk assessments. It is published as an international standard by The Open Group and provides a quantitative model for information security and operational risk.
FAIR provides a cybersecurity risk assessment model for understanding, analyzing, and quantifying cyber risk and operational risk in financial terms: risk is factored into loss event frequency and loss magnitude, each estimated as a range rather than a point value. Unlike qualitative frameworks, FAIR does not express its output as color-coded heat maps or weighted ordinal scales but as a distribution of expected annual loss.
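To show what a quantitative, financially expressed result looks like, here is an added example of a FAIR-style Monte Carlo estimate of annualized loss exposure. It is not code from the original article, the FAIR Institute, or The Open Group's standards; it uses only FAIR's top-level factoring (loss event frequency, itself threat event frequency times vulnerability, multiplied by loss magnitude). The scenario, its dollar figures, the triangular (minimum, most likely, maximum) input estimates, the per-year simplification of loss magnitude, and the hypothetical MFA control are all assumptions made for the illustration.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure.

Added illustration; the scenario figures and distributions are constructed.
"""
import random
from statistics import mean


def draw(rng: random.Random, estimate: tuple) -> float:
    """Sample one value from a (minimum, most likely, maximum) estimate.

    random.triangular takes (low, high, mode), so the tuple is reordered here.
    """
    low, mode, high = estimate
    return rng.triangular(low, high, mode)


def simulate_annual_loss(tef, vuln, loss_magnitude, samples=10_000, seed=7):
    """Return a list of simulated annual losses in currency units.

    tef            - threat event frequency per year, (min, mode, max)
    vuln           - probability that a threat event becomes a loss event, (min, mode, max)
    loss_magnitude - loss per loss event, (min, mode, max)

    FAIR factors risk as loss event frequency (LEF) times loss magnitude,
    with LEF = TEF x vulnerability. Each simulated year draws one value for
    each factor and approximates that year's loss as LEF x loss magnitude.
    Skipping per-event draws and the primary/secondary loss split is this
    example's simplification, not part of the FAIR standard.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(samples):
        lef = draw(rng, tef) * draw(rng, vuln)
        losses.append(lef * draw(rng, loss_magnitude))
    return losses


def summarize(losses):
    """Mean and 10th/50th/90th percentiles of the simulated annual loss."""
    ordered = sorted(losses)

    def pct(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {"mean": mean(losses), "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}


def compare_control(scenario, new_vuln):
    """Loss exposure before and after a control that changes vulnerability."""
    before = summarize(simulate_annual_loss(**scenario))
    after = summarize(simulate_annual_loss(**{**scenario, "vuln": new_vuln}))
    return before, after


# Constructed scenario (hypothetical figures): phishing-driven credential
# theft against a customer database. Loss magnitude covers response,
# downtime, notification and regulatory cost.
SCENARIO = {
    "tef": (2, 6, 12),
    "vuln": (0.10, 0.30, 0.60),
    "loss_magnitude": (20_000, 75_000, 400_000),
}

# Hypothetical vulnerability estimate after enforcing phishing-resistant MFA.
MFA_VULN = (0.02, 0.08, 0.20)

if __name__ == "__main__":
    before, after = compare_control(SCENARIO, MFA_VULN)
    for label, s in (("current controls", before), ("with MFA", after)):
        print(f"{label:17} mean={s['mean']:>10,.0f}  p10={s['p10']:>9,.0f}  "
              f"p50={s['p50']:>9,.0f}  p90={s['p90']:>9,.0f}")
```

Because the three factors are independent, the expected annual loss is the product of the three input means (roughly 6.7 events x 0.33 x 165,000, about 367,000 for the current-controls scenario). The percentiles are what a qualitative heat map cannot give: the 90th percentile tells a decision maker how bad a bad year looks, and running the same model with the post-MFA vulnerability estimate turns a control proposal into an expected-loss reduction that can be set against the control's cost.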
International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27001 (ISO 27001)
ISO 27001 provides a comprehensive approach to information security management, including requirements for information security risk assessment and risk treatment. It specifies a best-practice ISMS (information security management system) with a risk-based approach to information security risk management that addresses people, processes, and technology. The current edition is ISO/IEC 27001:2022, which supersedes the 2013 edition that older framework mappings still cite.
National Institute of Standards and Technology (NIST) Cybersecurity Framework
The NIST Cybersecurity Framework provides critical infrastructure owners and operators with standards, guidelines, and best practices to manage cybersecurity risk. Its informative references map the framework's outcomes to six source documents: NIST SP 800-53 Rev. 5, International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001:2013, Control Objectives for Information and Related Technologies 5 (COBIT 5), Center for Internet Security Critical Security Controls (CIS CSC), International Society of Automation (ISA) 62443-2-1:2009, and ISA 62443-3-3:2013.
Note that the framework is not limited to critical infrastructure owners and can be used by any organization seeking to improve its cybersecurity and resiliency; the 2024 revision (CSF 2.0) drops the critical-infrastructure framing and addresses all organizations explicitly. It also provides information to help with cybersecurity risk assessments.
National Institute of Standards and Technology (NIST) Guide for Conducting Risk Assessments
The NIST Guide for Conducting Risk Assessments (NIST Special Publication 800-30 Rev. 1) provides guidance on conducting cybersecurity risk assessments of federal information systems and organizations. Regular and ongoing risk assessments are intended to give organizational leaders a current picture of the effectiveness of their security measures. Any organization can use the guide to support cybersecurity risk assessment efforts.
National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
The NIST RMF (NIST Special Publication 800-37 Rev. 2) provides a disciplined, structured, and flexible process for managing security and privacy risk; risk assessment is one of the activities it integrates into the system development life cycle. Any organization can use the NIST RMF to support cybersecurity risk assessment efforts.
Payment Card Industry Data Security Standard (PCI DSS) Risk Assessment Guidelines
PCI DSS requires all organizations that store, process, or transmit payment card data to assess the vulnerabilities, threats, and risks to their environment, especially the cardholder data environment (CDE). Version 4.0 replaces the single annual enterprise-wide risk assessment of earlier versions with targeted risk analyses (Requirement 12.3), which must support each requirement whose frequency the organization chooses. This requirement helps organizations identify, prioritize, and manage information security risks.
System and Organization Controls 2 (SOC 2)
SOC 2 is an attestation standard developed by the American Institute of Certified Public Accountants (AICPA) to help verify that service organizations securely manage client data. A SOC 2 report is issued against the AICPA's Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. (A "Type 2" report evaluates the operating effectiveness of controls over a period, as opposed to a "Type 1" report, which describes controls at a point in time; the "2" in SOC 2 is unrelated.) SOC 2 reports are used in cybersecurity risk assessments, especially of third parties, to collect detailed information and assurance about the controls an organization operates over the systems that process users' data.
The need for cybersecurity risk assessments
No matter what size it is, any organization with IT resources (i.e., almost every organization) needs to conduct cybersecurity risk assessments. The scale and frequency will depend on the organization, but some type of cybersecurity risk assessment plan is imperative. As noted above, many resources are available to support whatever type of cybersecurity risk assessment program is deemed appropriate.