Lessons for Conducting a Computer Security Risk Assessment

As part of their security strategy, organizations should continuously assess the risks within their IT function and technology infrastructure. Vincenzo Casillo, principal at Cedar Management Consulting, explains how an IT risk assessment framework can help reduce and mitigate risk.

Information Security Risk Assessment (ISRA) is the process undertaken to identify, analyze and prioritize the risks to the availability, integrity and confidentiality of data and of the information systems that handle it. Adopting a systematic approach to information security risk management, aligned with overall enterprise risk management, is important for all organizations, and especially for those that rely heavily on IT and customer data to provide their services.

Since technology risk permeates the operations of all business functions, ISRA should be based on a holistic approach. In practice there is no one-size-fits-all model, because every business captures, assesses and addresses IT risk differently. There are, however, a few general guidelines that organizations need to follow to complete an IT risk assessment exercise successfully.

To begin with, the execution of ISRA should not be limited to cybersecurity: it should cover every threat to information, including physical damage, unauthorized actions, natural disasters, technical failures and loss of services. In brief:

  • cybersecurity threats refer to electronic threats that aim to compromise business information (for example, hackers carrying out activities of a criminal nature, such as fraudulent attacks);
  • physical threats result from physical access to, or damage to, computer resources, and may include theft, damage from fire or flood, or unauthorized access to confidential data by an employee or an outside person;
  • technical failure threats refer to software bugs, computer failures or component failures;
  • infrastructure failure threats refer to loss of connectivity or utilities that can interrupt the business;
  • human error threats are any accidental incidents caused by a person during business operations.

Given the multitude of threats, the challenge for IT risk managers in all sectors is to establish a sustainable and effective risk mitigation strategy: in other words, to achieve optimal security at a reasonable cost.

The assessment starts from the definition and maintenance of an inventory of IT assets, which defines the scope of the exercise. Although the term “IT asset” may bring hardware and software to mind first, it actually encompasses everything of value in the organization that needs protection, including IT processes, data, people and know-how. An asset that is missing from the inventory is invisible to the assessment, so the inventory must be kept current, not built once.

From this perspective, determining how critical each asset is to the business value chain is the very first step, because it allows organizations to direct their resources to the assets that need attention.

IT security assessment methodologies can be quantitative, qualitative or a mixture of both, and there are several guidelines available in the literature to drive them, mainly ISO 27005, COBIT 5, OCTAVE and NIST SP 800-39 (with NIST SP 800-30 covering the assessment step itself). The choice of model, and of how to apply it, depends mainly on the availability of data, the timetable for carrying out the exercise and the information expected in the final risk assessment report.


A quantitative assessment measures risk using monetary amounts and numerical data, including the frequency of occurrence of the risk, the value of the asset and the associated probability of loss. For example, for a server failure it would take into account the cost of the server and the revenue that depends on it, the historical record of its failures, and the estimated loss incurred with each failure.

The key calculations performed on the measured data are the single loss expectancy, SLE (the cost incurred if the incident occurs once, usually the asset value multiplied by the fraction of that value lost); the annual rate of occurrence, ARO (how many times the risk can be expected to occur in a year); and the annual loss expectancy, ALE (the total loss expected over a year, obtained as ALE = SLE × ARO).

In quantitative assessments, monetary results are the key indicators that drive risk mitigation investment towards material threats (the cases that are likely enough, or expensive enough, to hurt the business). Focusing on materiality is a key principle of effective risk strategies, and it discourages spending resources on risks with negligible impact. Cost/benefit analysis is then used to decide how much to invest: a control is worthwhile when the reduction in ALE it delivers exceeds its annual cost; otherwise the risk is better accepted or transferred.

Although quantitative measurement may seem very appealing at first, the IT risk manager should consider very carefully the availability of current and historical data (probability and cost estimates) before embarking on this approach. With a thin incident history the ARO is little more than a guess, and the precision of a monetary result can hide how uncertain its inputs are; the assumptions behind each figure should be recorded alongside it.


The second way to perform risk analysis is to use a qualitative measurement model. This approach relies on expert judgment to rank risks on a scale of likelihood of occurrence and impact, typically low, medium or high.

The cost of treatment can be rated on the same scale. Once the ratings are determined, a Risk Assessment Matrix (likelihood against impact) is created to categorize the risk level of each risk event. Such a classification helps the IT risk manager make the right decision: which risks to mitigate with controls, which to accept and which to transfer.


The third way to perform an IT risk assessment is a hybrid approach that combines elements of quantitative and qualitative analysis. Quantitative data is used to assess asset value and loss expectancy where it exists, and business stakeholders are engaged for their expert opinion where it does not. Although this approach may require more effort and time, it can result in a better understanding of the risks and better information than either method would provide on its own.
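The following worked example, added here and not taken from the article or from any of the tools it names, carries the quantitative calculations (SLE, ARO, ALE and the cost/benefit of a control), the qualitative likelihood × impact matrix, and a hybrid ranking that puts both kinds of result on one low/medium/high scale so they can be compared. The server figures, the risk appetite, the matrix cells, the ALE bands and the treatment policy are all constructed assumptions for illustration, not recommended values; an organization has to choose its own.

```python
# Added worked example (not code from the article or the tools it lists):
# quantitative SLE / ARO / ALE and cost/benefit, a qualitative 3x3 risk matrix,
# and a hybrid ranking. All figures, thresholds and the treatment policy are
# constructed assumptions chosen for illustration.
from dataclasses import dataclass
from typing import Optional

LEVELS = ("low", "medium", "high")


# --- quantitative: the three calculations the article names -------------------
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: cost of one occurrence = asset value x fraction of that value lost."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_rate_of_occurrence(incidents: int, years_observed: float) -> float:
    """ARO estimated from history: how many times per year the event occurred."""
    if years_observed <= 0:
        raise ValueError("observation window must be positive")
    return incidents / years_observed


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the loss expected over one year."""
    return sle * aro


def control_net_benefit(ale_before: float, ale_after: float, annual_control_cost: float) -> float:
    """Cost/benefit: yearly loss avoided by a control minus its yearly cost.
    Positive: the control pays for itself. Negative: accept or transfer instead."""
    return (ale_before - ale_after) - annual_control_cost


# --- qualitative: low / medium / high matrix ---------------------------------
def risk_matrix_level(likelihood: str, impact: str) -> str:
    """Assumed 3x3 matrix: multiply the 1..3 ranks, then band the 1..9 product.
    1-2 -> low, 3-4 -> medium, 6-9 -> high (an organisation may choose otherwise)."""
    score = (LEVELS.index(likelihood) + 1) * (LEVELS.index(impact) + 1)
    return "low" if score <= 2 else "medium" if score <= 4 else "high"


# --- hybrid: put a monetary ALE on the same scale as the matrix ---------------
def ale_band(ale: float, risk_appetite: float) -> str:
    """Assumed banding against the yearly loss the organisation tolerates:
    below 10% of appetite -> low, below appetite -> medium, otherwise high."""
    if ale < 0.1 * risk_appetite:
        return "low"
    return "medium" if ale < risk_appetite else "high"


def treatment(level: str, net_benefit: Optional[float]) -> str:
    """Assumed treatment policy: accept low risks; mitigate when a control is
    cost-effective; transfer (insure) when it is not; mitigate when no figures
    exist, because the matrix alone gives no argument against controls."""
    if level == "low":
        return "accept"
    if net_benefit is None or net_benefit > 0:
        return "mitigate"
    return "transfer"


@dataclass
class RiskEntry:
    name: str
    level: str
    ale: Optional[float] = None
    net_benefit: Optional[float] = None
    treatment: str = ""


def quantitative_entry(name, asset_value, exposure_factor, incidents, years,
                       control_cost, aro_after_control, risk_appetite) -> RiskEntry:
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale = annual_loss_expectancy(sle, annual_rate_of_occurrence(incidents, years))
    ale_after = annual_loss_expectancy(sle, aro_after_control)
    benefit = control_net_benefit(ale, ale_after, control_cost)
    level = ale_band(ale, risk_appetite)
    return RiskEntry(name, level, ale, benefit, treatment(level, benefit))


def qualitative_entry(name, likelihood, impact) -> RiskEntry:
    level = risk_matrix_level(likelihood, impact)
    return RiskEntry(name, level, None, None, treatment(level, None))


def assess_register(risk_appetite: float = 25_000.0) -> list:
    """Constructed register (assumed figures): a server with a failure history and
    a cheap redundancy control, a rare flood where barriers cost more than they
    save, and a risk with expert ratings only. Ranked highest level first, then ALE."""
    register = [
        quantitative_entry("application server failure", 50_000, 0.20, 3, 2.0,
                           4_000, 0.25, risk_appetite),
        quantitative_entry("server-room flood", 400_000, 0.50, 1, 50.0,
                           6_000, 0.005, risk_appetite),
        qualitative_entry("staff member falls for phishing", "high", "high"),
    ]
    return sorted(register,
                  key=lambda e: (LEVELS.index(e.level), e.ale or 0.0), reverse=True)


if __name__ == "__main__":
    for entry in assess_register():
        ale = "n/a" if entry.ale is None else f"{entry.ale:,.0f}/yr"
        print(f"{entry.level:6} {entry.name:35} ALE {ale:12} -> {entry.treatment}")
```

With the assumed inputs the server failure has SLE 10,000, ARO 1.5 and ALE 15,000; redundancy at 4,000 a year cuts the ALE to 2,500, so the control nets 8,500 a year and the risk is mitigated. The flood has an ALE of 4,000, but barriers at 6,000 a year only save 3,000, so that risk is transferred to insurance, which is the decision the matrix alone could not have justified.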

Once the risks have been identified, assessed and prioritized, they must be treated. If a risk cannot be removed or reduced to an acceptable level, the impact of potential incidents can be offset, for example by establishing procedures for detecting problems early or by taking out insurance against the cost of security breaches. Whatever the decision, it should be recorded with its rationale, so that an accepted risk is revisited when the assets or threats behind it change.

Establishing an effective IT risk assessment is certainly no short journey in terms of the time and effort required to build the approach and to keep the model applied consistently; however, automated and configurable tools can help IT risk managers run the exercise effectively.

There are several IT risk management suites on the market. Some of these include: “Archer IT Security and Risk Management” from RSA, “Highbond” from Galvanize, “ServiceNow Governance Risk and Compliance” from ServiceNow, “Lockpath” from NAVEX Global, “Metricstream IT Risk Management” from Metricstream, “OpenPages” by IBM, “Insight Risk Management” by Allgress and “OneTrust IT & Security Risk Management” by OneTrust.

IT risk management tools typically offer a basic suite of applications: a centralized controls library that maps controls to processes, risks and regulations; a self-assessment and testing module that allows users to plan and design self-assessments and control tests with predefined questionnaires and surveys; a remediation module where deficiencies are identified, documented and tracked through to resolution; graphical dashboards and reports with charts and test results; and a configurable risk scoring methodology, that is, the ability to adjust the values and ranges of a custom risk measure.

The most advanced solutions also leverage intelligent process automation to connect enterprise data and maintain a live data ecosystem, integrating data sources into business applications and processes and thereby reducing the effort of data collection during the evaluation phase.

In conclusion

IT risk assessment is a complex, organization-wide exercise that needs to be carefully planned and thought out. Its effectiveness depends on how well the risk model fits the business and on its ability to quickly identify, report and address key risks. Leveraging IT risk assessment tools is an opportunity to standardize assessments and ensure thorough and systematic application of the IT risk management model.
