Cybersecurity risk assessments are an essential element of any information security program. But, as the technology landscape continues to evolve, ensuring your company’s data isn’t vulnerable to a potential threat has become slightly more complicated.

So, how do you get a comprehensive evaluation of your company’s vulnerability level? And, where do you start? Let’s look at some answers to these questions.

6 Essential Steps for an Effective Cybersecurity Risk Assessment

A great resource for learning how risk assessments are performed is the National Institute of Standards and Technology’s Guide for Conducting Risk Assessments. NIST SP 800-30 Rev. 1 outlines these six steps for an effective cybersecurity risk assessment:

1. Identify Threat Sources

The first step to an effective risk assessment is to identify and characterize threat sources. Some examples of the categories included are “Adversarial Threats” (e.g., hostile nation-states and organized crime groups) and “Environmental Threats” (e.g., hurricanes and earthquakes). Several organizations, such as CMS, BSI, and ENISA, publish comprehensive threat catalogues.

2. Identify Threat Events

The second step is identifying potential threat events, assessing their relevance, and correlating them with the appropriate threat sources. A few examples are phishing attacks, session hijacking, and forced physical entry, which is good, old-fashioned breaking and entering.

3. Identify Vulnerabilities

After identifying threat events, organizations must identify vulnerabilities and predisposing conditions that affect the likelihood that threat events will result in loss. NIST 800-30 helps by providing a taxonomy of predisposing conditions and some sample scales for rating vulnerability severity in Appendix F. Organizations should consider conducting a current-state analysis against a security framework. Example frameworks include NIST CSF, NIST SP 800-171, NIST 800-53, COBIT, and the ISO 27000 series. It is also recommended that organizations conduct a technical penetration test to identify vulnerabilities.

4. Determine the Likelihood of Exploitation

The fourth step involves determining the likelihood of the selected threat events resulting in a loss. This is a fairly involved process, with at least three sub-steps needed to arrive at a solid end result. Appendix G of NIST 800-30 contains all the information needed to complete the step.

5. Determine Probable Impact

This step is focused on determining the most likely impact of a loss event. Again, the steps are fairly involved, but detailed guidance is contained in Appendix H of NIST 800-30.

6. Calculate Risk as Combination of Likelihood and Impact

The last step in a risk assessment is to combine the likelihood and impact values calculated in steps 4 and 5 to arrive at a risk value. NIST 800-30 provides detail on how to use a 9-block matrix to accomplish this in Appendix I.
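A worked example, added here and not taken from the article or from NIST, that carries the six steps through in code: a constructed register of threat events (each with a source, a vulnerability, two Appendix G-style sub-likelihoods, and an impact level) is scored with an assumed 3x3 (9-block) likelihood-by-impact matrix and ranked. The matrix cells, the three-level scales, and the rule for combining the two sub-likelihoods are assumptions for illustration, not NIST's own tables.

```python
"""Toy NIST SP 800-30 style risk register: likelihood x impact -> risk level."""
from dataclasses import dataclass

# Assumed three-level scales, giving the 3x3 (9-block) matrix the article mentions.
LEVELS = ("Low", "Moderate", "High")

# Assumed risk level for each (likelihood, impact) cell; not NIST's Appendix I table.
RISK_MATRIX = {
    ("Low", "Low"): "Low", ("Low", "Moderate"): "Low", ("Low", "High"): "Moderate",
    ("Moderate", "Low"): "Low", ("Moderate", "Moderate"): "Moderate", ("Moderate", "High"): "High",
    ("High", "Low"): "Moderate", ("High", "Moderate"): "High", ("High", "High"): "High",
}

@dataclass
class ThreatEvent:
    name: str            # step 2: threat event
    source: str          # step 1: threat source
    vulnerability: str   # step 3: vulnerability or predisposing condition
    initiation: str      # step 4: likelihood the event is initiated (Appendix G style)
    adverse_impact: str  # step 4: likelihood it causes adverse impact once initiated
    impact: str          # step 5: probable impact level

def overall_likelihood(initiation: str, adverse_impact: str) -> str:
    """Combine the two sub-likelihoods. Assumed rule: take the lower of the two,
    since an event that is rarely initiated or rarely succeeds is an unlikely loss."""
    return LEVELS[min(LEVELS.index(initiation), LEVELS.index(adverse_impact))]

def risk_level(event: ThreatEvent) -> str:
    """Step 6: look up the matrix cell for overall likelihood and impact."""
    likelihood = overall_likelihood(event.initiation, event.adverse_impact)
    return RISK_MATRIX[(likelihood, event.impact)]

def risk_register(events: list) -> list:
    """Return (name, likelihood, impact, risk) rows, highest risk first (stable order)."""
    rows = [(e.name, overall_likelihood(e.initiation, e.adverse_impact),
             e.impact, risk_level(e)) for e in events]
    return sorted(rows, key=lambda r: LEVELS.index(r[3]), reverse=True)

# Constructed sample events built from the article's own examples; values are illustrative.
SAMPLE_EVENTS = [
    ThreatEvent("Phishing attack", "Adversarial: organized crime", "No MFA on email",
                "High", "Moderate", "High"),
    ThreatEvent("Session hijacking", "Adversarial: nation-state", "Long-lived session tokens",
                "Moderate", "Low", "Moderate"),
    ThreatEvent("Forced physical entry", "Adversarial: criminal", "Unmonitored server room door",
                "Low", "High", "High"),
    ThreatEvent("Hurricane", "Environmental", "Single data-center site",
                "Low", "High", "High"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_EVENTS):
        print("%-22s likelihood=%-8s impact=%-8s risk=%s" % row)
```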

Want a Way to Automate the Process?

One of the most difficult aspects of risk assessments is managing the process. Although the technology landscape has evolved, many companies still rely on manual processes and Excel spreadsheets to manage the risk assessment process.

As cybersecurity advisors, we noticed the painstaking processes companies were using to manage their risk assessments, and we decided to create a solution to help eliminate the headache of writing reports once an assessment is complete.

BALLAST is risk assessment software we created to help companies manage risk assessments. Through BALLAST, you can generate a polished report suitable for auditors or executives with a single click. We also leverage the assessment methodology contained in NIST 800-30 and have optimized BALLAST so that you can perform and track hundreds of assessments for different assets or vendors.

To learn more about how LBMC Information Security can help you fully understand your risks or how BALLAST can help you manage the risk assessment process, contact our team today.