A great resource for learning how risk assessments are performed is the National Institute of Standards and Technology's Guide for Conducting Risk Assessments, NIST SP 800-30 Rev. 1. It outlines these six steps for an effective cybersecurity risk assessment:
1. Identify Threat Sources
The first step to an effective risk assessment is to identify and characterize threat sources. Among the categories NIST describes are "Adversarial Threats" (e.g. hostile nation-states and organized crime groups) and "Environmental Threats" (e.g. hurricanes and earthquakes). Several organizations, such as CMS, BSI, and ENISA, publish comprehensive threat catalogues that can seed this step.
2. Identify Threat Events
The second step is identifying potential threat events, assessing their relevance to the organization, and correlating them with the appropriate threat sources. A few examples are phishing attacks, session hijacking, and forced physical entry (good, old-fashioned breaking and entering).
3. Identify Vulnerabilities
After identifying threat events, organizations must identify vulnerabilities and predisposing conditions affecting the likelihood that threat events will result in loss. NIST 800-30 helps by providing a taxonomy of predisposing conditions and some sample scales for establishing vulnerability in Appendix F. Organizations should consider conducting a current state analysis against a security framework. Example frameworks include NIST CSF, NIST SP 800-171, NIST 800-53, COBIT, and the ISO 27000 Series. It is also recommended that organizations conduct a technical penetration test to identify vulnerabilities.
4. Determine the Likelihood of Exploitation
The fourth step involves determining the likelihood that the selected threat events result in a loss. This is a fairly involved process with at least three sub-steps needed to arrive at a solid end result. Appendix G of NIST 800-30 contains all the information needed to complete the step.
5. Determine Probable Impact
This step is focused on determining the most likely impact of a loss event. Again, the steps are fairly involved, but detailed guidance is contained in Appendix H of NIST 800-30.
6. Calculate Risk as Combination of Likelihood and Impact
The last step in a risk assessment is to combine the likelihood and impact values calculated in steps 4 and 5 to arrive at a risk value. NIST 800-30 provides detail on how to use a 9-block matrix to accomplish this in Appendix I.
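Steps 4 through 6 above form one procedure: derive an overall likelihood from its sub-step inputs, pair it with the probable impact, and read the risk level off a matrix. The following is an added example that is not from the article or from NIST SP 800-30; it uses a 3x3 (nine-block) matrix whose cell values are an assumption chosen for illustration, combines the two likelihood sub-steps by taking the lower of the two (also an assumption; an assessment team would use the combination table in Appendix G), and scores three constructed threat events drawn from the examples the article mentions.

```python
"""Worked example: combining likelihood and impact into a risk level.

Illustrative code only. The matrix values, the likelihood-combination rule and
the sample threat events are all constructed for this example and are not
NIST's own tables or values.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Qualitative scale used for likelihood, impact and risk alike."""
    LOW = 0
    MODERATE = 1
    HIGH = 2


# Assumed nine-block matrix, indexed RISK_MATRIX[likelihood][impact].
# Higher likelihood or higher impact never lowers the resulting risk.
RISK_MATRIX = {
    Level.LOW: {
        Level.LOW: Level.LOW, Level.MODERATE: Level.LOW, Level.HIGH: Level.MODERATE,
    },
    Level.MODERATE: {
        Level.LOW: Level.LOW, Level.MODERATE: Level.MODERATE, Level.HIGH: Level.HIGH,
    },
    Level.HIGH: {
        Level.LOW: Level.MODERATE, Level.MODERATE: Level.HIGH, Level.HIGH: Level.HIGH,
    },
}


@dataclass(frozen=True)
class ThreatEvent:
    name: str
    source: str                      # threat source identified in step 1
    likelihood_initiation: Level     # step 4: event is initiated / occurs
    likelihood_adverse_impact: Level # step 4: once initiated, it causes harm
    impact: Level                    # step 5: probable impact of the loss


def overall_likelihood(initiation: Level, adverse_impact: Level) -> Level:
    """Step 4, final sub-step: combine the two likelihoods.

    Assumption for this example: the overall likelihood is the lower of the
    two. An event that is often attempted but rarely does harm, or that would
    do harm but is rarely attempted, is not a high-likelihood loss event.
    """
    return min(initiation, adverse_impact)


def risk_level(likelihood: Level, impact: Level) -> Level:
    """Step 6: look up the combination in the nine-block matrix."""
    return RISK_MATRIX[likelihood][impact]


def assess(events):
    """Score every event and return a risk register sorted highest risk first.

    Each row is (event name, overall likelihood, impact, risk level).
    """
    rows = []
    for ev in events:
        lk = overall_likelihood(ev.likelihood_initiation, ev.likelihood_adverse_impact)
        rows.append((ev.name, lk, ev.impact, risk_level(lk, ev.impact)))
    return sorted(rows, key=lambda r: (r[3], r[1], r[2]), reverse=True)


# Constructed sample events; the ratings are invented for illustration.
SAMPLE_EVENTS = [
    ThreatEvent("phishing attack", "organized crime group",
                Level.HIGH, Level.MODERATE, Level.HIGH),
    ThreatEvent("hurricane", "environmental",
                Level.LOW, Level.HIGH, Level.HIGH),
    ThreatEvent("forced physical entry", "individual criminal",
                Level.LOW, Level.MODERATE, Level.MODERATE),
]


def sample_register():
    """Convenience wrapper so the sample run can be inspected or tested."""
    return assess(SAMPLE_EVENTS)


if __name__ == "__main__":
    for name, lk, imp, risk in sample_register():
        print(f"{name:<22} likelihood={lk.name:<9} impact={imp.name:<9} risk={risk.name}")
```

Running the module prints the register with the phishing event ranked highest: its initiation likelihood is high, but the lower adverse-impact likelihood pulls the overall likelihood down to moderate, and moderate likelihood paired with high impact still reads as high risk in the assumed matrix. The hurricane lands at moderate risk because its likelihood of occurrence is low even though its impact is high, which is exactly the sort of distinction the separate sub-steps in Appendix G are meant to surface.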