How to Do a Security Risk Assessment
A security risk assessment answers a question every organization eventually has to face: what could go wrong, how bad would it be, and what should we do about it first. Done well, it turns a vague sense of unease into a ranked list of risks and a plan for each one. Done badly, it becomes a spreadsheet nobody reads.
The process is more methodical than mysterious. You work from what you have, to what could harm it, to how much it would cost, to what you will do.
The process, step by step
Each step builds on the last. You cannot judge a threat without knowing the asset it targets, you cannot rate a vulnerability without knowing which threat would exploit it, and you cannot prioritize without scoring likelihood and impact. The order is the method.
- Identify assets: what you have, and what it is worth to you.
- Identify threats: who or what could harm each asset.
- Identify vulnerabilities: the weaknesses a threat could use to reach the asset.
- Assess likelihood and impact: how probable the event is, and how much it would cost.
- Calculate and rank the risk: combine the scores and order the list, highest first.
- Decide on a treatment: for each risk, what you will do, with a named owner.
Deciding what to do about each risk
Identifying risk is only half the job. The point of the assessment is the decision at the end: for each risk, you choose one of four responses, and you document why.
| Treatment option | What it means |
|---|---|
| Avoid | Eliminate the risk by stopping the activity or system that creates it. The only response that reduces the risk to zero, and rarely feasible, because the activity usually exists for a reason. |
| Mitigate | Apply controls that reduce the likelihood or the impact until the remaining (residual) risk is tolerable. The most common, proactive response. |
| Transfer | Shift the financial burden to another party, most often through cyber liability insurance. The loss is paid by someone else; the incident, and the accountability for it, are still yours. |
| Accept | Acknowledge the risk and apply no further control, the right call when the cost of a control exceeds the potential loss. |
[[INSIGHT: Accepting a risk is not the same as ignoring it. The difference is a decision on the record. An accepted risk has an owner, a reason, and a number behind it. An ignored risk just waits.]]
Key takeaways
- A risk assessment moves from assets, to threats, to vulnerabilities, to likelihood and impact.
- Risk combines threat, vulnerability, and impact, then gets ranked highest to lowest.
- Every risk gets one of four treatments: avoid, mitigate, transfer, or accept.
- Accept a risk when the cost of the control exceeds the potential loss.
- The deliverable is a ranked list with an owner and a decision for each risk.
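As an added worked example, not code from the original article, the Python below turns the step-by-step process and the treatment decision into a small risk register: each constructed risk is scored as likelihood x impact, ranked highest to lowest, and given one of the four treatments with an owner and a recorded reason. The 1-5 scales, the level bands, the decision order, and the sample assets, owners and figures are all assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed 1-5 ordinal scales for this example. Scoring likelihood x impact is the
# practical form of Risk = Threat x Vulnerability x Impact: a capable threat meeting
# an exploitable vulnerability is what makes an event likely; impact is scored directly.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Assumed bands turning the 1-25 product into a level; tune to the organization's appetite.
BANDS = [(15, "critical"), (8, "high"), (4, "medium"), (1, "low")]
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str                        # key of LIKELIHOOD
    impact: str                            # key of IMPACT
    owner: str                             # every risk, accepted or not, has a named owner
    potential_loss: float                  # estimated loss if the risk materialises
    control_cost: Optional[float] = None   # cheapest adequate control; None if no control exists
    transferable: bool = False             # can the financial burden be shifted, e.g. insured?
    avoidable: bool = False                # can the activity that creates the risk be stopped?


def score(risk: Risk) -> int:
    """Likelihood x impact on the assumed scales, 1..25."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def level(s: int) -> str:
    """Map a score onto a level using the assumed bands."""
    for floor, name in BANDS:
        if s >= floor:
            return name
    raise ValueError(f"score out of range: {s}")


def treat(risk: Risk, tolerance: str = "low") -> tuple[str, str]:
    """Choose one of the four treatments and the reason that goes on the record.

    The decision order is an assumption for the example: accept within tolerance,
    mitigate when a control is cheaper than the loss, otherwise transfer, otherwise
    avoid, and as the last resort accept with the cost comparison documented.
    """
    lvl = level(score(risk))
    cost = "no control available" if risk.control_cost is None else f"control {risk.control_cost:,.0f}"
    loss = f"potential loss {risk.potential_loss:,.0f}"
    if RANK[lvl] <= RANK[tolerance]:
        return "accept", f"{lvl} risk is within tolerance ({tolerance})"
    if risk.control_cost is not None and risk.control_cost <= risk.potential_loss:
        return "mitigate", f"{cost} is below {loss}"
    if risk.transferable:
        return "transfer", f"{cost} exceeds {loss}; insurable, so shift the financial burden"
    if risk.avoidable:
        return "avoid", f"{cost} exceeds {loss}; not insurable, so stop the activity"
    return "accept", f"{cost} exceeds {loss}; no transfer or avoidance available"


def build_register(risks: list[Risk], tolerance: str = "low") -> list[dict]:
    """Score every risk, rank highest first, and attach owner, treatment and reason."""
    rows = []
    for r in risks:
        s = score(r)
        treatment, reason = treat(r, tolerance)
        rows.append({"asset": r.asset, "threat": r.threat, "score": s, "level": level(s),
                     "owner": r.owner, "treatment": treatment, "reason": reason})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample risks: fictional assets, owners and figures, deliberately unsorted.
SAMPLE = [
    Risk("lobby display screen", "defacement", "default admin password",
         "unlikely", "negligible", "facilities", potential_loss=500, control_cost=200),
    Risk("customer database", "SQL injection by an external attacker",
         "unparameterised queries in a legacy API", "likely", "severe", "app-sec lead",
         potential_loss=2_000_000, control_cost=60_000),
    Risk("legacy FTP server", "credential sniffing on the wire", "plaintext protocol",
         "possible", "moderate", "infra lead", potential_loss=40_000, control_cost=90_000,
         avoidable=True),
    Risk("office laptops", "theft of a device", "no full-disk encryption on 30 laptops",
         "possible", "major", "IT manager", potential_loss=250_000, control_cost=5_000),
    Risk("internal wiki", "exposure of low-value notes", "overly broad read access",
         "possible", "minor", "knowledge manager", potential_loss=8_000, control_cost=20_000),
    Risk("payment processing", "ransomware outage", "single-region deployment",
         "unlikely", "severe", "CTO", potential_loss=5_000_000, control_cost=8_000_000,
         transferable=True),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(f"{row['score']:>2} {row['level']:<8} {row['treatment']:<8} "
              f"{row['asset']:<22} owner={row['owner']} :: {row['reason']}")
```

Running it prints the ranked register. The internal wiki row is the accept case the article describes, with the control cost and the potential loss both on the record, and the payment processing row shows transfer chosen only after the available control proved more expensive than the loss it would prevent.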
Frequently asked questions
What are the steps of a security risk assessment?
Identify assets, identify threats, identify vulnerabilities, assess likelihood and impact, calculate and rank the risk, then decide how to treat each one with appropriate controls.
How is risk calculated?
Conceptually, risk is the combination of threat, vulnerability, and impact, often written as Risk = Threat x Vulnerability x Impact: remove any one factor and the risk goes away. That formula is a way of thinking, not arithmetic. In practice you score likelihood (which captures threat and vulnerability together) and impact on simple ordinal scales, combine them into a risk level, and use that level to rank. The scores order risks against each other; they do not measure loss in money.
What are the four ways to treat a risk?
Avoid it by stopping the activity, mitigate it with controls, transfer it through insurance, or accept it when the cost of treatment exceeds the potential loss.
When should you accept a risk?
When the cost of mitigating it is higher than the loss the risk represents. Acceptance is a legitimate, documented business decision, not a failure to act.