Watch: The Risk Assessment: An Underutilized Cybersecurity Tool

Date March 22, 2023
Highlights of the March 22, 2023, HBK Risk Advisory Services webinar hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director

The webinar opens by defining terms associated with risk assessment:

  • Risk – the combination of the probability of an event and its consequence (Risk is not necessarily bad, as taking a risk can produce a positive outcome.)
  • Asset – something of either tangible or intangible value (e.g., your company’s reputation, or the money in your bank account) that is worth protecting
  • Threat – something that can act against an asset in a manner that can cause harm
  • Vulnerability – a weakness in the design, implementation, operation, or internal control of a process that could expose the system to adverse threats from threat events (One of the weakest links in any business is its employees.)
  • Residual risk – remaining risk after the implementation of a risk response (You can’t protect against all risks.)
  • Inherent risk – the level of risk present without taking into account the actions that were or could be taken for mitigation

    Why do a risk assessment?

  • To satisfy a regulatory requirement
  • To reduce operational risk: You need to understand what your risks are.
  • To improve safety performance
  • To improve the probability of achieving organizational objectives

    Steps to take if you decide to do a risk assessment (ISO 27001 steps)

    Establish a framework

  • Conduct assessments at regular intervals.
  • Make sure your process is consistent so you can repeat it.
  • Retain documentation regarding the process.
  • Establish baseline security criteria.
  • There are two approaches to assessments: asset-based (the more logical approach) and scenario-based.
  • Build an asset-based register: Compile an asset inventory list (desktops, laptops, printers, etc.) and include each asset’s owner and risk owner.
  • Identify the risks: add threats and vulnerabilities for each inventory item.

    Analyze risk: determine risk appetite and scale and do a calculation, which is: risk equals impact multiplied by likelihood.

    Evaluate risks: the score each risk receives on the scale indicates the level of damage it could cause and gives you a picture of what needs to be addressed.

    Put controls in place:

  • Security awareness training
  • Vulnerability management
  • Security log monitoring
  • The two biggest steps to stay ahead of hackers: train your employees and patch your systems.

    Apply Risk Management Options

  • Risk reduction: implement controls or countermeasures to reduce the likelihood or impact of a risk to acceptable levels. Keep in mind that you will not be able to get to zero risk.
  • Risk avoidance: implement controls or countermeasures to reduce the likelihood or impact of a risk to acceptable levels.
  • Risk transfer or sharing: contract with a third party to share risk via a contractual agreement, or buy a cybersecurity insurance policy (carriers want risk assessments).
  • Risk acceptance: assume the risk and plan to absorb the loss, if the risk is within tolerance or the cost of the mitigation is more than the potential loss.
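The steps summarized above (asset register, threats and vulnerabilities per asset, risk = impact × likelihood, evaluation against a risk appetite, and the choice among reduction, avoidance, transfer and acceptance) can be worked through in code. The following is an added example written for this summary, not code from the webinar or from HBK; the 1–5 scale, the risk appetite of 8, the decision rules in `choose_treatment`, and the sample assets are all constructed for illustration.

```python
# Added example (not from the webinar or HBK): a small asset-based risk
# register that walks the steps summarized above. The 1-5 scale, the risk
# appetite, the treatment rules and the sample assets are constructed.
from dataclasses import dataclass, field
from typing import List

SCALE_MIN, SCALE_MAX = 1, 5  # constructed scale used for both impact and likelihood


def clamp(value: int) -> int:
    """Keep a score inside the scale after a control lowers it."""
    return max(SCALE_MIN, min(SCALE_MAX, value))


@dataclass
class Control:
    """A control or countermeasure and how many scale points it removes."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One row of the register: an asset, its risk owner, a threat/vulnerability pair and scores."""
    asset: str
    risk_owner: str
    threat: str
    vulnerability: str
    impact: int
    likelihood: int
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for score in (self.impact, self.likelihood):
            if not SCALE_MIN <= score <= SCALE_MAX:
                raise ValueError(f"score {score} is outside the {SCALE_MIN}-{SCALE_MAX} scale")

    @property
    def inherent_risk(self) -> int:
        """Risk before any mitigation is considered: impact x likelihood."""
        return self.impact * self.likelihood

    @property
    def residual_risk(self) -> int:
        """Risk remaining after the listed controls are applied (never reaches zero)."""
        likelihood = clamp(self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        impact = clamp(self.impact - sum(c.impact_reduction for c in self.controls))
        return impact * likelihood


def choose_treatment(risk: Risk, appetite: int, mitigation_cost: float, potential_loss: float) -> str:
    """Map a risk to a management option.

    Decision rules are an assumption made for this example: accept when the
    inherent score is already within appetite or the mitigation costs more
    than the loss it prevents; reduce when the controls bring the residual
    score within appetite; otherwise transfer (insurance, third party) or avoid.
    """
    if risk.inherent_risk <= appetite:
        return "accept"
    if mitigation_cost > potential_loss:
        return "accept"
    if risk.residual_risk <= appetite:
        return "reduce"
    return "transfer-or-avoid"


def prioritized(register: List[Risk]) -> List[Risk]:
    """Evaluate step: highest inherent score first, so the worst potential damage is addressed first."""
    return sorted(register, key=lambda r: r.inherent_risk, reverse=True)


# Constructed sample register (hypothetical assets, owners and scores).
REGISTER = [
    Risk("finance laptop", "CFO", "phishing", "untrained staff", impact=4, likelihood=5,
         controls=[Control("security awareness training", likelihood_reduction=2)]),
    Risk("customer database", "IT manager", "ransomware", "unpatched server", impact=5, likelihood=4,
         controls=[Control("vulnerability management / patching", likelihood_reduction=3)]),
    Risk("lobby printer", "office manager", "misuse", "default password", impact=1, likelihood=3),
]

if __name__ == "__main__":
    for r in prioritized(REGISTER):
        action = choose_treatment(r, appetite=8, mitigation_cost=1_000, potential_loss=50_000)
        print(f"{r.asset:18} inherent={r.inherent_risk:2} residual={r.residual_risk:2} -> {action}")
```

Running the script lists the register highest inherent score first; the database drops within appetite once patching is applied (reduce), the laptop stays above appetite with training alone (transfer or avoid), and the printer is accepted outright. The `clamp` call is what keeps residual risk from ever reaching zero, matching the point that you cannot protect against all risks.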

    What action should you take?

  • Develop a risk assessment policy, a game plan that requires an annual assessment.
  • Build your asset register.
  • Determine your threats and vulnerabilities. Consult information that keeps tabs on current threats.
  • Conduct your risk assessment.
  • Risk treatment plan: put controls in place to mitigate your most significant risks as much as possible.
  • Speak to one of our professionals about your organizational needs