Watch: The Risk Assessment: An Underutilized Cybersecurity Tool

Highlights of the March 22, 2023, HBK Risk Advisory Services webinar hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director


The webinar opens by defining terms associated with risk assessment:

  • Risk – the combination of the probability of an event and its consequence (Risk is not necessarily bad, as taking a risk can produce a positive outcome.)
  • Asset – something of either tangible or intangible value (e.g., your company’s reputation, or the money in your bank account) that is worth protecting
  • Threat – something that can act against an asset in a manner that can cause harm
  • Vulnerability – a weakness in the design, implementation, operation, or internal control of a process that could expose the system to adverse threats from threat events (One of the weakest links in any business is its employees.)
  • Residual risk – remaining risk after the implementation of a risk response (You can’t protect against all risks.)
  • Inherent risk – the level of risk present without taking into account the actions that were or could be taken for mitigation

    Why do a risk assessment?

  • To satisfy a regulatory requirement
  • To reduce operational risk: You need to understand what your risks are.
  • To improve safety performance
  • To improve the probability of achieving organizational objectives

    Steps to take if you decide to do a risk assessment (ISO 27001 steps)

    Establish a framework

  • Conduct assessments at regular intervals.
  • Make sure your process is consistent so you can repeat it.
  • Retain documentation regarding the process.
  • Establish baseline security criteria.
  • There are two approaches to assessments: asset based (the more logical approach) and scenario based.
  • Build an asset-based register: Compile an asset inventory list (desktops, laptops, printers, etc.) and include each asset’s owner and risk owner.
  • Identify the risks: add threats and vulnerabilities for each inventory item.

    Analyze risk: determine risk appetite and scale and do a calculation, which is: risk equals impact multiplied by likelihood.

    Evaluate risks: the number on the scale that refers to the level of damage that can be done gives you a picture of what needs to be addressed.

    Put controls in place:

  • Security awareness training
  • Vulnerability management
  • Security log monitoring
  • The two biggest steps to stay ahead of hackers: train your employees and patch your systems.

    Apply risk management options

  • Risk reduction: implement controls or countermeasures to reduce the likelihood or impact of a risk to acceptable levels. Keep in mind that you will not be able to get to zero risk.
  • Risk avoidance: implement controls or countermeasures to reduce the likelihood or impact of a risk to acceptable levels.
  • Risk transfer or sharing: contract with a third party to share risk via a contractual agreement, or buy a cybersecurity insurance policy (carriers want risk assessments).
  • Risk acceptance: assume the risk and plan to absorb the loss, if the risk is within tolerance or the cost of the mitigation is more than the potential loss.
    What action should you take?

  • Develop a risk assessment policy, a game plan that requires an annual assessment.
  • Build your asset register.
  • Determine your threats and vulnerabilities. Consult information that keeps tabs on current threats.
  • Conduct your risk assessment.
  • Risk treatment plan: put controls in place to mitigate your most vulnerable risks as much as possible.
    About the Author(s)
    Bill Heaven is a senior director in HBK’s IT Department. He specializes in cybersecurity, IT security, external IT audit, internal IT audit, IT consulting, software development, IT governance, PCI-DSS, supply chain, system implementations, and e-commerce. You can reach Bill at 330.758.8613, or by email at
    Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.