Watch: The Risk Assessment: An Underutilized Cybersecurity Tool

Date March 22, 2023

Highlights of the March 22, 2023, HBK Risk Advisory Services webinar hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director.


The webinar opens by defining terms associated with risk assessment:

  • Risk – the combination of the probability of an event and its consequence (Risk is not necessarily bad: taking a risk can produce a positive outcome.)
  • Asset – something of either tangible or intangible value (e.g., your company’s reputation, or the money in your bank account) that is worth protecting
  • Threat – something that can act against an asset in a manner that can cause harm
  • Vulnerability – a weakness in the design, implementation, operation, or internal control of a process that could expose the system to adverse threats from threat events (One of the weakest links in any business is its employees.)
  • Residual risk – remaining risk after the implementation of a risk response (You can’t protect against all risks.)
  • Inherent risk – the level of risk present without taking into account the actions that were or could be taken for mitigation

    Why do a risk assessment?

  • To satisfy a regulatory requirement
  • To reduce operational risk: You need to understand what your risks are.
  • To improve safety performance
  • To improve the probability of achieving organizational objectives

    Steps to take if you decide to do a risk assessment (ISO 27001 steps)

    Establish a framework

  • Conduct assessments at regular intervals.
  • Make sure your process is consistent so you can repeat it.
  • Retain documentation regarding the process.
  • Establish baseline security criteria.
  • There are two approaches to assessments: asset-based (the more logical approach) and scenario-based.
  • Build an asset-based register: Compile an asset inventory list (desktops, laptops, printers, etc.) and include each asset’s owner and risk owner.
  • Identify the risks: add threats and vulnerabilities for each inventory item.

    Analyze risk: determine risk appetite and scale and do a calculation, which is: risk equals impact multiplied by likelihood.

    Evaluate risks: the number on the scale that refers to the level of damage that can be done gives you a picture of what needs to be addressed.

    Put controls in place:

  • Security awareness training
  • Vulnerability management
  • Security log monitoring
  • Two biggest steps to stay ahead of hackers: Make sure you train your employees and patch your systems.

    Apply Risk Management Options

  • Risk reduction: implement controls or countermeasures to reduce the likelihood or impact of a risk to acceptable levels. Keep in mind that you will not be able to get to zero risk.
  • Risk avoidance: implement controls or countermeasures to reduce the likelihood or impact of a risk to acceptable levels.
  • Risk transfer or sharing: contract with a third party to share risk via a contractual agreement, or buy a cybersecurity insurance policy (carriers want risk assessments).
  • Risk acceptance: assume the risk and plan to absorb the loss, if the risk is within tolerance or the cost of the mitigation is more than the potential loss.
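The analysis and evaluation steps above (risk = impact × likelihood, compared against a risk appetite) and the treatment options that follow them are easier to see on a concrete register. The example below is added here and is not material from the HBK webinar: a small asset-based register that scores each asset/threat/vulnerability row, flags rows above the appetite, and records the residual risk left after a treatment. The 1–5 scale, the appetite of 6, the rating bands and every register row are constructed assumptions for illustration.

```python
"""Added example (not from the HBK webinar): a toy asset-based risk register that
applies risk = impact x likelihood, rates entries against a risk appetite, and
tracks residual risk after a treatment option. Scale, appetite, bands and all
register rows are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

SCALE_MAX = 5          # impact and likelihood are both scored 1..5 (assumption)
RISK_APPETITE = 6      # any score above this must be treated (assumption)


def score(impact: int, likelihood: int) -> int:
    """Risk = impact x likelihood, after checking both inputs sit on the agreed scale."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if not 1 <= value <= SCALE_MAX:
            raise ValueError(f"{name} must be between 1 and {SCALE_MAX}, got {value}")
    return impact * likelihood


def band(risk_score: int) -> str:
    """Coarse rating so the register can be read at a glance (thresholds assumed)."""
    if risk_score > 12:
        return "high"
    if risk_score > RISK_APPETITE:
        return "medium"
    return "low"


@dataclass
class RiskEntry:
    asset: str
    asset_owner: str
    risk_owner: str
    threat: str
    vulnerability: str
    impact: int
    likelihood: int
    treatment: str = "accept"        # accept | reduce | transfer
    control: str = ""                # control or countermeasure applied
    residual_impact: Optional[int] = None
    residual_likelihood: Optional[int] = None

    def inherent(self) -> int:
        """Inherent risk: the score before any mitigation is considered."""
        return score(self.impact, self.likelihood)

    def residual(self) -> int:
        """Residual risk: the score after the chosen treatment. Accepting a risk
        changes nothing; reducing or transferring it needs re-scored inputs."""
        if self.treatment == "accept":
            return self.inherent()
        if self.treatment in ("reduce", "transfer"):
            if self.residual_impact is None or self.residual_likelihood is None:
                raise ValueError(f"{self.asset}: {self.treatment} needs residual scores")
            return score(self.residual_impact, self.residual_likelihood)
        raise ValueError(f"{self.asset}: unknown treatment {self.treatment!r}")


def above_appetite(register, appetite=RISK_APPETITE, residual=False):
    """Entries whose inherent (or residual) score exceeds the appetite, worst first."""
    key = (lambda e: e.residual()) if residual else (lambda e: e.inherent())
    hits = [e for e in register if key(e) > appetite]
    return sorted(hits, key=key, reverse=True)


# Constructed sample register: one row per asset/threat/vulnerability combination.
SAMPLE_REGISTER = [
    RiskEntry("Staff email", "IT", "CISO", "Phishing", "Untrained employees", 4, 5,
              "reduce", "Security awareness training", 4, 2),
    RiskEntry("File server", "IT", "CISO", "Ransomware", "Unpatched OS", 5, 4,
              "reduce", "Patch management and offline backups", 3, 2),
    RiskEntry("Laptops", "IT", "Office manager", "Theft", "Unencrypted disks", 4, 3,
              "reduce", "Full-disk encryption", 1, 3),
    RiskEntry("Company reputation", "CEO", "CEO", "Public data breach",
              "No incident response retainer", 5, 2,
              "transfer", "Cyber insurance policy", 2, 2),
    RiskEntry("Shared printer", "Facilities", "Office manager", "Paper jam",
              "Old hardware", 1, 2, "accept"),
]


def print_register(register, appetite=RISK_APPETITE):
    """Worst inherent risk first; '*' marks rows still above appetite after treatment."""
    print(f"{'asset':<20}{'inherent':>12}{'residual':>12}  treatment")
    for e in sorted(register, key=lambda e: e.inherent(), reverse=True):
        flag = " *" if e.residual() > appetite else ""
        print(f"{e.asset:<20}{e.inherent():>5} {band(e.inherent()):<6}"
              f"{e.residual():>5} {band(e.residual()):<6} {e.treatment}{flag}")


if __name__ == "__main__":
    print_register(SAMPLE_REGISTER)
```

Run as-is, the table shows phishing and ransomware tied at the top of the inherent ranking; after treatment only the phishing row still sits above the appetite, which is exactly the picture the evaluate step is meant to give: the remaining work is on that row, and the printer row never needed more than acceptance.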

    What action should you take?

  • Develop a risk assessment policy, a game plan that requires an annual assessment.
  • Build your asset register.
  • Determine your threats and vulnerabilities. Consult information that keeps tabs on current threats.
  • Conduct your risk assessment.
  • Risk treatment plan: put controls in place to mitigate the risks you are most exposed to as much as possible.