Building (or Improving) a Risk Assessment Program

Jack Freund
Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, Chief Risk Officer, Kovrr
Date Published: 2 November 2022

Tips of the Trade

A core part of every information security program is a risk assessment function. Most cyber professionals recognize the need for a risk-based approach to security, and the assessment function is the function whereby that approach is operationalized. However, there are essential considerations with which a risk assessment program must be designed to help an enterprise achieve its security posture goals.

First, it is important to consider the foundational elements of a risk program that need to be knitted together. These are, conveniently enough, the same as the elements of the risk equation: threat, vulnerability and assets. Identifying the assets that can result in loss is an important first step in creating a risk assessment program. There is a reason that asset identification is the first and second item on the CIS controls matrix. However, simply assessing asset-level cyberrisk is not enough. The assessed assets need to be analyzed in the context of the rest of the organization. This can be done by organizing the assets by their lines of business, product lines or both. As a result, the stories that will be told about the risk will be contextualized in a way that makes sense when compared to the rest of the organization. This also means that shared assets may appear in multiple categories (which is an important condition for business leaders to understand).

Once alignment has taken place, assets can be connected to risk scenarios that make sense to the leaders of those businesses. For example, certain products may be more susceptible to outages, while others may be more likely to fall victim to a data breach. Creating a series of scenarios that can bring about failure is an important part of scoping risk assessments. There may be specific scenarios that include details about how data loss may affect products or how a business interruption event may cause harm. These can be containerized under broad categories (e.g., confidentiality, integrity, availability). Once the IT assets have been connected to businesses and products and aggregated by risk category, they may be reported to the board. The categories lend themselves well to reporting at the board level, and any assertions can be supported by the detailed asset and scenario alignment that has been performed.

Accounting for threat and vulnerability works well within this structure. Threat groups that may target an organization at the asset level can be aligned and aggregated up into higher-level categories (e.g., nation-state attackers). Vulnerabilities, or more precisely, control weaknesses or missing controls, can be aligned to those assets and grouped and aggregated according to the preferred controls taxonomy. This structure also allows threats and vulnerabilities to inherit risk ratings. For example, rather than having to rate the risk of every control deficiency on its own, the deficiency would inherit whatever rating the asset had received.

This is a brief overview of the process one would follow to operationalize a risk program. However, the basics are explained for those looking to create or improve a program. The encapsulation of assets into business units and products and their aggregation into risk categories is the linchpin of success. Doing so provides the foundation upon which the remainder of the program can operate.

About the author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, NACD.DC, is a vice president and head of cyberrisk methodology for BitSight, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, ISSA Distinguished Fellow, FAIR Institute Fellow, IAPP Fellow of Information Privacy, (ISC)2 2020 Global Achievement Awardee and the recipient of the ISACA® 2018 John W. Lainhart IV Common Body of Knowledge Award.