Risk assessment is the exercise of determining the qualitative or quantitative value of the risk associated with one or more threats against a defined environment. It differs from the more familiar IT security assessments by factoring in the likelihood that a threat is realized and its potential impact on the target environment.
By factoring in those two elements (likelihood and business impact), risk assessment allows organizations to make sound decisions about their investments in security controls. It also lets them identify their spending priorities clearly by putting the critical, high-risk areas under the spotlight.
FIS's risk assessment approach is based on the US National Institute of Standards and Technology (NIST) Special Publication 800-30 (SP 800-30) and covers a wide range of technical, physical and human threats to give an organization a 360-degree view of its threat environment and the risks associated with it.
Risk Assessment Process Overview
The risk assessment process starts by identifying the threats relevant to the organization. Threats are divided into adversarial and accidental threats. For adversarial threats, the likelihood of occurrence is determined by assessing the capability and intent of the threat source; for accidental threats, it is derived mainly from historical data and the characteristics of the environment.
The vulnerability of the environment is then assessed by examining the existing controls, the environment's characteristics and the technical and procedural vulnerabilities present. The level of vulnerability determines the likelihood that a threat event, if it occurs, will succeed in causing undesired impacts.
The overall likelihood of the threat is then derived as a function of its likelihood of occurrence and the vulnerability level, that is, the likelihood of success.
Impact is then determined as the expected effect on the organization if the threat succeeds. Finally, risk is measured as a function of the overall likelihood of the threat and the level of adverse impact it is expected to cause.
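The four combination steps above, carried through for a small threat register, as an added Python example (this is illustrative code written for this page, not FIS's assessment tool and not a NIST artifact). The five-point scale, the two lookup tables, the rule that an adversarial threat's likelihood of initiation is bounded by the weaker of capability and intent, the frequency thresholds for accidental threats, the one-step-per-control adjustment to the likelihood of success, and the four sample threats are all assumptions made for the example; the tables are patterned after the qualitative tables in SP 800-30 Rev. 1 (Appendix G and Appendix I) and should be checked against the publication before being reused.

```python
"""Qualitative risk scoring walk-through (added illustration, not FIS's tool).

Scale, combination tables, likelihood rules and the sample register are
assumptions patterned after NIST SP 800-30 Rev. 1; verify before reuse.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Five-point qualitative scale used for likelihood, impact and risk."""
    VERY_LOW = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3
    VERY_HIGH = 4


VL, L, M, H, VH = Level  # short aliases for the tables below

# Assumed table: overall likelihood indexed by
# [likelihood of initiation/occurrence][likelihood of success].
OVERALL_LIKELIHOOD = [
    [VL, VL, VL, L, L],   # initiation/occurrence VERY_LOW
    [VL, L, L, M, M],     # LOW
    [L, L, M, M, H],      # MODERATE
    [L, M, M, H, VH],     # HIGH
    [L, M, H, VH, VH],    # VERY_HIGH
]

# Assumed table: risk level indexed by [overall likelihood][impact].
RISK_LEVEL = [
    [VL, VL, VL, L, L],   # overall likelihood VERY_LOW
    [VL, L, L, L, M],     # LOW
    [VL, L, M, M, H],     # MODERATE
    [VL, L, M, H, VH],    # HIGH
    [VL, L, M, H, VH],    # VERY_HIGH
]


@dataclass
class Threat:
    name: str
    adversarial: bool
    impact: Level                  # expected impact if the threat succeeds
    vulnerability: Level           # severity of the exploitable weakness
    control_strength: int = 0      # assumed: each point lowers likelihood of success one step
    capability: Optional[Level] = None       # adversarial only
    intent: Optional[Level] = None           # adversarial only
    events_per_year: Optional[float] = None  # accidental only, from incident history


def initiation_likelihood(t: Threat) -> Level:
    """Likelihood the event is initiated (adversarial) or occurs (accidental)."""
    if t.adversarial:
        # Assumption: an attack needs both capability and intent, so the weaker bounds it.
        return min(t.capability, t.intent)
    f = t.events_per_year  # assumption: bucket historical frequency into the scale
    if f >= 10:
        return VH
    if f >= 1:
        return H
    if f >= 0.1:
        return M
    if f >= 0.01:
        return L
    return VL


def success_likelihood(t: Threat) -> Level:
    """Likelihood an initiated event causes impact, from vulnerability minus controls."""
    return Level(max(int(VL), int(t.vulnerability) - t.control_strength))


def assess(t: Threat) -> dict:
    """Carry one threat through the four combination steps."""
    init = initiation_likelihood(t)
    succ = success_likelihood(t)
    overall = OVERALL_LIKELIHOOD[init][succ]
    risk = RISK_LEVEL[overall][t.impact]
    return {"name": t.name, "initiation": init, "success": succ,
            "overall": overall, "impact": t.impact, "risk": risk}


def rank(threats) -> list:
    """Risk register, highest risk first (ties broken by likelihood, then impact)."""
    rows = [assess(t) for t in threats]
    rows.sort(key=lambda r: (r["risk"], r["overall"], r["impact"]), reverse=True)
    return rows


# Constructed sample register (not real assessment data).
SAMPLE_THREATS = [
    Threat("Phishing leading to credential theft", True, impact=H, vulnerability=H,
           capability=H, intent=VH),                      # no MFA on the VPN portal
    Threat("Ransomware by organized crime", True, impact=VH, vulnerability=M,
           control_strength=1, capability=VH, intent=H),  # EDR plus offline backups
    Threat("Admin deletes production data by mistake", False, impact=H,
           vulnerability=M, events_per_year=0.5),         # weak change control
    Threat("Power outage at the data centre", False, impact=M,
           vulnerability=L, events_per_year=2),           # UPS and generator in place
]

if __name__ == "__main__":
    for r in rank(SAMPLE_THREATS):
        print(f"{r['risk'].name:9} {r['name']} "
              f"(likelihood {r['overall'].name}, impact {r['impact'].name})")
```

Running the script prints the register in priority order; the phishing threat lands at the top because both its likelihood of initiation and its likelihood of success are high, while the ransomware threat, despite a very high impact, is pulled down one step by the control-strength adjustment. Swapping in the organization's own calibrated tables and thresholds is the part of the exercise that the code cannot do for you.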