Security Risk Analysis.
Security risk analysis is a procedure for estimating the risk to computer-related assets and the loss that would result from manifested threats. The procedure first determines an asset's level of vulnerability by identifying and evaluating the effect of in-place countermeasures. An asset's level of vulnerability to the threat population is determined solely by the countermeasures [controls/safeguards] that are in place at the time the risk analysis is performed.
A security risk analysis describes the current environment and recommends corrective actions if the residual risk is unacceptable. Risk analysis is a vital part of any ongoing security and risk management program. The risk analysis process should be conducted with sufficient regularity to ensure that each agency's approach to risk management remains a realistic response to the current risks associated with its information assets. Management must then decide whether to accept the residual risk or to implement the recommended actions.
Risk Analysis Terminology:
Asset - Anything with value and in need of protection.
Threat - An action or potential action with the propensity to cause damage.
Vulnerability - A condition of weakness. If there were no vulnerabilities, there would be no concern for threat activity.
Countermeasure - Any device or action with the ability to reduce vulnerability.
Expected Loss - The anticipated negative impact to assets due to threat manifestation.
Impact - Losses as a result of threat activity are normally expressed in one or more impact areas.
Security Risk Assessments:
Risk assessment – the process of identifying, analyzing and evaluating risk – is the only way to ensure that the cyber security controls you choose are appropriate to the risks your organization faces.
Without a risk assessment to inform your cyber security choices, you could waste time, effort and resources – there is, after all, little point in implementing measures to defend against events that are unlikely to occur or won’t have much material impact on your organization.
A cyber security risk assessment identifies the various information assets that could be affected by a cyber-attack (such as hardware, systems, laptops, customer data and intellectual property), and then identifies the various risks that could affect those assets.
A risk estimation and evaluation is usually performed, followed by the selection of controls to treat the identified risks. It is important to continually monitor and review the risk environment to detect any changes in the context of the organization, and to maintain an overview of the complete risk management process.
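As an added illustration (not part of the original article), the following Python models the procedure described above in the article's own terms: it computes the vulnerability left by in-place countermeasures, derives the expected loss for each asset/threat pair, and records whether the residual risk falls within the level management has agreed to accept or needs treatment. The scoring scales, the sample assets and threats, and the control effectiveness values are all constructed assumptions.

```python
from dataclasses import dataclass
# Assumed model (not from the article): a countermeasure removes a fraction of the threat's
# success probability; expected loss = annual frequency x residual vulnerability x value x loss share.
@dataclass
class Countermeasure:
    name: str
    effectiveness: float       # fraction of vulnerability removed, 0.0 to 1.0
@dataclass
class Threat:
    name: str
    annual_frequency: float    # expected manifestations per year
    base_vulnerability: float  # success probability with no countermeasures in place
    loss_fraction: float       # share of asset value lost per successful event
@dataclass
class Asset:
    name: str
    value: float
    countermeasures: dict      # threat name -> list of in-place Countermeasure

def residual_vulnerability(threat, controls):
    """Vulnerability left after in-place controls, each treated as independent."""
    v = threat.base_vulnerability
    for c in controls:
        v *= 1.0 - c.effectiveness
    return v

def expected_loss(asset, threat):
    """Annual expected loss (impact in currency units) for one asset/threat pair."""
    v = residual_vulnerability(threat, asset.countermeasures.get(threat.name, []))
    return threat.annual_frequency * v * asset.value * threat.loss_fraction

def analyze(assets, threats, acceptable_loss):
    """(asset, threat) -> (expected loss, 'accept' or 'treat') against management's threshold."""
    results = {}
    for a in assets:
        for t in threats:
            loss = round(expected_loss(a, t), 2)
            results[(a.name, t.name)] = (loss, "accept" if loss <= acceptable_loss else "treat")
    return results

# Constructed sample inventory (illustrative numbers only)
THREATS = [
    Threat("ransomware", annual_frequency=0.5, base_vulnerability=0.4, loss_fraction=0.8),
    Threat("insider theft", annual_frequency=0.1, base_vulnerability=0.5, loss_fraction=0.3),
]
ASSETS = [
    Asset("customer database", 500_000.0,
          {"ransomware": [Countermeasure("offline backups", 0.6), Countermeasure("EDR", 0.5)]}),
    Asset("field laptop", 2_000.0, {}),
]
```

Running `analyze(ASSETS, THREATS, acceptable_loss=10_000)` flags only the database's ransomware exposure for treatment; re-running it after adding a proposed countermeasure shows whether that corrective action would bring the residual risk under the threshold.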
When going through the process it’s important to keep in mind that there are different categories of risk that may affect an organization. Here’s what they are:
Strategic risk is related to adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the institution’s strategic goals.
Reputational risk is related to negative public opinion.
Operational risk is related to loss resulting from inadequate or failed internal processes, people, and systems, or from external events.
Transactional risk is related to problems with service or product delivery.
Compliance risk is related to violations of laws, rules, or regulations, or to noncompliance with internal policies, procedures, or business standards.