Managing risk is something every organization has to do — but there are a variety of risk evaluation approaches, each with its own applications and benefits. 

What’s the most effective way for your organization to identify and reduce information security risk? How will you estimate likelihood and impact? What is your company’s acceptable level of risk? 

This article will help you answer all of these questions and choose a risk management methodology that protects your organization.

6 common types of risk assessment methodologies

There are several popular approaches to risk assessments for organizations to choose from. Understanding these approaches can help you decide which is the best fit for your needs. 

Qualitative risk assessment

In general, there are two approaches to risk assessment: qualitative and quantitative. 

With a qualitative approach, you’ll go through different scenarios and answer “what if” questions to identify risks. A risk matrix is commonly used to assign each risk a likelihood and impact (i.e., ‘high,’ ‘medium,’ and ‘low’) score, allowing for easy prioritization. Risks that are both high probability and high impact are the highest priorities, and risks that are both low probability and low impact are the lowest priorities.

Quantitative risk assessment

A quantitative risk assessment approach uses data and numbers to define risk level. Quantitative risk analysis uses data to measure the probability and impact of individual risks. For example, potential cost or time delays can be predicted through Monte Carlo simulations. While this approach might be more precise, it also relies on accurate and complete data. 

To illustrate the difference with an example, say your business is located in North Dakota. A qualitative risk assessment would say an earthquake is a low probability and low impact, so there’s little need to invest in seismic server racks. A quantitative risk assessment would use geologic data to conclude that there is a 2% chance of an earthquake over the next 10 years with estimated financial losses of $5k. 

Using the Risk = Likelihood x Impact formula, you can then calculate an estimated risk exposure of approximately $100. Since the required seismic server racks are estimated at $15k, the risk falls within your accepted range.

Semi-quantitative risk assessment

A semi-quantitative risk assessment combines these two approaches. It assigns one parameter quantitatively and the other qualitatively.

To continue the earthquake example, a semi-quantitative approach would quantify the likelihood with precise data, such as the geological probability of an earthquake occurring. It would then assign a numerical impact score, say an 8 on a scale of 1-10. According to a semi-quantitative risk assessment, an earthquake would be high impact but very low probability.

Because the insights provided by semi-quantitative risk assessments are limited, they are most often used when the data needed to conduct a fully quantitative risk assessment is either incomplete or unreliable.   

Asset-based risk assessment

Asset-based risk assessments focus exclusively on risks posed to an organization’s assets. These can include physical assets such as equipment and buildings, as well as company data and intellectual property. 

For this type of risk assessment, organizations first create an asset register. Next, asset owners help identify risks, which are then prioritized based on likelihood and impact. Asset-based risk assessments are typically used when pursuing ISO 27001 certification.

Vulnerability-based risk assessment

This approach helps organizations pinpoint their highest-priority risks. Risk-based vulnerability management solutions typically use vulnerability scanning tools/services, artificial intelligence, and machine learning to identify risks that are both most likely to be exploited and have the highest potential negative impact on the business. These insights help cybersecurity teams focus on the most significant and urgent risks facing their organizations. 

Threat-based risk assessment

While an asset-based risk management approach focuses on an organization’s most important assets, a threat-based approach examines the conditions that create and contribute to increased risk. What techniques are threat actors using, and how can you best safeguard against them? 

As an example, an asset-based approach may identify the risks of weak password practices across an organization. The result may be implementing a password policy that requires the use of strong passwords or multi-factor authentication. 

A threat-based approach would instead focus on social engineering practices and the likelihood of threat actors to target employees and convince them to share passwords or other sensitive information that can be exploited. The result of this assessment may be more frequent employee training around phishing attacks and safe password practices. 

Risk management methodologies for information security

Because risk assessments are so important for businesses in the digital age, many organizations have created defined risk management frameworks for information security. This list includes some of the most popular and respected: 

NIST RMF

Created by the National Institute of Standards and Technology, the NIST Risk Management Framework (RMF) offers a 7-step process for integrating information security and risk management activities into the system development lifecycle:

• Step 1: Prepare to manage security and privacy risks
• Step 2: Categorize information processed, stored, and transmitted based on  impact
• Step 3: Select NIST SP 800-53 controls to safeguard the system
• Step 4: Implement and document controls 
• Step 5: Assess control performance
• Step 6: Senior leadership evaluates risk to authorize the system to operate
• Step 7: Continue to monitor controls and risks to the system

ISO 27005:2018

Developed by the International Organization for Standardization (ISO) to support ISO/IEC 27001, ISO/IEC 27005:2018 offers guidelines for managing information security risk. The document supports organizations in identifying, analyzing, evaluating, treating, and monitoring specific information security risks.

OCTAVE

OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation. It defines a comprehensive method for identifying, evaluating, and managing information security risks. OCTAVE involves three phases:

• Phase 1: Build Asset-Based Threat Profiles
• Phase 2: Identify Infrastructure Vulnerabilities
• Phase 3: Develop a Security Strategy

NIST SP 800-30 Revision 1

Also developed by the National Institute of Standards and Technology, 800-30 Revision 1 is a guide for conducting risk assessments. This document is one entry is a series of risk management and infosec guidelines developed by a joint task force with the Department of Defense, Intelligence Community, and Committee on National Security Systems. It expands on the guidance outlined in Special Publication 800-30 to include in-depth information on risk factors such as threat sources and events, vulnerabilities, impact, and likelihood of threat occurrence. 

Whichever risk management approach or methodology you choose, company management should be closely involved in the decision-making process. They’ll be instrumental in determining your organization’s baseline security criteria and level of acceptable risk. 

And by establishing your risk management methodology at the company level, every department will be able to follow the same cohesive process.

A 6-step risk assessment process

Conducting regular risk assessments is a critical step in keeping your organization safe from a breach and maintaining compliance with many security frameworks. Below we outline the risk management process in six basic steps.

Step 1: Determine your organization’s acceptable level of risk

Risk is an inevitability for all businesses. But with greater awareness and understanding of those risks, companies can identify ways to either resolve, reduce, or work around them to achieve their goals. Sometimes risk can even be turned into opportunity — so it’s important to have a risk management approach that balances risk awareness and strategic risk-taking. 

Low risk can lead to stagnation and a lack of innovation. High risk can result in unnecessary losses in both time and money. Effective risk management finds a balance that allows organizations to achieve their goals while minimizing potential losses.

Defining an organization’s risk appetite typically involves a few key steps: 

1. Define your company’s strategic objectives. What is your organization working to achieve? How much risk are you willing and able to accept in order to achieve those goals?
2. For each of the primary targets you’ve identified, decide the acceptable level of risk. 
   undefinedundefinedundefinedundefinedundefined
3. Communicate your risk appetite to company stakeholders. Leadership and management teams should work together to discuss risk appetite, mitigation, share feedback, and determine how it will impact day-to-day operations. Writing a risk appetite statement can clarify your strategy for leadership, employees, and other key stakeholders, and allows for more informed risk decisions throughout the company.  

Risk tolerance and risk appetite are commonly used interchangeably, but they are not the same thing.

Risk appetite is how much risk your business is willing to accept before treating it. Risk appetite varies widely based on factors like your company’s industry, financial situation, competitive landscape, and company culture. What’s the cost-benefit analysis of each risk? If you have more resources, you may be open to accepting greater risk in order to fuel a faster pace of innovation, for example. 

Risk tolerance is how much residual risk you’re willing to accept after treatment. Say you identify a risk that has a 40% probability of occurring, which falls outside your risk appetite. After treating the risk, you bring the probability of it occurring down to 10%. Is 10% residual risk acceptable for your business? 

Step 2: Select a risk assessment methodology

Ask yourself the following questions: 

• What are you hoping to gain from the assessment? A quantitative risk assessment can provide data-driven insights, while a qualitative assessment often offers greater efficiency. 
• What’s the scope of the assessment? Decide if the risk assessment will be conducted across your entire organization or focus on a single department or team. 
• What compliance or regulatory requirements do you need to comply with? Some information security standards such as ISO 27001, SOC 2, PCI, and HIPAA may have specific risk assessment procedures you’ll need to follow to satisfy requirements. 
• What cost or time constraints do you need to work around? An accelerated timeline may require a qualitative assessment over a quantitative one. Organizations that lack the internal expertise to complete a risk assessment may need to hire a third party. 

Step 3: Risk identification

Security risks are ever-changing, with new threats popping up seemingly every day. The only way to address risks is to first identify they're there.

Start with a list of information assets and then identify risks and vulnerabilities that could impact data confidentiality, integrity, and availability for each one. You’ll need to consider your hardware (including mobile devices), software, information databases, and intellectual property. 

• Vulnerabilities are flaws in the state of your environment that could be exploited.
• Threats are the potential for someone or something to take advantage of a vulnerability. 
• Risks are a measure of the likelihood that a given threat will take advantage of a given vulnerability and the impact it will have on the cardholder data environment.

For example, let’s consider a software system that hasn’t been updated with a new version meant to patch a cybersecurity vulnerability. That vulnerability is outdated software, the threat is that a hacker could infiltrate the system, and the cyber security risk is not ensuring software is up-to-date. 

Consider these categories of threats and vulnerabilities:

• Digital: Not updating software with security patches
• Physical: Improper disposal of data
• Internal: Employees
• External: Hackers
• Environmental: Natural disaster

Step 4: Risk analysis

Once you’ve identified risks, determine the potential likelihood of each one occurring and its business impact. Remember that impact isn’t always monetary — it could be an impact on your brand’s reputation and customer relationships, a legal or contractual issue, or a threat to your compliance. 

• Risk likelihood: Consider how likely it is for a threat to take advantage of a given risk. For example, if you experienced a data breach in the last year, your likelihood of another occurring would be high unless you remediated the vulnerability that caused the breach. 
• Risk potential: Consider the damage a risk could pose to your organization. For example, improperly configured firewalls would have a high probability for unnecessary traffic to enter or exit information systems.

Assign each risk a likelihood and impact score. On a scale from 1-10, how probable is it that the incident will occur? How significant would its impact be? These scores will help you prioritize risks in the next step. 

Step 5: Risk treatment

No business has unlimited resources. You’ll need to decide which risks you should spend time, money, and effort to address and which fall within your acceptable level of risk. 

Now that you’ve analyzed the potential impact of each risk, you can use those scores to prioritize your risk management efforts. A risk matrix can be a helpful tool in visualizing these priorities (find a free risk register + risk matrix template here). 

A risk treatment plan records how your organization has decided to respond to the threats you identified in your security risk assessment. 

Most risk assessment methodologies outline four possible ways to treat risk: 

• Treat the risk with security controls that reduce the likelihood it will occur 
• Avoid the risk by preventing the circumstances where it could occur 
• Transfer the risk with a third party (i.e., outsource security efforts to another company, purchase insurance, etc.) 
• Accept the risk because the cost of addressing it is greater than the potential damage 

Step 6: Risk control and mitigation

Now it’s time to create an action plan and decide your risk mitigation options. Risk controls can include operational processes, policies, and/or technologies designed to reduce the likelihood and/or impact of a risk. 

For example, the risk of accidental data loss can be mitigated by conducting regular information systems backups that are stored in different locations. 

Each of your identified risks should have an assigned owner who’s responsible for overseeing any risk mitigation tasks, from assigning implementation deadlines to monitoring control effectiveness.

Fortify your organization against threats with Secureframe

However you choose to monitor and manage risk, it’s an ongoing process. An all-in-one GRC solution like Secureframe can help you evaluate security safeguards and identify weaknesses to provide a clear picture of your risk profile and security posture.

Secureframe makes it easy to build and maintain robust risk management processes: 

• Monitor risks 24/7: Continuous monitoring across your tech stack provides complete visibility into critical security and privacy issues. Track and update risk likelihood and impact as well as risk treatment plans. 
• Track risks in a single platform: Maintain an up-to-date risk register as you introduce new products and services, your tech environment changes, or to incorporate findings from internal or external audits. 
• Assign risk owners: Notification reminders to review and update risks on a regular basis ensure accountability. 

Learn more about how Secureframe can help you build a strong, scalable security posture by scheduling a demo today.