Assessing risk tells you where to focus attention when deciding which controls to apply. A risk assessment has four stages, each of which needs careful attention:
- Prepare
- Conduct
- Communicate results
- Maintain assessment (continually review)
Cybersecurity Frameworks
Various internationally recognised frameworks can be referenced to support the risk management process:
Results from risk assessments should be presented as either quantitative or qualitative information.
Quantitative Risk Assessment
Quantitative risk is expressed as a monetary (or other numerical) value. First estimate the Single Loss Expectancy (SLE): the total cost of one occurrence. For the risk of a power surge destroying a server, that includes the cost of replacing the server, the working hours to rebuild it, the reputational damage from the loss of service and so on. Say £10,000.
Next estimate how often the event is expected and convert that to an Annualised Rate of Occurrence (ARO). The Annual Loss Expectancy (ALE) is then SLE multiplied by ARO. If the surge is expected once every four years:
ARO = 1 / 4 = 0.25 per year (25%)
ALE = £10,000 x 0.25 = £2,500
The unit matters: the same event expected once every four months has an ARO of 3 per year and an ALE of £30,000, twelve times higher. The ALE is what a control would have to save each year to pay for itself.
Qualitative Risk Assessment
Qualitative risk is represented by a description or category, for example a grade from one to 10, low / medium / high, or critical / essential / important. To conduct a qualitative risk assessment you grade both the likelihood and the impact of the risk. The resulting risk level is a function of both, but not necessarily an arithmetic product: organisations usually define it in a likelihood-by-impact matrix, so that a rare event with severe impact can still be rated high.
Either approach enables a business to consider the full breadth and depth of its risk. Based on the result, each risk is then treated in one of four ways: avoided, accepted, transferred (for example through insurance) or mitigated by applying controls.
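The following Python is an added worked example (not code from the original page) covering both the quantitative and qualitative sections above. It converts an expected frequency into an ARO, so that "once every four months" and "once every four years" cannot be confused, computes ALE, and works out whether a control pays for itself. It also shows a qualitative likelihood-by-impact matrix that is deliberately not a product. The £10,000 server figure is the page's; the control cost, the reduced ARO and the matrix contents are constructed assumptions for illustration.

```python
"""Risk-assessment arithmetic: quantitative (SLE, ARO, ALE, control value)
and qualitative (likelihood x impact matrix).

Added example for this page; figures other than the page's £10,000 SLE are
constructed for illustration.
"""
from fractions import Fraction

MONTHS_PER_YEAR = 12


def annual_rate(occurrences: int, per: int, unit: str) -> Fraction:
    """Annualised Rate of Occurrence (ARO): expected events per year.

    annual_rate(1, 4, "years")  -> 1/4   (once every four years)
    annual_rate(1, 4, "months") -> 3     (once every four months)
    Using Fraction keeps 1/4 exact rather than a float.
    """
    if per <= 0 or occurrences < 0:
        raise ValueError("occurrences must be >= 0 and period > 0")
    if unit == "years":
        return Fraction(occurrences, per)
    if unit == "months":
        return Fraction(occurrences * MONTHS_PER_YEAR, per)
    raise ValueError(f"unsupported unit: {unit!r} (use 'months' or 'years')")


def annual_loss_expectancy(sle: int, aro: Fraction) -> Fraction:
    """ALE = SLE x ARO.

    SLE (Single Loss Expectancy) is the full cost of one occurrence:
    replacement, labour, lost service, reputational damage.
    """
    return sle * aro


def control_value(ale_before: Fraction, ale_after: Fraction,
                  annual_control_cost: int) -> Fraction:
    """Net annual value of a control: ALE reduction minus its yearly cost.

    A negative result means the control costs more than it saves, which
    argues for accepting or transferring the risk instead of mitigating it.
    """
    return ale_before - ale_after - annual_control_cost


LEVELS = ("low", "medium", "high")

# Constructed 3x3 matrix indexed [likelihood][impact]. It is not a product:
# a low-likelihood, high-impact event is still rated high, because a rare
# total outage is not equivalent to a frequent minor fault.
RISK_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "high"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "critical"},
}


def qualitative_risk(likelihood: str, impact: str) -> str:
    """Look up the risk category for a graded likelihood and impact."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"grades must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][impact]


if __name__ == "__main__":
    sle = 10_000                                  # the page's server example
    ale_years = annual_loss_expectancy(sle, annual_rate(1, 4, "years"))
    ale_months = annual_loss_expectancy(sle, annual_rate(1, 4, "months"))
    print(f"ALE, surge once every 4 years:  £{float(ale_years):,.0f}")
    print(f"ALE, surge once every 4 months: £{float(ale_months):,.0f}")

    # Assumed control: surge protection costing £800/year, cutting the
    # expected frequency to once every 20 years.
    ale_after = annual_loss_expectancy(sle, annual_rate(1, 20, "years"))
    print(f"Net control value: £{float(control_value(ale_years, ale_after, 800)):,.0f}")

    print("Qualitative, low likelihood / high impact:",
          qualitative_risk("low", "high"))
```

Run it as a script to see the page's example carried through; the month-versus-year comparison makes the unit error visible immediately, and control_value is the number to put in front of whoever signs off on the control budget.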
Assessment overview