What is a Security Risk Assessment?
A security risk assessment is often either a one-time or ongoing process used to measure an organization's security posture. Risk assessments are meant to discover, correct, and prevent security problems, often by taking a risk-based approach to identify the threats that need to be addressed.
The most common purpose of a risk assessment is to understand the current cyber security state of the environment, and any associated security issues, at a given point in time.
Risk assessments and their related documentation are also often required for compliance with multiple security standards.
Other common driving forces for risk assessments include establishing a remediation budget or supporting stakeholder due diligence. Business partners and suppliers can also request an assessment from their potential partners.
The method and detail of performing a risk assessment — either quantitative or qualitative — often depends on the purpose and objective of the assessment.
Quantitative vs. Qualitative Security Risk Assessments
Qualitative Risk Assessment
Qualitative risk assessment methods focus on pre-defined and subjectively assigned ratings during the risk assessment process.
These assessments are often focused on the assessing parties' own perceptions of the probability of a risk occurring and the impact that a breach would have on the organization, such as financially, reputationally, etc.
Risks in this type of assessment are typically ranked as high, medium, or low by an assessor based on their experience or knowledge on the process or asset being assessed.
Since no calculation is involved in a qualitative assessment, it is often quicker to perform, but it may also be heavily biased in how both probability and impact are defined.
If an assessor is not familiar with a given process or timeframe within an organization, this may lead them to think that risks are more likely to occur, which may lead to inaccuracies.
Quantitative Risk Assessment
Quantitative risk assessments also look to understand the detrimental effects of an incident but focus on using more math-driven and less subjective approaches to risk calculation.
These assessments are based on factual and measurable data to calculate probability and impact values. Since quantitative assessments rely on numerical or quantified data based on current risks, they often take longer to complete since it takes time to collect all the necessary input data.
Historical data for certain risks or patterns that are being considered may also be difficult to collect because each organization has vastly different circumstances, even if they're in the same industry or are similarly sized.
Quantitative risk assessments generally yield more accurate risk information as a tradeoff for the effort that it takes to perform them.
Additionally, organizations and institutes are actively researching ways to speed up quantitative assessments.
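To make the contrast between the two methods concrete, here is an added example (not from the original article) that derives quantitative risk scores from a small constructed incident history and compares the resulting ranking with a hypothetical assessor's high/medium/low ratings. The risk names, loss figures and ratings are all made up for illustration; "expected annual loss" here is the product of annual incident rate and mean loss, commonly called annualized loss expectancy.

```python
from collections import defaultdict
from statistics import mean

# Constructed incident history (illustrative only): each record is
# (risk name, year, direct loss in currency units) for one past incident.
INCIDENTS = [
    ("phishing", 2021, 12_000), ("phishing", 2022, 9_500),
    ("phishing", 2022, 15_000), ("phishing", 2023, 11_000),
    ("ransomware", 2022, 250_000),
    ("lost_laptop", 2021, 3_000), ("lost_laptop", 2023, 2_500),
]
YEARS_OBSERVED = 3  # 2021 to 2023 inclusive

# Hypothetical qualitative ratings an assessor assigned to the same risks.
QUALITATIVE = {"ransomware": "high", "phishing": "low", "lost_laptop": "medium"}
RATING_ORDER = {"high": 0, "medium": 1, "low": 2}


def quantitative_risk(incidents, years):
    """Per risk: annual incident rate (probability proxy), mean loss (impact),
    and their product, the expected annual loss."""
    by_risk = defaultdict(list)
    for name, _year, loss in incidents:
        by_risk[name].append(loss)
    scores = {}
    for name, losses in by_risk.items():
        rate = len(losses) / years
        impact = mean(losses)
        scores[name] = {"rate": rate, "impact": impact,
                        "expected_loss": rate * impact}
    return scores


def rank_quantitative(scores):
    """Risks ordered by expected annual loss, largest first."""
    return sorted(scores, key=lambda n: scores[n]["expected_loss"], reverse=True)


def rank_qualitative(ratings):
    """Risks ordered by assessor rating (high before medium before low)."""
    return sorted(ratings, key=lambda n: (RATING_ORDER[ratings[n]], n))


def ranking_disagreements(quant_order, qual_order):
    """Risks whose position differs between the two methods."""
    return [n for n in quant_order if quant_order.index(n) != qual_order.index(n)]


if __name__ == "__main__":
    scores = quantitative_risk(INCIDENTS, YEARS_OBSERVED)
    quant, qual = rank_quantitative(scores), rank_qualitative(QUALITATIVE)
    print("quantitative:", quant, "qualitative:", qual)
    print("disagree on:", ranking_disagreements(quant, qual))
```

With this data the assessor's "low" for phishing is contradicted by the incident history, which is exactly the kind of perception bias the quantitative method is meant to remove.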
Outsourced Risk Assessment Templates
It's common to outsource risk assessments or use templates when performing these assessments for business partners or suppliers.
These templates usually involve a set of questions about how the supplier performs common security activities and may be tailored to a specific industry.
The questions on risk assessment templates are often developed by the organization conducting or requesting the assessment, and then given to the supplier or business partner to complete.
Risk ratings are assigned based on the partner's responses, and the assessing organization then decides whether the business relationship is appropriate for the identified level of risk.