Skip to main content
Version: 4.0

Risk-Assessment-Steps

1 Risk Assessment Steps

The core of the security process is to understand what is being protected and from what or whom. It is also important to identify what is not being protected. There are many ways to accomplish this procedure, but it is recommended to use well-known, best practice, risk management standards [GOV.UK.RISKMAN]1 [NIST.SP.800-30]2 [ENISA.RMF]3. Risk management techniques can also be found in several common business training publications. An outline of the Risk Assessment process used in this document can be seen in the flow diagram and bullet list below:

Figure 3 Outline risk assessment process steps

  • Create a list of valuable assets contained or associated with the product

  • Create a list of security risks to the product

    • Use brainstorming techniques, mind mapping or other Group Creativity techniques.

    • Generate a list covering both business and technical threats to the assets:

      • E.g. “Brand Image damage due to adverse publicity”, “cost of product recall”, “product exposes users Wi-Fi credentials”

      • Safety aspects of the product that affect users if the security is compromised

      • The Framework can be used to support the creation of the list of risks by considering the Assurance Class criteria

  • Assess the “probability” of each item on the Risk List happening

  • Assess the “Cost” (impact in terms of the detectability and recovery) of each item on the Risk List – if it happens

  • Multiply the Cost by the Probability, this gives a “Risk Factor”

  • Order list by “Risk Factor”. This could be a percentage or simply Probability x Impact number

This list becomes the “Risk Register” document and may then be used to guide and justify the work needed to mitigate the risks to product security. Each time a mitigation task is completed, the probability of the risk happening should be reduced so the risk register can be updated and reordered. The aim of the work is to reduce the risk “probability” factor to an acceptable level.

Example of simplified Risk Register

Threat

Description

Probability

(0-100%)

Impact/Cost to company of threat happening

(0-5)

Risk Factor
Compromise of Encryption and Key Management5%5(0.05*5) = 0.25
Web User Interface subversion90%4(0.9*4) =3.6
Mobile Application hacked15%2(0.15*2) = 0.3
Leakage of Private personal data15%5(0.15*5) = 0.75

Table 5

This is showing the biggest risk is the web User Interface, so the priority should be on mitigating this to reduce the probability.

Footnotes

  1. NCSC Guidance "Risk management". https://www.ncsc.gov.uk/collection/risk-management.

  2. NIST Special Publication 800-30 "Guide for Conducting Risk Assessments", September 2012. https://www.nist.gov/publications/guide-conducting-risk-assessments.

  3. ENISA "Interoperable EU Risk Management Framework", January 2023. https://www.enisa.europa.eu/publications/interoperable-eu-risk-management-framework.