
1 Risk Assessment Steps

The core of the security process is to understand what is being protected, and from what or whom. It is equally important to identify what is not being protected. There are many ways to do this, but it is recommended to use well-known, best-practice risk management standards [ref 39, 40 and 41] (footnotes 1, 2 and 3). Risk management techniques can also be found in several common business training publications. The risk assessment process used in this document is outlined in the flow diagram and bullet list below.

Figure 3: Outline risk assessment process steps

  • Create a list of security risks to the product
    • Use brainstorming techniques, mind mapping or other Group Creativity techniques.
    • Generate a list covering both business and technical threats:
      • E.g. “Brand image damage due to adverse publicity”, “Cost of product recall”, “Product exposes users' Wi-Fi credentials”
      • Safety aspects of the product that affect users if the security is compromised
      • The Framework can be used to support the creation of the list of risks by considering the Assurance Class criteria
  • Assess the “probability” of each item on the Risk List happening
  • Assess the “Cost” (impact, in terms of detectability and recovery) of each item on the Risk List if it happens
  • Multiply the Cost by the Probability; this gives a “Risk Factor”
  • Order the list by “Risk Factor”. This could be a percentage or simply the Probability x Impact number

This list becomes the “Risk Register” document and may then be used to guide and justify the work needed to address product security. The aim of the work is to reduce the risk “probability” factor to an acceptable level; where a control cannot lower the probability, reducing the impact (for example by holding less personal data) also lowers the Risk Factor.

Threat Description                             Probability (0-100%)   Impact/Cost to company of threat happening (0-5)   Risk Factor
Compromise of Encryption and Key Management    5%                     5                                                  (0.05*5) = 0.25
Web User Interface subversion                  90%                    4                                                  (0.9*4) = 3.6
Mobile Application hacked                      15%                    2                                                  (0.15*2) = 0.3
Leakage of Private personal data               15%                    5                                                  (0.15*5) = 0.75

Table 5

This shows that the biggest risk is the web User Interface, so the priority should be on mitigating this to reduce its probability. Note that the ordering is only as good as the estimates behind it: compromise of encryption and key management carries the maximum impact of 5 and ranks last only because its probability is put at 5%, so the estimates should be revisited whenever the design or the threat picture changes.
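The procedure above, from the risk list through scoring to the ordered Risk Register, as a worked example. This is an added illustration and not code from the original document: the rows are constructed from Table 5, while the 1.0 acceptance threshold and the 10% post-mitigation probability used in the usage section are assumptions made here, since the page gives no numbers for them.

```python
"""Risk register worked example: score, order, and re-score after mitigation."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    threat: str
    probability: float  # Table 5 "Probability (0-100%)" column, as a fraction 0.0-1.0
    impact: int         # Table 5 "Impact/Cost to company" column, 0-5

    def __post_init__(self) -> None:
        # Out-of-range scores are a data-entry error, not a low or high risk.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.threat!r}: probability {self.probability} not in 0..1")
        if not 0 <= self.impact <= 5:
            raise ValueError(f"{self.threat!r}: impact {self.impact} not in 0..5")

    @property
    def risk_factor(self) -> float:
        # "Multiply the Cost by the Probability"; rounded so 0.15*5 reads as 0.75
        return round(self.probability * self.impact, 2)


# Constructed from Table 5 on this page.
TABLE_5 = [
    Risk("Compromise of Encryption and Key Management", 0.05, 5),
    Risk("Web User Interface subversion", 0.90, 4),
    Risk("Mobile Application hacked", 0.15, 2),
    Risk("Leakage of Private personal data", 0.15, 5),
]

ACCEPTABLE_RISK = 1.0  # assumed acceptance threshold; the page does not give one


def build_register(risks: list[Risk]) -> list[Risk]:
    """Order the list by Risk Factor, highest first (the Risk Register)."""
    return sorted(risks, key=lambda r: r.risk_factor, reverse=True)


def outstanding(risks: list[Risk], threshold: float = ACCEPTABLE_RISK) -> list[Risk]:
    """Risks still above the acceptable level, in the order they should be worked."""
    return [r for r in build_register(risks) if r.risk_factor > threshold]


def mitigate(risks: list[Risk], threat: str, new_probability: float) -> list[Risk]:
    """Re-score one threat after a control has lowered its probability.

    Returns a new register; the original list is kept unchanged as the
    audit trail of the pre-mitigation estimate.
    """
    if not any(r.threat == threat for r in risks):
        raise KeyError(threat)
    return [replace(r, probability=new_probability) if r.threat == threat else r
            for r in risks]


def render(risks: list[Risk]) -> str:
    """Plain-text table in the layout of Table 5, ordered by Risk Factor."""
    width = max(len(r.threat) for r in risks)
    lines = [f"{'Threat Description':<{width}}  Prob  Impact  Risk Factor"]
    for r in build_register(risks):
        lines.append(f"{r.threat:<{width}}  {r.probability:>4.0%}  {r.impact:>6}  "
                     f"({r.probability:g}*{r.impact}) = {r.risk_factor:g}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(TABLE_5))
    print("\nAbove threshold:", [r.threat for r in outstanding(TABLE_5)])
    # Assumed outcome of the mitigation work on the web UI: probability cut to 10%.
    after = mitigate(TABLE_5, "Web User Interface subversion", 0.10)
    print("\nAfter mitigation:")
    print(render(after))
    print("\nAbove threshold:", [r.threat for r in outstanding(after)])
```

Running the block orders Table 5 with the web User Interface at 3.6 on top, flags it as the only item above the assumed threshold, and after the assumed reduction of its probability to 10% shows that leakage of private personal data (0.75) becomes the next item to work on. The frozen dataclass and the copy-on-mitigate design keep the original estimates intact, which is what an auditor will ask for when the register is used to justify the security work done.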

Footnotes

  1. Bluetooth Numeric Comparison [https://csrc.nist.gov/publications/detail/sp/800-121/rev-1/archive/2012-06-11]

  2. UK Government Cyber security risk assessment guidance [https://www.ncsc.gov.uk/guidance/risk-management-collection]

  3. NIST Special Publication 800-30, guidance for conducting risk assessments [https://www.nist.gov/publications/guide-conducting-risk-assessments]