Cybersecurity and Risk Assessment
Principles of risk assessment
- Take stock of the system. Assess its size, the number of hardware- and cloud-based access points, partner organizations and vendors, what information is stored and shared, and how sensitive that information is. For example, a multinational bank is going to prove considerably more attractive to a hacker than a freelance photographer selling prints on a personal website.
- Look at potential threats. According to Sage Data Security, in addition to hacker intrusions and data breaches by disgruntled employees, you should also consider breaches resulting from human error, be it poor data backup, insufficient encryption, or data traveling through insecure channels.
- Analyze the environment. This step involves examining controls governing administrator access, user authentication and provisioning, infrastructure data protection, continuity of operations, and other factors. The key question is: How vulnerable are these individual controls to the threats an organization is most likely to face?
- Determine the likelihood. Consider the probability of each breach type and its point of origin. Depending on organizational or network complexity, this can involve dozens of breach-source pairings.
- Conduct a final risk assessment. Sage Data Security recommends multiplying the likelihood of a breach by its resultant damage to determine a risk rating. For example, if an organization is likely to experience breach attempts because of the valuable information it’s handling, and the results of such a breach would be catastrophic, the business has an extremely high risk rating.
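The five steps above can be carried out as a small risk register: an inventory of assets (step 1), a list of threat sources (step 2), an estimate of how much the existing controls reduce each threat's likelihood (step 3), a residual likelihood for every asset/source pairing (step 4), and a rating derived from likelihood multiplied by impact (step 5). The following Python is an added example written for this page; it is not code from the article or from Sage Data Security. The 1-5 likelihood and impact scales, the rating bands, and every asset, threat and control value are constructed sample data, not figures from the text.

```python
"""Risk register: likelihood x impact scoring for asset/threat pairings.

Added example, not from the article. Scales, bands and all sample
values below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from itertools import product

# Assumed convention: likelihood and impact are scored 1-5, so the
# product lies in 1-25. Bands are (inclusive upper bound, label).
RATING_BANDS = [
    (4, "Low"),
    (9, "Moderate"),
    (15, "High"),
    (25, "Extreme"),
]


@dataclass(frozen=True)
class Asset:
    name: str
    sensitivity: int  # impact if compromised, 1-5 (step 1)


@dataclass(frozen=True)
class Threat:
    source: str       # e.g. external intrusion, insider, human error (step 2)
    likelihood: int   # inherent likelihood before controls, 1-5


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    source: str
    score: int        # residual likelihood * sensitivity
    rating: str


def rate(score: int) -> str:
    """Map a 1-25 score to a rating band (step 5)."""
    for upper, label in RATING_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the 1-25 scale")


def build_register(assets, threats, controls):
    """Score every asset/threat pairing and return entries, highest risk first.

    controls maps (asset name, threat source) to the number of likelihood
    points the existing controls remove for that pairing (step 3); a
    missing key means no mitigating control was identified.
    """
    entries = []
    for asset, threat in product(assets, threats):
        mitigation = controls.get((asset.name, threat.source), 0)
        residual = max(1, threat.likelihood - mitigation)   # step 4
        score = residual * asset.sensitivity
        entries.append(RiskEntry(asset.name, threat.source, score, rate(score)))
    entries.sort(key=lambda e: (-e.score, e.asset, e.source))
    return entries


# Constructed sample inventory, threats and control assessments.
SAMPLE_ASSETS = [
    Asset("customer-payment-db", 5),
    Asset("marketing-website", 2),
]
SAMPLE_THREATS = [
    Threat("external-intrusion", 4),
    Threat("disgruntled-insider", 2),
    Threat("human-error-backup", 3),
]
SAMPLE_CONTROLS = {
    ("customer-payment-db", "external-intrusion"): 1,  # MFA plus network segmentation
    ("customer-payment-db", "human-error-backup"): 2,  # tested, encrypted backups
}


def top_risks(n=3):
    """Highest-rated pairings from the sample data, for prioritising remediation."""
    return build_register(SAMPLE_ASSETS, SAMPLE_THREATS, SAMPLE_CONTROLS)[:n]


if __name__ == "__main__":
    for e in build_register(SAMPLE_ASSETS, SAMPLE_THREATS, SAMPLE_CONTROLS):
        print(f"{e.rating:8} {e.score:2}  {e.asset} <- {e.source}")
```

Running the block lists six pairings; the payment database facing external intrusion still scores 15 (High) after its controls are credited, while the same database's backup-error risk drops to Moderate because tested backups remove most of that likelihood. The sort order is what turns dozens of breach-source pairings into a remediation queue.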