2. Key risk concepts
Risk
Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of:
- The adverse impacts that would arise if the circumstance or event occurs; and
- The likelihood of occurrence.
Information security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
(Source: NIST SP 800-30)
Risk Assessment
Risk assessment is the process of identifying, estimating, and prioritizing information security risks. Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur. (Source: NIST SP 800-30)
Risk Assessment Methodology
A risk assessment methodology typically includes:
- A risk assessment process;
- An explicit risk model, defining key terms and assessable risk factors and the relationships among the factors;
- An assessment approach (e.g., quantitative, qualitative, or semi-qualitative), specifying the range of values those risk factors can assume during the risk assessment and how combinations of risk factors are identified/analyzed so that values of those factors can be functionally combined to evaluate risk; and
- An analysis approach (e.g., threat-oriented, asset/impact-oriented, or vulnerability-oriented), describing how combinations of risk factors are identified/analyzed to ensure adequate coverage of the problem space at a consistent level of detail.
Risk assessment methodologies are defined by organizations and are a component of the risk management strategy developed during the risk framing step of the risk management process.
The figure below illustrates the fundamental components of organizational risk frames and the relationships among those components:
Organizations can use a single risk assessment methodology or can employ multiple assessment methodologies, with the selection of a specific methodology depending on, for example:
- The time frame for investment planning or for planning policy changes;
- The complexity/maturity of organizational mission/business processes (by enterprise architecture segments);
- The phase of the information systems in the system development life cycle; or
- The criticality/sensitivity of the information and information systems supporting the core organizational missions/business functions.
By making explicit the risk model, the assessment approach, and the analysis approach employed, and by requiring, as part of the assessment process, a rationale for the assessed values of risk factors, organizations can increase the reproducibility and repeatability of risk assessments.
(Source: NIST SP 800-30)
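The risk model, the semi-quantitative assessment approach, the threat-oriented analysis approach and the rationale requirement described above, worked through as an added Python example (this is not NIST's code, and the scale is not copied from SP 800-30): an explicit model with assessable factors scored on a constructed 0-100 scale, a constructed threat-oriented register, and a record of each value's rationale so that the same inputs always reproduce the same result. The bin edges, the factor names and the combination rules are assumptions made for illustration.

```python
from dataclasses import dataclass
# Assumed semi-quantitative scale: every factor is scored 0-100 and binned
# into five qualitative levels (bin edges constructed for illustration).
LEVEL_BINS = [(4, "Very Low"), (20, "Low"), (79, "Moderate"), (95, "High"), (100, "Very High")]

def to_level(value: int) -> str:
    """Map a 0-100 semi-quantitative value onto its qualitative level."""
    if not 0 <= value <= 100:
        raise ValueError(f"{value} is outside the 0-100 scale")
    return next(name for upper, name in LEVEL_BINS if value <= upper)

@dataclass(frozen=True)
class Factor:  # an assessable risk factor plus the assessor's rationale
    value: int
    rationale: str

@dataclass(frozen=True)
class RiskEntry:  # one threat event (threat-oriented analysis) and its factors
    threat_event: str
    initiation: Factor      # likelihood the threat source acts at all
    adverse_impact: Factor  # likelihood the act succeeds against the system
    impact: Factor          # severity of harm if it does

def assess(entry: RiskEntry) -> dict:
    """Apply the explicit risk model; same inputs always give the same record."""
    # Assumed rules: overall likelihood is the lower of the two likelihood factors
    # (an event must be both attempted and effective); risk = likelihood x impact / 100.
    likelihood = min(entry.initiation.value, entry.adverse_impact.value)
    score = likelihood * entry.impact.value // 100
    return {"threat_event": entry.threat_event, "likelihood": likelihood,
            "impact": entry.impact.value, "risk_score": score, "risk_level": to_level(score),
            "rationale": {k: getattr(entry, k).rationale
                          for k in ("initiation", "adverse_impact", "impact")}}

def prioritize(register: list[RiskEntry]) -> list[dict]:
    """Assess every entry and order the results by descending risk score."""
    return sorted((assess(e) for e in register),
                  key=lambda r: r["risk_score"], reverse=True)

# Constructed sample register for a hypothetical organization.
SAMPLE_REGISTER = [
    RiskEntry("Credential phishing against staff",
              Factor(90, "campaigns seen monthly in the sector"),
              Factor(60, "MFA enforced, but prompt-fatigue bypasses occur"),
              Factor(80, "mailbox access exposes customer PII")),
    RiskEntry("Backup tape lost in transit",
              Factor(20, "two courier incidents in ten years"),
              Factor(10, "tapes encrypted; keys never leave the site"),
              Factor(95, "tape holds the full customer database")),
]
```

Changing a rationale string never changes a score, which is the point: the score is reproducible from the factor values, and the rationale is what lets a second assessor check whether those values were justified.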