Risk Analysis: Get Help With Business Threat Assessment

Further Steps in Risk Analysis

To progress our risk analysis, we must identify who or what poses a threat to our organisation and its objectives, as well as how they might attack or compromise what we value. Authoritative sources, like national authorities, vendors, and historical data, provide valuable threat information.

It’s essential to align our threat analysis with our context. This means determining the specific threat actors we aim to protect our systems and services from, which in turn depends on our objectives and risk-based decisions. Context is crucial in defining the scope of our analysis.


Vulnerability Assessment

Vulnerabilities exist in people, processes, places, and technology, making them potential targets for threat actors. We can assess vulnerabilities using guidance from trusted sources, attack trees, catalogues of known vulnerabilities, and knowledge bases like MITRE ATT&CK. These resources help us understand where vulnerabilities may exist and how threat actors can exploit them.

Estimating Likelihood – Risk Analysis 101

Combining threat and vulnerability analysis, we estimate the likelihood of a threat actor using a specific tactic to exploit a vulnerability and cause an impact. Likelihood can be expressed on a scale of 0 to 1 or as a percentage, indicating the chance of an event occurring. We gather information on similar attacks affecting organisations in our sector to assist our estimation.

Effective Communication of Risk

When communicating our findings, we can use matrices or visual tools to document and analyse threat and vulnerability ratings alongside likelihood. However, we must be aware of the uncertainty inherent in risk management and avoid providing false certainty. Decision-makers should understand the methods, processes, and information used in the analysis to make informed decisions.
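
An added example (not from the original article): one way to turn counts of similar attacks in our sector into a likelihood on the 0 to 1 scale and report it as a range rather than a single figure, so the estimate does not imply false certainty. The Wilson score interval, the band thresholds, and all sample figures are assumptions chosen for illustration.

```python
# Added example; all figures are constructed for illustration.
from math import sqrt

def wilson_interval(events, trials, z=1.96):
    """Return (low, point, high) for an observed proportion.

    z=1.96 gives roughly a 95% interval; the Wilson score interval stays
    within [0, 1] and behaves sensibly for the small samples typical here.
    """
    if trials <= 0 or not 0 <= events <= trials:
        raise ValueError("need trials > 0 and 0 <= events <= trials")
    p = events / trials
    denom = 1 + z * z / trials
    centre = (p + z * z / (2 * trials)) / denom
    half = z * sqrt(p * (1 - p) / trials + z * z / (4 * trials ** 2)) / denom
    return max(0.0, centre - half), p, min(1.0, centre + half)

def band(likelihood):
    """Map a 0-1 likelihood to a matrix band (band edges are assumptions)."""
    if likelihood < 0.05:
        return "Low"
    if likelihood < 0.25:
        return "Medium"
    return "High"

def assess(scenario, events, trials):
    """Build one risk-register row that carries its own uncertainty."""
    low, point, high = wilson_interval(events, trials)
    return {"scenario": scenario, "n": trials, "low": low, "point": point,
            "high": high, "bands": (band(low), band(high))}

# Constructed sector data: scenario, organisations affected, organisations surveyed
SECTOR_DATA = [
    ("Phishing leads to mailbox compromise", 18, 60),
    ("Ransomware via exposed remote access", 3, 60),
    ("Supplier breach exposes our data", 1, 12),
]

def report():
    return [assess(*row) for row in SECTOR_DATA]

if __name__ == "__main__":
    for r in report():
        print(f"{r['scenario']:<38} {r['point']:.0%} "
              f"(range {r['low']:.0%}-{r['high']:.0%}, n={r['n']}) "
              f"band {r['bands'][0]} to {r['bands'][1]}")
```

The third row is the one to show decision-makers: a single observation among twelve organisations spans the Low to High bands, which is a reason to gather more data before committing to a rating.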

By conducting thorough threat assessments, vulnerability analyses, and likelihood estimations, and effectively communicating the results, we equip ourselves with valuable insights to navigate the complex landscape of cybersecurity risks.

Diana Catton MBA – by-line and other articles

Diana is a guest contributor to CyberAwake whilst Clive is on a Cyber Security and IT Audit.

Further Reading

Here is an article Diana wrote that is a real world example of risk analysis:

√-1 8 Σ π – and went back for more!