Home > Articles

  • Print
  • + Share This
This chapter is from the book

Risk Identification and Management

The first step in the risk-management process is to identify and classify the organization's assets. Information and systems must be assessed to determine their worth. When asset identification and valuation is completed, the organization can start the risk-identification process. Risk identification involves identifying potential risks and threats to the organization's assets. A risk-management team is tasked with identifying these threats. The team then can examine the impact of the identified threats. This process can be based on real dollar amounts or on gut feeling and intuition. When the impact is analyzed, the team can look at alternatives for handling the potential risks. Risks can be:

  • Accepted—The risk is understood and has been evaluated. Management has decieded that the benefits outweigh the risk. As an example, the company might be considering setting up an e-commerce website. Although it is agreed that risks exist, the benefit of the added cash flow make these risks acceptable.
  • Reduced—Installing a firewall is one method in which risk can be reduced.
  • Transferred—The risk is transferred to a third party. As an example, insurance is obtained.
  • Rejected—Depending on the situation, any one of the preceding methods might be an acceptable way to handle risk. Risk rejection is not acceptable, as it means that the risk will be ignored on the hope that it will go away or not occur.

The following sections look more closely at each step of the process.

The Risk-Management Team

The risk-management team is tasked with identifying and analyzing risks. Its members should be assembled from across the company and most likely will include managers, IT employees, auditors, programmers, and security professionals. Having a cross-section of employees from the company ensures that the team can address the many threats it must examine.

This team is not created in a void; it requires developing a risk-management program with a purpose. As an example, the program might be developed to look at ways to decrease insurance costs, reduce attacks against the company's website, or even verify compliance with privacy laws. After establishing the purpose of the team, the team can be assigned responsibility for developing and implementing a risk-management program. This is a huge responsibility because it requires not only identifying risks, but also implementing the team's recommendations.

Asset Identification

Asset identification is the task of identifying all the organization's assets. These can be both tangible and intangible. The assets commonly examined include:

  • Hardware
  • Software
  • Employees
  • Services
  • Reputation
  • Documentation

When looking at an asset, the team must first think about the replacement cost of the item before assigning its value. Actually, the value should be considered more than just the cost to create or purchase. These considerations are key:

  • What did the asset cost to acquire or create?
  • What is the liability if the asset is compromised?
  • What is the production cost if the asset is made unavailable?
  • What is the value of the asset to competitors and foreign governments?
  • How critical is the asset, and how would its loss affect the company?

Threat Identification

The risk-management team can gather input from a range of sources to help identify threats. These individuals or sources should be consulted or considered to help identify current and emerging threats:

  • Business owners and senior managers
  • Legal counsel
  • HR representatives
  • IS auditors
  • Network administrators
  • Security administrators
  • Operations
  • Facility records
  • Government records and watchdog groups, such as CERT and Bugtraq

A threat is any circumstance or event that has the potential to negatively impact an asset by means of unauthorized access, destruction, disclosure, or modification. Identifying all potential threats is a huge responsibility. A somewhat easier approach is to categorize the common types of threats:

  • Physical threat/theft
  • Human error
  • Application error/buffer overflow
  • Equipment malfunction
  • Environmental hazards
  • Malicious software/covert channels

A threat coupled with a vulnerability can lead to a loss. Vulnerabilities are flaws or weaknesses in security systems, software, or procedures. An example of a vulnerability is human error. This vulnerability might lead an improperly trained help-desk employee to unknowingly give a password to a potential hacker, resulting in a loss. Examples of losses or impacts include the following:

  • Financial loss
  • Loss of reputation
  • Danger or injury to staff, clients, or customers
  • Loss of business opportunity
  • Breach of confidence or violation of law

Losses can be immediate or delayed. A delayed loss is not immediate; it has a negative effect on the organization after some period of time—in a few days, months, or years. As an example, an organization could have its website hacked and thus suffer an immediate loss. No e-commerce transactions would occur, technical support would have to be brought in to rebuild the web server, and normal processing would halt. All these are immediate losses. Later, when the local news channel reports that the company was hacked and that personal information was lost, the company would lose the goodwill of its customers. Some might remember this event for years to come and choose to use a competitor. This is a delayed loss.

Thus far, we have discussed building a risk-management team that has the support of senior management, identifying tangible and nontangible assets, and performing threat identification. Next, we analyze the potential risks that these threats pose.

Risk-Analysis Methods

After identifying the threats, the team can start to focus on the risk-analysis process. Risk analysis can be performed in one of two basic methods:

  • Quantitative risk assessment—Deals with dollar amounts. It attempts to assign a cost (monetary value) to the elements of risk assessment and the assets and threats of a risk analysis.
  • Qualitative risk assessment—Ranks threats by nondollar values and is based more on scenario, intuition, and experience.

Quantitative Risk Assessment

Performing a quantitative risk assessment involves quantifying all elements of the process, including asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty, and probability. This involves six basic steps, illustrated in Figure 2.5:

  1. Determine the asset value (AV) for each information asset.
  2. Identify threats to the asset.
  3. Determine the exposure factor (EF) for each information asset in relation to each threat.
  4. Calculate the single loss expectancy (SLE).
  5. Calculate the annualized rate of occurrence (ARO).
  6. Calculate the annualized loss expectancy (ALE).
Figure 2.5

Figure 2.5 The risk-assessment process.

The advantage of a quantitative risk assessment is that it assigns dollar values, which is easy for management to work with and understand. However, a disadvantage of a quantitative risk assessment is that it is also based on dollar amounts. Consider that it's difficult, if not impossible, to assign dollar values to all elements. Therefore, some qualitative measures must be applied to quantitative elements. Even then, this is a huge responsibility; therefore, a quantitative assessment is usually performed with the help of automated software tools. Assuming that asset values have been determined as previously discussed and threats have been identified, the next steps in the process are as follows:

Much of the process of quantitative risk assessment is built upon determining the exposure factor and the annualized loss expectancy. These rely heavily on probability and expectancy. When looking at events, such as storms or other natural phenomena, it can be difficult to predict their actual behavior. Yet over time, a trend can be established. These events can be considered stochastic. A stochastic event is based on random behavior because the occurrence of individual events cannot be predicted, yet measuring the distribution of all observations usually follows a predictable pattern. In the end, however, quantitative risk management faces challenges when estimating risk, and as such must rely on some elements of the qualitative approach.

Another item that is sometimes overlooked in quantitative risk assessment is the total cost of a loss. The team should review these items for such costs:

  • Lost productivity
  • Cost of repair
  • Value of the damaged equipment or lost data
  • Cost to replace the equipment or reload the data

When these costs are accumulated and specific threats are determined, the true picture of annualized loss expectancy can be assessed. Now the team can build a complete picture of the organization's risks. Table 2.2 shows sample results.

Table 2.2. Sample Assessment Results



Asset Value



Annualized Frequency


Customer database

Loss of consumer data due to no backup






E-commerce website







Domain controller

Power supply failure






Although automated tools are available to minimize the effort of the manual process, these programs should not become a crutch to prevent businesses from using common sense or practicing due diligence. Care should also be taken when examining high-impact events, even for the probability. Many of us witnessed the 100-year storm that would supposedly never occur in our lifetime and that hit the Gulf Coast and severely damaged the city of New Orleans. Organizations must be realistic when examining such potential events and must openly discuss how the situation should be dealt with. Just because an event is rated as a one-in-a-hundred-year probability does not mean that it can't happen again next year.

Qualitative Risk Assessment

Maybe you're thinking that there has to be another way to perform the assessment. If so, you're right. Qualitative assessment is scenario driven and does not attempt to assign dollar values to components of the risk analysis. A qualitative assessment ranks the seriousness of threats and sensitivity of assets by grade or class, such as low, medium, or high. You can see an example of this in NIST 800-26, a document that uses confidentiality, integrity, and availability as categories for a loss. It then rates each loss according to a scale of low, medium, or high. Table 2.3 displays an example of how this process is performed. A rating of low, medium, or high is subjective. In this example, the following categories are defined:

  • Low—Minor inconvenience; can be tolerated for a short period of time but will not result in financial loss.
  • Medium—Can result in damage to the organization, cost a moderate amount of money to repair, and result in negative publicity.
  • High—Will result in a loss of goodwill between the company, client, or employee; may result in a large legal action or fine, or cause the company to significantly lose revenue or earnings.

Table 2.3. Performing a Qualitative Assessment


Loss of Confidentiality

Loss of Integrity

Loss of Availability

Customer credit card and billing information




Production documentation




Advertising and marketing literature




HR (employee) records




The downside of performing a qualitative assessment is that you are not working with dollar values; therefore, this lacks the rigor that accounting teams and management typically prefer.

Other types of qualitative assessment techniques include these:

  • The Delphi Technique—A group assessment process that allows individuals to contribute anonymous opinions.
  • Facilitated Risk Assessment Process (FRAP)—A subjective process that obtains results by asking a series of questions. It places risks into one of 26 categories. FRAP is designed to be completed in a matter of hours, making it a quick process to perform.
  • + Share This
  • 🔖 Save To Your Account