The information security risk assessment
This section details the core analytical process at the heart of cybersecurity risk management: the information security risk assessment
Learning objectives
Define information security risk in the context of confidentiality, integrity, and availability (CIA triad) and business impact
Describe the fundamental purpose and business value of conducting a risk assessment within a GRC program
Describe how methods from NIST SP 800-115 (testing, examination, interviewing) can be used to collect technical evidence for risk assessment phases
Outline the key steps in a standardized risk assessment process, from scoping and asset identification to risk evaluation and treatment planning
Distinguish between qualitative and quantitative risk assessment methodologies and identify scenarios for their use
Identify common threat sources, threat events, vulnerabilities, and likelihood/impact criteria used in risk analysis
Explain the four primary risk treatment options: mitigate, accept, avoid, and transfer
Map the risk assessment process to established frameworks, including NIST SP 800-30 and ISO/IEC 27005
Articulate how the risk assessment directly informs control selection (e.g., from NIST SP 800-53) and prioritizes compliance efforts
Describe the role of the risk register as the central artifact for tracking and managing risks through their lifecycle
This section describes the information security risk assessment. It moves from the strategic principles of governance into the practical, systematic identification, analysis, and evaluation of risks to an organization's information assets. The risk assessment provides the essential evidence-based foundation for making informed decisions about where to allocate security resources and how to prioritize treatment actions.
Topics covered in this section
Risk assessment as the foundation of risk management
Key concepts: Assets, threats, vulnerabilities, likelihood, and impact
The role of security testing in informing risk assessment (NIST SP 800-115)
The risk assessment process: A step-by-step model
Methodologies: Qualitative vs quantitative approaches
Analyzing and evaluating risk: Matrices and scoring
Risk treatment: Determining the path forward
The risk register: Documenting and managing risks
Integrating risk assessment with frameworks and the GRC lifecycle
Risk assessment as the foundation of risk management
An information security risk assessment is a systematic process of identifying, analyzing, and evaluating risks to an organization's information assets. It answers the critical questions: "What do we have that is valuable?" "What could go wrong?" "How bad would it be if it did?" and "What should we do about it?" An information security risk assessment prioritizes cyber risk into a list of actionable items that can be managed within the strategic context set by governance and the risk appetite.
The risk assessment is not a one-time project but a recurring analytical activity within the continuous risk management cycle. It provides the evidentiary basis for nearly all subsequent GRC activities: it guides the selection of security controls (informing the NIST RMF SELECT step), highlights gaps for compliance remediation, justifies security investments to leadership, and measures changes in risk posture over time. In essence, it is the "Assess" phase of the GRC lifecycle (Plan, Assess, Implement, Monitor, and Review).
Key concepts: Assets, threats, vulnerabilities, likelihood, and impact
The risk assessment process is built upon a standardized lexicon, central to frameworks like NIST SP 800-30 (Guide for Conducting Risk Assessments).
Asset: Anything of value that requires protection. This includes data (e.g., customer PII, intellectual property), systems (e.g., ERP servers, domain controllers), hardware, software, and reputation.
Threat: Any circumstance or event with the potential to adversely impact organizational operations, assets, or individuals through unauthorized access, destruction, disclosure, or modification of information, or denial of service. Threat sources can be adversarial (hackers, insiders), accidental (user error), structural (hardware failure), or environmental (natural disaster).
Vulnerability: A weakness in an information system, security procedure, internal control, or implementation that could be exploited by a threat source. Examples include an unpatched software flaw, a misconfigured firewall rule, or a lack of employee security awareness.
Likelihood: The probability that a given threat source will exploit a specific vulnerability. It is often rated on scales like Low/Medium/High, considering factors such as threat capability, intent, and the effectiveness of existing controls.
Impact: The magnitude of harm that would result from the exploitation of a vulnerability. Impact is measured in terms of compromise to the CIA triad and, crucially, translated into business consequences such as financial loss, operational disruption, legal liability, or reputational damage.
Risk is fundamentally a function of these elements: Risk = Likelihood x Impact. A high-likelihood, low-impact event may be a minor issue, while a low-likelihood, catastrophic-impact event (a "black swan") requires careful consideration.
The role of security testing in informing risk assessment (NIST SP 800-115)
Risk assessment data is gathered through systematic information security testing and assessment, a discipline formally detailed in NIST SP 800-115, Technical Guide to Information Security Testing and Assessment. While NIST SP 800-30 defines the risk management process, SP 800-115 provides the practical methodologies for executing the technical activities that feed vital evidence into that process. Security testing transforms abstract "potential weaknesses" into validated, prioritized findings, forming the evidentiary backbone of a credible risk analysis.
Security Testing as the Engine of Evidence Gathering
NIST SP 800-115 structures assessment activities into three core techniques, each serving a distinct purpose in illuminating risk:
Testing: The process of exercising one or more assessment objects under specified conditions to compare actual with expected behavior. This is the most hands-on, technical source of vulnerability data.
Examples: Vulnerability scanning, penetration testing, social engineering (phishing campaigns), web application security testing, password cracking, network discovery scanning.
GRC/Risk Link: Provides direct evidence of vulnerabilities (e.g., CVE-2023-XXXXX is present and exploitable) and tests the effectiveness of implemented controls (e.g., does the Intrusion Prevention System actually block the attack?).
Examination: The process of checking, inspecting, reviewing, observing, or studying one or more assessment objects to facilitate understanding, achieve clarification, or obtain evidence. This technique validates the existence and configuration of controls.
Examples: Reviewing firewall rule sets, analyzing system configurations against STIG/CIS benchmarks, auditing access control lists, studying architecture diagrams, reviewing policy documents.
GRC/Risk Link: Provides evidence for asset identification and control analysis. It answers whether controls are present and designed correctly.
Interviewing: The process of conducting discussions with individuals or groups within an organization to facilitate understanding, achieve clarification, or identify evidence. This technique gathers contextual and procedural knowledge.
Examples: Interviewing system administrators about patch management procedures, discussing incident response playbooks with the SOC team, questioning developers about secure coding practices.
GRC/Risk Link: Informs the understanding of threat sources (e.g., insider risks), likelihood (e.g., how often procedures are followed), and operational impact.
Mapping Testing Activities to the Risk Assessment Process
The outputs of SP 800-115 activities directly populate specific phases of the SP 800-30 risk assessment model:
Risk Assessment Step
Relevant SP 800-115 Techniques & Examples
Output Fed Into Risk Assessment
Identify Vulnerabilities
Testing: Network vulnerability scan, credentialed patch audit, DAST/SAST of an application. Examination: Review of cloud storage bucket permissions (e.g., S3 bucket misconfiguration).
A list of technical vulnerabilities, each with a severity rating (e.g., CVSS score), specific to identified assets.
Analyze Controls
Testing: Penetration test attempting to bypass WAF, phishing simulation to test user awareness. Examination: Audit of log management configuration to ensure it meets NIST AU family requirements. Interviewing: Discussing the change management process with the IT lead.
Evidence of control effectiveness or failure. Determines if a vulnerability is theoretical or exploitable in the current environment.
Determine Likelihood
Testing: Ease of exploitation demonstrated in a pen test report. Examination: Finding that vulnerability scanning is only performed quarterly vs. continuously. Interviewing: Learning that admin credentials are shared for convenience.
Data points to judge if a threat-source is capable and has opportunity, increasing or decreasing the probability rating.
Determine Impact
Testing: A pen test showing successful lateral movement from a test server to a domain controller. Examination: Data flow diagram review revealing that a vulnerable API has direct access to the primary database.
Concrete evidence of blast radius and attack paths, informing the potential magnitude of business impact.
From Test Findings to Risk Register Entries
A critical vulnerability discovered by a scanner (e.g., a critical remote code execution flaw on an internet-facing server) is not yet a managed risk. The SP 800-115 assessment provides the technical details. The SP 800-30 risk assessment process contextualizes it:
Asset: The internet-facing web server and the data it processes.
Threat: Cybercriminal actor leveraging automated exploits.
Vulnerability: The specific unpatched CVE, confirmed via testing.
Likelihood: Rated High due to widespread exploitation, asset exposure, and maybe low patch frequency (found via examination/interview).
Impact: Rated Critical due to potential for full system compromise and access to sensitive backend data (as mapped via architecture examination).
Risk Rating: Critical (High Likelihood x Critical Impact).
Treatment: Mitigate by applying patch immediately (Procedure P-XXX). This action becomes a line item in the Risk Register, with the test report as the source evidence.
Information security testing is a core component of risk assessment. NIST SP 800-115 provides the practical, technical methods to execute key parts of the risk assessment process (specifically, identifying vulnerabilities and analyzing control effectiveness). NIST SP 800-115 feeds the risk assessment with empirical data. NIST SP 800-115 techniques (vulnerability scanning, penetration testing) generate the objective, technical evidence needed to accurately assess likelihood (e.g., how exploitable is this flaw?) and impact (e.g., how far can an attacker pivot from this entry point?).
NIST SP 800-115 provides the toolkit that enables the "Identify Vulnerabilities" and "Analyze Controls" steps of the NIST SP 800-30 risk assessment to be performed with objectivity and rigor. For the technical practitioner, this is the daily work that fuels the risk management engine. For the security manager, it is the essential practice that ensures risk decisions are based on factual evidence, thereby validating the effectiveness of the entire GRC program and enabling true risk-informed decision-making. Testing is the primary tool for the Compliance (C) function to validate the controls implemented as Risk (R) treatments.
The risk assessment process: A step-by-step model
Following a structured process ensures consistency, repeatability, and comprehensiveness. The following model aligns with NIST SP 800-30 and ISO/IEC 27005.
Step 1: Prepare for Assessment (Scoping & Planning)
Define the assessment's scope, objectives, and constraints.
Identify the systems, business processes, and organizational units in scope.
Assemble the risk assessment team with relevant technical and business expertise.
Select the assessment methodology (qualitative/quantitative) and tools.
Step 2: Identify Assets & System Characterization
Create an inventory of in-scope assets, prioritizing them based on their criticality to business mission and sensitivity.
Document the system architecture, data flows, and interconnections to understand the context of each asset.
Step 3: Identify Threats & Vulnerabilities
Identify potential threat sources and events relevant to the scoped environment (e.g., ransomware attack by cybercriminals, data breach by a malicious insider).
Identify vulnerabilities through technical scanning (vulnerability assessment), configuration reviews, penetration testing, and policy/process analysis.
Step 4: Analyze Controls
Evaluate the effectiveness of existing or planned security controls in mitigating the likelihood or impact of identified threat-vulnerability pairs.
Step 5: Determine Likelihood & Impact
For each relevant threat-vulnerability pair, estimate the likelihood of occurrence and the severity of the resulting impact. Use predefined criteria scales to ensure objectivity.
Step 6: Calculate & Prioritize Risk
Combine likelihood and impact ratings to derive an initial risk level (e.g., using a 5x5 Risk Matrix).
Prioritize risks from highest to lowest level to focus management attention and resources.
Step 7: Recommend & Document Treatment
For each prioritized risk, recommend one of the four treatment options (Mitigate, Accept, Avoid, Transfer).
Document all findings, assumptions, and recommendations in the Risk Register.
Methodologies: Qualitative vs quantitative approaches
Aspect
Qualitative Risk Assessment
Quantitative Risk Assessment
Description
Uses subjective scales (e.g., Low, Medium, High) based on expert judgment and consensus.
Uses numerical values and calculations to express risk in financial terms (e.g., Single Loss Expectancy, Annualized Loss Expectancy).
Process
Often employs workshops, interviews, and brainstorming to rate likelihood and impact.
Relies on gathering data such as Asset Value (AV), Exposure Factor (EF), Annual Rate of Occurrence (ARO).
Output
A prioritized list of risks (e.g., Risk Heat Map).
Financial metrics like ALE = SLE x ARO, where SLE = AV x EF.
Pros
Faster, easier to perform, effective for communicating risk to a broad audience.
Provides objective, cost-benefit analysis for decision-making; useful for justifying budgets.
Cons
Subjective, can be imprecise, difficult to track small changes over time.
Data-intensive, complex, can give a false sense of precision; often requires significant estimates.
Best For
Most common operational approach; ideal for initial assessments, prioritizing risks, and organizations with limited data.
Specific use cases like business continuity planning, cyber insurance valuation, or when precise cost justification is required.
In practice, many organizations use a semi-quantitative approach, applying numerical scales to qualitative categories to facilitate easier ranking and aggregation.
Analyzing and evaluating risk: Matrices and scoring
The Risk Matrix (or Heat Map) is the primary tool for evaluating and communicating prioritized risks. It is a grid that plots likelihood on one axis and impact on the other.
Example 5x5 Risk Matrix:
Impact → Likelihood ↓
Insignificant
Minor
Moderate
Major
Catastrophic
Rare
Low
Low
Low
Medium
Medium
Unlikely
Low
Low
Medium
Medium
High
Possible
Low
Medium
Medium
High
Critical
Likely
Medium
Medium
High
Critical
Critical
Almost Certain
Medium
High
Critical
Critical
Critical
Risks in the Critical (red) and High (orange) zones typically require immediate treatment plans and management attention. This visualization directly supports governance Oversight (GV.OV) by providing a clear snapshot of risk posture.
Risk treatment: Determining the path forward
Once risks are evaluated, the organization must decide how to address them. The four canonical treatment options are:
Mitigate: Implement security controls to reduce the likelihood or impact of the risk to an acceptable level. This is the most common action. Example: To mitigate the risk of a phishing attack leading to credential theft, implement a mandatory multi-factor authentication (MFA) control (from NIST SP 800-53 Control IA-2).
Accept: Formally acknowledge the risk and consciously decide to take no further action because it falls within the organization's risk appetite, or the cost of mitigation outweighs the potential impact. Example: Accepting the minimal risk of using a legacy application in an isolated, air-gapped network.
Avoid: Eliminate the risk entirely by discontinuing the risky activity or removing the asset. Example: Deciding not to collect a specific type of customer data to avoid associated privacy and storage risks.
Transfer: Shift the financial burden of the risk to a third party, typically through cybersecurity insurance or outsourcing via contracts with service providers. Note: The responsibility for managing the risk often remains with the organization.
The risk register: Documenting and managing risks
The Risk Register is the central repository for all information related to identified risks. It is a living document that tracks risks through their lifecycle. A typical entry includes:
Risk ID & Description
Affected Assets
Threat/Vulnerability Pair
Inherent Likelihood & Impact (before controls)
Inherent Risk Rating
Existing Controls
Residual Likelihood & Impact (after controls)
Residual Risk Rating
Risk Owner (assigned per governance GV.RR)
Recommended Treatment
Treatment Action Plan & Due Date
Status
The Risk Register is the key artifact connecting assessment to treatment and monitoring, enabling continuous risk management.
Integrating risk assessment with frameworks and the GRC lifecycle
The risk assessment process is not standalone; it is embedded within larger frameworks and the operational GRC cycle.
Mapping to NIST RMF (SP 800-37): The risk assessment activities are primarily conducted within the CATEGORIZE (understanding system impact) and SELECT (informing control choice based on risk) steps. The MONITOR step includes ongoing risk assessments.
Mapping to NIST CSF: The risk assessment fulfills the core of the IDENTIFY (ID) Function, specifically the ID.RA (Risk Assessment) Category.
Mapping to ISO/IEC 27001: Risk assessment is the requirement of Clause 6.1.2 (Information Security Risk Assessment) and is the driver for establishing the Statement of Applicability (control selection).
Integration with the GRC Lifecycle:
Plan (Governance): The risk assessment methodology and risk appetite are defined.
Assess (This Section): The risk assessment is executed, populating the risk register.
Implement (Risk Management/Compliance): Risk treatment plans (mitigation controls) are implemented.
Monitor (Compliance): Controls are tested, and the risk environment is re-assessed to identify changes in residual risk.
Review (Governance): The risk register and assessment outcomes are reviewed by leadership to evaluate the effectiveness of the risk management strategy and inform future planning.
Key takeaways
The information security risk assessment is a systematic process to identify, analyze, and evaluate risks to information assets, forming the evidence-based core of risk management.
Risk is a function of threats exploiting vulnerabilities, assessed based on likelihood and impact on the CIA triad and business operations.
A standardized process involves preparation, asset/threat/vulnerability identification, control analysis, likelihood/impact determination, risk calculation, and treatment recommendation.
Qualitative methods use subjective scales for speed and communication, while quantitative methods use financial calculations for precise cost-benefit analysis.
Risks are evaluated using a risk matrix and treated via mitigate, accept, avoid, or transfer strategies.
The Risk Register is the vital artifact for documenting, tracking, and managing risks throughout their lifecycle.
The risk assessment process is integral to major frameworks (NIST RMF, CSF, ISO 27001) and directly enables the "Assess" phase of the continuous GRC lifecycle.
References
NIST SP 800-30 Rev. 1. Guide for Conducting Risk Assessments.
ISO/IEC 27005:2022. Information security, cybersecurity and privacy protection — Guidance on managing information security risks.
ISACA. The Risk IT Framework.
Last updated