Why Risk Assessment is Necessary

Exploring a Critical Component of Cybersecurity

December 23, 2020

You might recognize risk assessment as it’s applied in varied fields and disciplines when they ask: Should we develop product X? Should I invest in portfolio A or portfolio B? Should we offer a long-term contract to player A or player B? Not surprisingly, risk assessment is a critical component of cybersecurity and cyber intelligence. Effective cybersecurity depends upon accurate and comprehensive risk assessment. Learning how to make an accurate risk assessment is a key element of most post-graduate cybersecurity programs, and helps prepare students for real-life scenarios in the field.

What is the Purpose of a Risk Assessment?

The purpose of a risk assessment is to uncover any vulnerabilities or weaknesses in an IT system or network that can be exploited by a threat. Risk assessment can be performed on any component of a system or network. The risk assessment should be based upon the CIA Triad and address the Confidentiality, Integrity, and Availability requirements of the greater system including networks, computers, software, and data. 

What Are the Steps of a Risk Assessment?

The steps in a risk assessment must be well-structured and purposeful.

  1. Characterization of the System
    A risk assessment typically starts with a characterization of the system. This initial step looks at the overall IT system and its components, the data, the data flows, and most importantly, the criticality of each of these areas. It must be noted that not all components and all data are created equal. Some elements are much more critical than others, and the loss of such a critical system, piece of software, or data could severely affect the organization and its ability to function.
  2. Identification of Threats
    The second step in the risk assessment process is the identification of threats. This step is concerned with gaining an understanding of the groups that have both the capability and the intention to harm an organization via the cyberspace domain. Such a group may want to steal information, covertly change information, or take a system down (for example, through a distributed-denial-of-service attack or a ransomware attack). A new job that addresses this part of the risk assessment process is the threat hunter. The modern-day threat hunter proactively searches for advanced cyber threats in an attempt to neutralize them, and is a critical player in threat identification. In addition to the threat hunter, many organizations have created cyber intelligence units. These units are constantly searching for threat actors and work to understand their capabilities and tools.
  3. Vulnerability Assessment
    Another key step in the risk assessment process is vulnerability assessment. The goal of this step is to identify weaknesses in the information system, network, and software. Some organizations add in physical security and personnel security assessment to this step.

Once vulnerabilities are identified, tools, techniques, and technologies can be applied to address the vulnerabilities. Taken together each of the above steps constitutes the risk assessment process.

Long-Term IT Risk Management

Not all risks will be addressed. The reason may be cost, limited resources, or the fact that a vulnerability that has been found is not currently exploitable by any threat agent. This is why it’s important to perform risk assessments in a methodical and detailed manner using the CIA Triad (confidentiality, integrity, availability), so that the risks that are accepted are accepted deliberately and with a record of why.
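The following added Python example (not code from the original article) ties the three assessment steps above to the decision just described. It builds a small risk register: assets are characterized by a 1 to 5 rating for each CIA requirement (step 1), threats are recorded with the CIA property they degrade and a likelihood (step 2), and findings link a vulnerability to an asset and a threat (step 3). Each finding is scored as impact times likelihood, ranked, and marked "treat", "accept", or "monitor" (the last for weaknesses that no threat agent can currently exploit). All asset names, threats, vulnerabilities, ratings and the treatment threshold are constructed assumptions for illustration, not data from any real assessment.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Added example: a minimal risk register that follows the three steps
# (asset characterization, threat identification, vulnerability assessment)
# and then ranks findings so that limited resources go to the highest risks.
# All asset names, threats, scores and vulnerabilities below are constructed
# illustrations, not data from any real assessment.


@dataclass(frozen=True)
class Asset:
    """Step 1: characterize the system. Each CIA requirement is rated 1 (low) to 5 (high)."""
    name: str
    confidentiality: int
    integrity: int
    availability: int


@dataclass(frozen=True)
class Threat:
    """Step 2: identify threats. 'affects' names the CIA property the threat degrades."""
    name: str
    affects: str        # "confidentiality", "integrity" or "availability"
    likelihood: int     # 1 (rare) to 5 (expected), as judged by the intel / threat-hunting team


@dataclass(frozen=True)
class Finding:
    """Step 3: a vulnerability that lets a threat reach an asset."""
    asset: Asset
    threat: Threat
    vulnerability: str
    exploitable: bool   # False when no threat agent can currently use the weakness


def risk_score(finding: Finding) -> int:
    """Risk = impact on the affected CIA property x likelihood of the threat (range 1..25)."""
    impact = getattr(finding.asset, finding.threat.affects)
    return impact * finding.threat.likelihood


def prioritize(findings: List[Finding], treat_threshold: int = 10) -> List[Tuple[str, str, int, str]]:
    """Rank findings by risk and decide what to do with each one.

    treat   - fix now: exploitable and at or above the threshold
    accept  - exploitable but low risk; documented and left alone for now
    monitor - weakness exists but is not currently exploitable; re-check at the next assessment
    """
    ranked = sorted(findings, key=risk_score, reverse=True)  # stable sort: ties keep input order
    decisions = []
    for f in ranked:
        score = risk_score(f)
        if not f.exploitable:
            action = "monitor"
        elif score >= treat_threshold:
            action = "treat"
        else:
            action = "accept"
        decisions.append((f.asset.name, f.vulnerability, score, action))
    return decisions


def build_sample_register() -> List[Finding]:
    """Constructed sample data for a small, hypothetical healthcare environment."""
    records_db = Asset("patient-records-db", confidentiality=5, integrity=5, availability=4)
    billing_api = Asset("billing-api", confidentiality=4, integrity=5, availability=4)
    website = Asset("marketing-website", confidentiality=1, integrity=3, availability=3)

    data_theft = Threat("criminal group stealing records", "confidentiality", likelihood=4)
    ransomware = Threat("ransomware operator", "availability", likelihood=4)
    defacement = Threat("opportunistic web defacement", "integrity", likelihood=2)

    return [
        Finding(records_db, data_theft, "unencrypted backups on a shared file server", exploitable=True),
        Finding(records_db, ransomware, "no offline copy of backups", exploitable=True),
        Finding(billing_api, data_theft, "error pages leak stack traces", exploitable=True),
        Finding(website, defacement, "outdated CMS plugin", exploitable=True),
        Finding(website, ransomware, "vulnerable library shipped, but the affected module is disabled",
                exploitable=False),
    ]


def assess() -> List[Tuple[str, str, int, str]]:
    """Run the sample register through prioritize(); returns (asset, vulnerability, score, action)."""
    return prioritize(build_sample_register())


if __name__ == "__main__":
    for asset, vuln, score, action in assess():
        print(f"{score:>2}  {action:<8}{asset}: {vuln}")
```

Running the script lists the patient-records findings first (scores 20 and 16), then the billing API (16), the disabled-module library issue as "monitor" (12) and the website plugin as "accept" (6). The register is meant to be re-run, not filed away: when a new system is added, a threat's likelihood changes, or an exploit appears for a "monitor" item, the same inputs produce a new ranking, which is the continuous process the next paragraphs describe.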

The risk assessment process is very technical. Someone who leads a risk assessment group needs to be able to understand the technical details of the assessment but also needs to be able to communicate the results in a jargon-free manner. The ability to speak and write clearly and effectively while communicating deeply technical information is an art.

Finally, risk assessment is not something that is done just once. It is a continuous process. As new technology is integrated into an organization or new software is built, an organization must conduct a risk assessment. This consistency and continued commitment to security risk management helps protect the organization.

Joe Giordano is the Director of the Healthcare Cybersecurity Certification Program in Touro College Illinois.