Risk Assessment for Information Security Methodology

If your Information Security team is looking to get a better handle on your company’s risk in 2017, then read this primer, which details the different terms and approaches to building strong compliance risk assessments and programs.

The Whats

ISO 27005: Generalized risk process

As an industry standard, ISO 27005 provides a framework and an approach instead of a risk management methodology. This means that it gives guidelines for what the risk assessment needs to include, but it provides no specific steps to take. Despite not being an approach to determine risk tolerance, ISO 27005 remains important when engaging in the risk assessment process because it outlines all areas and risks to be reviewed. Ultimately, this means that all methodologies rely on the international standard to the extent that they are derived from it.

Quantitative Risk Analysis

A quantitative risk analysis uses mathematical probabilities and actuarial information to determine a numerical value of risk. Luke Jasper summarizes this approach by saying that, at its most basic level, the quantitative approach is “Risk = Probability x Loss.” Unfortunately, building models on hypothetical scenarios leads to a large degree of uncertainty. The calculations are often based on historical corporate documentation; if record retention is spotty, the probabilities derived from it, and therefore the risk profile, may be inaccurate.
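To make the formula and its caveat concrete, here is an added example (not from the article or any of the methodologies it cites) that scores a constructed risk register with Risk = Probability x Loss, estimating each probability from the years of incident records an organization holds. It adds a Wilson score interval around the probability so that a thin record produces a visibly wide loss range, and flags scenarios whose history is shorter than an assumed five-year minimum; the scenarios, record lengths and loss figures are all made up for illustration.

```python
"""Quantitative risk as Risk = Probability x Loss, with an interval that
widens when the historical record is thin (constructed example)."""
import math

# Constructed risk register: per scenario, how many years of incident records
# exist, how many of those years saw the event, and the loss per event (USD).
SCENARIOS = [
    {"name": "ransomware on file server", "years_observed": 10, "years_with_incident": 2, "loss": 400_000},
    {"name": "lost unencrypted laptop", "years_observed": 2, "years_with_incident": 1, "loss": 50_000},
    {"name": "DNS provider outage", "years_observed": 0, "years_with_incident": 0, "loss": 20_000},
]

def wilson_interval(events, trials, z=1.96):
    """95% Wilson score interval for an annual event probability estimated
    from `events` years with an incident out of `trials` years of records."""
    if trials == 0:
        return (0.0, 1.0)  # no records at all: the probability is simply unknown
    p = events / trials
    denom = 1 + z * z / trials
    centre = (p + z * z / (2 * trials)) / denom
    half = z * math.sqrt(p * (1 - p) / trials + z * z / (4 * trials * trials)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def assess(scenario, min_years=5):
    """Expected annual loss (probability x loss) with a loss range, flagged as
    low-confidence when the record is shorter than `min_years` (assumed cutoff)."""
    n, k, loss = scenario["years_observed"], scenario["years_with_incident"], scenario["loss"]
    point = k * loss / n if n else None  # Risk = Probability x Loss; None when no history
    low, high = wilson_interval(k, n)
    return {
        "name": scenario["name"],
        "expected_loss": point,
        "loss_range": (low * loss, high * loss),
        "low_confidence": n < min_years,
    }

def rank_scenarios(scenarios):
    """Rank by expected loss; scenarios with no history sort last but stay visible."""
    results = [assess(s) for s in scenarios]
    return sorted(results, key=lambda r: -1 if r["expected_loss"] is None else r["expected_loss"], reverse=True)

if __name__ == "__main__":
    for r in rank_scenarios(SCENARIOS):
        flag = " (low confidence: short record)" if r["low_confidence"] else ""
        print(f"{r['name']}: expected {r['expected_loss']}, range {r['loss_range']}{flag}")
```

The point estimate is what the “Risk = Probability x Loss” formula gives; the range shows how much of that number is an artefact of how many years of records exist.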

Qualitative Risk Analysis

As its name implies, the qualitative risk analysis is more subjective. Lacking numerical values and relying on descriptive ratings, it leads to a deeper understanding of the business profile. In the study “Risk Assessment Model for Organizational Information Security,” published in the ARPM Journal of Engineering and Applied Science, the authors note that understandable, shared terminology throughout the organization allows different areas of the company to take part in the risk management process. This cross-departmental communication creates a strong foundation for an ongoing, integrated compliance program based on sound decision making.


The Hows

OCTAVE Allegro Risk Method from CERT

OCTAVE stands for “Operationally Critical Threat, Asset, and Vulnerability Evaluation.” The OCTAVE method is a well-respected methodology created by the Software Engineering Institute of Carnegie Mellon University to review information systems. OCTAVE Allegro is a qualitative methodology that can be conducted in small groups without disrupting daily business. As CERT notes, the methodology has eight steps organized into the following four phases:

1. Develop risk measurement criteria consistent with the organization’s mission, goals, objectives, and critical success factors.
2. Create a profile of each critical information asset that establishes clear boundaries for the asset, identifies its security requirements, and identifies all of its containers.
3. Identify threats to each information asset in the context of its containers.
4. Identify and analyze risks to information assets and begin to develop mitigation approaches.

Microsoft Security Assessment Tool

Although not a methodology, the Microsoft Security Assessment and Planning Toolkit offers “Solution Accelerators,” which are scenario-based guides and automation intended to help IT professionals running Microsoft products. These can help target an organization’s needs in the areas of security and compliance, management and infrastructure, and communications and collaboration.

NIST SP 800-30

The National Institute of Standards and Technology published this fifty-six-page document that defines nine distinct steps in the risk assessment process and includes discussions of risk mitigation and evaluation/assessment. The nine steps provided are system characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control recommendations, and results documentation. Unlike several of the other documents regarding risk assessments, the NIST SP 800-30 provides both specific steps to the risk process and guidance as to how to find the information necessary to document the requirements.

Information Risk Assessment Methodology 2 and Risk Analysis Workbench Tool

Referred to as IRAM2, this Information Security Forum methodology provides a step-by-step guide for security risk assessment. Among the six tenets of IRAM2 are applying a simple approach yet obtaining greater coverage of risk, focusing on the most significant risks, and engaging with key stakeholders. IRAM2 provides both an inward and an outward focus, covering not only the internal vulnerabilities but also the impact they have on external stakeholders.

These are just a few concepts that help information security risk teams protect information assets. If you have other recommendations or ideas, then please submit your thoughts in the comments below.