2013-11-16

Skillsoft Course Player

Types of risk assessment methodologies


Abstract

This article introduces you to four commonly used risk assessment methodologies in information risk management. It describes the features of these methodologies and the techniques for implementing them. It also highlights the benefits of each methodology and specifies the type of organization each methodology is geared toward. You can model the risk assessment plan for your company on the methodology that best matches your requirements. Alternatively, you can customize or combine the techniques these methodologies prescribe to develop a practicable risk assessment plan.

Introduction
Risk assessment is an important phase in the risk management process. This phase includes three key activities: risk identification, risk analysis, and risk evaluation. There are various risk assessment methodologies that an organization can use to assess risks to its operations and assets. Using risk assessment methodologies, you can identify a risk and determine its severity, probability, and impact. Accordingly, you can decide whether to ignore a risk or spend additional effort to mitigate it. Using these methodologies, you can also determine ways to reduce the impact of unavoidable risks to tolerable limits.

Types of risk assessment methodologies


Of the various methodologies available for assessing risks, the four most commonly used are:
- Risk Factor Analysis, sometimes known as RFA
- the National Institute of Standards and Technology, or NIST, risk assessment methodology
- Factor Analysis of Information Risk, also known as FAIR, and
- Probabilistic Risk Assessment, PRA for short

As an information security manager, you should be aware of the features, benefits, techniques, and applicability of each of these methodologies. Using this information, you can identify one or more methodologies that are aligned to your risk management approach. You can then customize the related techniques, as required, and use these techniques to create a risk assessment plan for your organization.

RFA
RFA is a risk assessment methodology that was developed at Los Alamos National Laboratory, also known as LANL, based in the United States. This methodology helps you identify the fundamental reasons that eventually hamper a project. These reasons are mostly related to time, budget, scope, and resource constraints in a project. The prime consideration in the RFA process is the possible impact that risks will have on operations and assets, not their probability of occurrence.

Using RFA provides several benefits. It allows you to:
- assess risk in a broad range of projects
- measure the risk and assign values based on its severity
- prioritize the risks based on risk-factor ranking
- find the appropriate risk-mitigation method for reducing the risks due to a particular risk factor
- document results for risk-reduction methods that are specific to a particular risk factor, and
- gather input data for quantitative risk assessment

Techniques

The RFA technique involves these steps:
1. identifying all project-related tasks and components
2. identifying relevant technical risks associated with the project
3. developing a ranking scale for each risk factor
4. ranking every risk in each project activity to understand the impact of the risk
5. adding up the results of risk ranking across the activities in each project
6. recording these results and identifying possible steps to reduce the risk, and
7. presenting the identified risk-reducing steps to the project team for assessment

You need to consider four types of risks when identifying the risk factors.

Lack of funds
Availability of sufficient funds at the right time is necessary to complete a project. Delays in receiving funds can adversely affect the schedule of project activities and may eventually result in time and resource constraints. Consider that you're implementing an incident management application to manage IT security incidents in your company. You may need to conduct employee awareness training on using the application. In this situation, there is a risk of senior management not approving sufficient funds for conducting the training if you're unable to justify its benefits.

Escalation of cost
This risk includes the cost overruns in designing and operating the project. Cost overruns occur when the project planning is inaccurate or when its implementation is not done properly. While calculating the project cost, you need to consider various possibilities, such as inadequate resources, technical failure, unexpected delays, and natural threats. For example, the unplanned failure of many computers in your organization can result in interruptions to the business, so you may need to incur additional costs to ensure normal operation.

Delays in the project schedule
This risk is associated with the planning of project activities. The acceptable level of delay in the activities must be considered while determining the project schedule. A schedule risk may arise because of delay in approval of activities, lack of resources, or technical failures.

Faults in technology
Technical risks may occur because of faulty design, obsolete technology, or changing regulatory requirements. These issues can affect the performance of resources during the operation. For example, inappropriate software and network connections can pose a technical risk for the project.
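The following is an added illustration of RFA steps 3 to 7 (ranking scale, per-activity ranking, totals across activities, and a prioritized list for the project team). It is example code written for this page, not LANL's or Skillsoft's own tooling; the activities, the 0-to-4 scale, and every rank value are constructed assumptions.

```python
from collections import defaultdict

# Step 3: a ranking scale for each risk factor. Assumption: every factor is
# ranked 0 (no impact) to 4 (severe impact); the four factors are the ones
# the text names.
RANKING_SCALE = {0: "none", 1: "low", 2: "moderate", 3: "high", 4: "severe"}
RISK_FACTORS = ("lack_of_funds", "cost_escalation", "schedule_delay", "technology_fault")

# Step 4: constructed ranks for each factor in every project activity of an
# incident management application rollout (sample data, not real figures).
ACTIVITY_RANKINGS = {
    "deploy incident management app": {
        "lack_of_funds": 2, "cost_escalation": 3, "schedule_delay": 2, "technology_fault": 3},
    "employee awareness training": {
        "lack_of_funds": 4, "cost_escalation": 1, "schedule_delay": 2, "technology_fault": 1},
    "integrate with ticketing system": {
        "lack_of_funds": 1, "cost_escalation": 2, "schedule_delay": 3, "technology_fault": 4},
}

def validate_rankings(rankings):
    """Reject unknown factors or ranks outside the scale before adding anything up."""
    for activity, ranks in rankings.items():
        for factor, rank in ranks.items():
            if factor not in RISK_FACTORS:
                raise ValueError(f"{activity}: unknown risk factor {factor!r}")
            if rank not in RANKING_SCALE:
                raise ValueError(f"{activity}/{factor}: rank {rank} is outside the scale")

def factor_totals(rankings):
    """Step 5: add up each factor's rank across all activities in the project."""
    validate_rankings(rankings)
    totals = defaultdict(int)
    for ranks in rankings.values():
        for factor, rank in ranks.items():
            totals[factor] += rank
    return dict(totals)

def prioritize(rankings):
    """Step 6 input: factors ordered by total rank, highest first (ties by name)."""
    return sorted(factor_totals(rankings).items(), key=lambda kv: (-kv[1], kv[0]))

def worst_activity(rankings, factor):
    """Activity where a factor ranks highest: where a risk-reducing step pays off most."""
    return max(rankings, key=lambda activity: rankings[activity].get(factor, 0))

if __name__ == "__main__":
    # Step 7 material: the ranked list to present to the project team.
    for factor, total in prioritize(ACTIVITY_RANKINGS):
        print(f"{factor:17} total={total:2}  worst in: {worst_activity(ACTIVITY_RANKINGS, factor)}")
```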

NIST risk assessment methodology


NIST risk assessment methodology is a technique used to assess risks in the system development life cycle, or SDLC. The SDLC consists of five steps: initiation, development, execution, maintenance, and termination. The systems involved in the SDLC are common across the steps, so the same risk assessment technique is used for all the steps in the SDLC.

Techniques
NIST risk assessment methodology uses a nine-step process to identify and evaluate risks to an organization:
1. identifying system characteristics
2. identifying threats
3. identifying vulnerabilities
4. analyzing control measures
5. determining the probability of a threat occurring
6. analyzing the impact of the threat on the business
7. establishing the risk
8. recommending risk control measures, and
9. documenting the risk assessment reports

The first step helps you define the scope of the risk assessment activity. In this step, you outline the responsibilities of the different people involved in the risk assessment process. You gather information related to the organization's networks, available information assets, the procedures performed by the systems, and the criticality of the systems.

After identifying the system characteristics, you determine the possible threats and vulnerabilities, and analyze their impact on the system. Next, you evaluate the control measures. The controls are evaluated to test how well they protect the information assets against risks that arise when organizational vulnerabilities combine with threats. This evaluation helps find the gaps between the existing and desired levels of security of the information assets. For example, IT hardware and software should have technical controls, including password security, encryption of data, and hacker detection software. After evaluating the control measures, you establish the likelihood of a threat turning into a risk, and its impact on the organization's operations. Then, you establish the risk and define the control measures to be used to handle those risks. Finally, these findings, that is, the risks and the defined controls, are documented for future use.

FAIR
FAIR is a risk assessment methodology that enables you to understand a risk by breaking it down into several components and analyzing each component in detail. This method involves detailed analysis of the risk and its control measures. The key use of FAIR is to create a framework to identify and assess methods to secure information assets that are prone to a risk. It helps you customize your procedures according to the severity of the risks faced. It also helps senior management make decisions based on the financial implications of the risks, and define the control measures to be used.

Techniques
FAIR provides a mathematical model that helps in quantifying the impact that a combination of factors will have on the organization. It also provides a simulation model to extrapolate the impact of these risk components to bigger and more complicated risk situations.

PRA
PRA is a method used for risk assessment in industries that rely on complex technological operations, such as oil exploration, nuclear power plants, and aeronautics. These industries typically involve complex engineering operations and require huge investments.

Techniques
There are various tools available for performing PRA, such as event-tree analysis, fault-tree analysis, human-reliability analysis or HRA, and common cause failure analysis or CCF. HRA is used to assess human errors, whereas CCF is used to assess the systems that might cause failure. Once the PRA is complete, the information security manager decides on the risk mitigation strategy to be used to manage the risk impact on the business operations.
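As an added example of fault-tree analysis, one of the PRA tools named above, the block below computes the probability of a top event from gate logic and lists the minimal cut sets; zeroing the common-cause event shows what CCF analysis adds on top of the independence assumption. This is example code written for this page, not Skillsoft's or any PRA toolkit's; the tree, the event names and all probabilities are constructed assumptions.

```python
from itertools import product

# Gates are (op, [children]); basic events are strings. The tree and the
# per-year failure probabilities below are constructed assumptions: the top
# event "incident logs lost" occurs if both redundant collectors fail, or the
# shared storage fails, or a common power fault knocks both collectors out.
FAULT_TREE = ("OR", [
    ("AND", ["collector_a", "collector_b"]),  # redundant pair: both must fail
    "shared_storage",                          # single point of failure
    "common_power_fault",                      # common cause bypassing the redundancy
])
BASIC_PROBS = {"collector_a": 0.05, "collector_b": 0.05,
               "shared_storage": 0.01, "common_power_fault": 0.02}

def top_event_probability(node, probs):
    """Probability of the event at node, assuming independent basic events.
    AND gates multiply the child probabilities; OR gates use 1 - prod(1 - p)."""
    if isinstance(node, str):
        return probs[node]
    op, children = node
    child_probs = [top_event_probability(child, probs) for child in children]
    if op == "AND":
        result = 1.0
        for p in child_probs:
            result *= p
        return result
    if op == "OR":
        survives = 1.0
        for p in child_probs:
            survives *= 1.0 - p
        return 1.0 - survives
    raise ValueError(f"unknown gate {op!r}")

def minimal_cut_sets(node):
    """Smallest combinations of basic events that are sufficient for the top event."""
    if isinstance(node, str):
        return [frozenset([node])]
    op, children = node
    child_sets = [minimal_cut_sets(child) for child in children]
    if op == "AND":
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        sets = [s for cs in child_sets for s in cs]
    # Keep only minimal sets: drop any set that has a proper subset in the list.
    return sorted({s for s in sets if not any(other < s for other in sets)}, key=sorted)

if __name__ == "__main__":
    print("minimal cut sets:", [sorted(s) for s in minimal_cut_sets(FAULT_TREE)])
    print("P(logs lost):", round(top_event_probability(FAULT_TREE, BASIC_PROBS), 6))
    without_ccf = {**BASIC_PROBS, "common_power_fault": 0.0}
    print("P without common cause:", round(top_event_probability(FAULT_TREE, without_ccf), 6))
```

The single-event cut sets are the ones redundancy does not protect against, which is why the common-cause branch roughly triples the top-event probability here.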

Summary
Risk assessment is the first step in the risk management process. There are four commonly used risk assessment methodologies: RFA, NIST, FAIR, and PRA. These methods help you calculate the risk and devise the control measures, based on the severity and the type of the risk your organization encounters. With the knowledge of the various risk assessment methodologies, an information security manager should be able to build a security management program specific to business needs.

2012 SkillSoft Ireland Limited
