How to Perform a Cybersecurity Risk Assessment

A great cybersecurity program starts with a risk assessment process. A proper cybersecurity risk assessment clarifies the cyber risks to the business so that cyber initiatives and a road map can be put together to address those risks.


What is a cybersecurity risk assessment?

A cybersecurity assessment is a structured evaluation process that examines an organization’s IT environment, policies, procedures, and controls to determine how well it can protect against cyber threats and vulnerabilities. It aims to identify weaknesses, measure risk exposure, and give recommendations to make the organization more secure.

The following are some of the technical and non-technical aspects of cybersecurity reviewed in this assessment;

Through a cybersecurity assessment, firms get a clear picture of their current protection level, identify the gaps, and prioritize the activities aimed at reducing the risks before attackers capitalize on them.


Challenges:

When the risk assessment is skipped or short-circuited, the program becomes reactive and spends time and money on efforts that do not provide the greatest reduction of risk for the investment. This may be referred to as Return on Risk Investment (RoRI). Here are a few challenges:

  • In 2024, the cost of a data breach rose 10%, to $4.88 million.
  • Additionally, many people in cybersecurity roles have never been trained on how to conduct a proper cybersecurity risk assessment.
  • Another challenge is long, tedious academic methods that require too much time and investment from too many roles.

The sad truth is that most never get completed. Most of these cybersecurity risk assessment methods are designed for enterprise-sized companies and do not fit small and mid-sized businesses.

This article breaks down the process and describes the system we use to accurately and confidently identify the top risks and the cybersecurity initiatives that reduce them.

The process of cybersecurity assessment at Asher Security


In cybersecurity we use a lot of terms. One term at the core of cybersecurity is ‘risk’. There are several ways to qualify risk, using either a quantitative or a qualitative methodology.

Here is an equation to calculate cybersecurity risk:

Data (asset value) x Threat x Vulnerability = Risk


‘This definition has worked very well for me and my clients. It attempts to keep it simple and provide clarity over each step of this risk equation. It is understandable, approachable, and repeatable.’

-Tony Asher (Elite Cybersecurity consultant at Asher Security)

Let’s break down each of the three components that we need to qualify to define risk.

Data (asset value): 

This can be measured by the sensitivity of the data and the volume of the data. This is about qualifying what data crown jewels a business has. For example, if a company only has data they consider ‘public’, then your risk equation will almost always equal zero, or no risk. That is because no matter how many threats are trying to steal your data, and no matter how many vulnerabilities you have open and available for exploitation, the worst case is that the attacker gets a bunch of public data. Risk accepted.


Qualifying data and asset values is most commonly done by performing a data classification exercise in which business stakeholders are interviewed with the goal of learning and defining what data is public versus sensitive or restricted. These can be any data classification labels you choose. The result is a Data Classification Policy that lists all the data types or elements that need to be considered restricted. Once complete, this acts as a source for qualifying how much of that data exists, and where.


Vulnerabilities:

This data is easily collected when a vulnerability scanning tool is in place, or can be put in place temporarily. There are two main types of scanning: credentialed and non-credentialed. The most important thing to note is that a credentialed scan provides much greater visibility into the true vulnerability status. The other important principle is to scan everything listed in your IP inventory, not just your Microsoft Windows machines. We need to scan anything a threat can reach.

Qualifying vulnerabilities is quick and easy. All you need is a scanner like Qualys, Tenable, or Rapid7. The challenge is more often not feeling overwhelmed by the results and trying to fix everything right away. The first goal should be to prepare a simple report (an Excel pivot chart is recommended) that shows how many critical, high, and medium vulnerabilities were identified across the environment. (You can skip the low and informational findings for now.)

Threats:

Now you have two of the three values for your risk equation. The last one is identifying threats. There have been several methodologies for reviewing threats, and all have been so complicated that the threat exercise never gets finished because the effort is overwhelming. Below is a summary of the process we highly recommend.


How to perform a cybersecurity risk assessment


There are several steps we follow when performing a cybersecurity risk assessment. These steps are essential for security teams to systematically identify, evaluate, and mitigate risks:

Scope 

The first recommendation is scoping the threats. It is highly recommended that you scope the cybersecurity threats to focus on confidentiality.

‘I understand that availability is important, but when we include this in a risk exercise, we open the scope of qualified threats to volcanoes, tornados, and airplane crashes – it becomes ridiculous.’


Instead, recommend that business leaders prepare a business continuity plan that addresses the availability risks. For this exercise, focus only on threats that arrive via a digital vector.

List

Use a list of the top ten to twenty-five threats. You need to start somewhere, and an approach like this is a quick catalyst to get a first draft completed successfully. A completed threat exercise based on the top ten threats is better than one that never gets completed.

‘I have a list I created and maintain by continually updating it based on threat intelligence.’

Impact & Likelihood

Plot the threats on a page that visually indicates impact and likelihood. Lay it out in four quadrants with impact on the vertical axis and likelihood on the horizontal. This will help reveal the threats that are most concerning.


Bringing it all together

The final step in a cybersecurity risk assessment is part science and part art. The goal is to overlay the threats with the vulnerability data and qualify whether there is a vulnerability in the systems that an applicable, qualified threat can take advantage of.

With the list of applicable threats and the vulnerabilities that qualify for review, overlay them with the systems that contain restricted data (crown jewels) and qualify whether a threat actor exploiting the vulnerability would gain access to restricted data.

One thing to consider is that people can be a vulnerability. For example, when looking at one of the top cybersecurity threats, Business Email Compromise (BEC), you might review vulnerability data for your email platform and find you don’t have any vulnerabilities. Before feeling confident enough to remove this from your risk equation, consider that this is often a social type of attack and the vulnerability is the person receiving fraudulent emails.
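The steps above, from the severity summary under “Vulnerabilities” to the overlay of threats, vulnerabilities and crown jewels, can be made repeatable in a few dozen lines. The script below is an added example, not Asher Security’s own tooling: it scores the article’s equation, Data (asset value) x Threat x Vulnerability, against a constructed inventory, a constructed scanner export and a constructed top-N threat list. The asset-value scale (public data scores 0, so public-only systems drop out of the equation), the 1-5 impact/likelihood scale, the Critical/High/Medium weights, and the factor used to keep a people-based threat such as BEC in the register are all this example’s assumptions.

```python
"""Added example (not Asher Security's code): the article's risk equation,
Data (asset value) x Threat x Vulnerability, as a small repeatable script.
Hosts, findings, threats and all scales below are constructed assumptions."""
import csv
import io
from collections import Counter, defaultdict

# Data classification result (constructed): the data class each system holds.
# Asset value scale (assumption): public scores 0, so a public-only system
# contributes no risk, matching the article's "Risk accepted" example.
ASSET_VALUE = {"restricted": 3, "sensitive": 2, "public": 0}
INVENTORY = {
    "10.0.1.10": "restricted",  # finance file server (crown jewels)
    "10.0.1.20": "sensitive",   # mail gateway
    "10.0.1.30": "public",      # brochure web server
    "10.0.1.40": "restricted",  # HR database
}

# Scanner export (constructed) in the CSV shape most scanners can produce.
SCAN_CSV = """host,plugin,severity,category
10.0.1.10,SMBv1 enabled,Critical,remote_exec
10.0.1.10,Outdated OpenSSL,High,remote_exec
10.0.1.20,Weak TLS ciphers,Medium,network
10.0.1.20,Missing HSTS header,Low,web
10.0.1.30,Outdated web framework,Critical,web_app
10.0.1.40,SQL injection in login form,Critical,web_app
10.0.1.40,Banner disclosure,Informational,info
"""

# Top-N threat list (constructed). impact/likelihood on a 1-5 scale (assumption);
# "vectors" are the finding categories a threat can use. BEC rides on people.
THREATS = [
    {"name": "Ransomware", "impact": 5, "likelihood": 5, "vectors": {"remote_exec"}},
    {"name": "Web application breach", "impact": 5, "likelihood": 3, "vectors": {"web_app"}},
    {"name": "Business Email Compromise", "impact": 4, "likelihood": 5, "vectors": {"people"}},
    {"name": "Eavesdropping on weak TLS", "impact": 3, "likelihood": 2, "vectors": {"network"}},
]

SEVERITY_SCORE = {"Critical": 3, "High": 2, "Medium": 1}  # Low/Informational skipped
PEOPLE_FACTOR = 2   # assumed "vulnerability" weight for a user who can be phished
MIDPOINT = 3        # quadrant split for the 1-5 impact/likelihood scale


def severity_summary(scan_csv):
    """Count Critical/High/Medium findings across the environment: the figures
    the article's Excel pivot chart would show, with Low/Informational left out."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(scan_csv)):
        if row["severity"] in SEVERITY_SCORE:
            counts[row["severity"]] += 1
    return dict(counts)


def quadrant(threat):
    """Place a threat on the four-quadrant chart: impact vertical, likelihood horizontal."""
    impact = "high" if threat["impact"] > MIDPOINT else "low"
    likelihood = "high" if threat["likelihood"] > MIDPOINT else "low"
    return f"{impact} impact / {likelihood} likelihood"


def _entry(host, threat, asset, vuln, finding):
    return {"host": host, "threat": threat["name"], "finding": finding,
            "quadrant": quadrant(threat),
            "risk": asset * threat["impact"] * threat["likelihood"] * vuln}


def risk_register(scan_csv, inventory, threats):
    """Overlay threats on vulnerabilities and on the systems holding restricted
    data: one register row per (host, threat) pair the threat could actually use."""
    vulns_by_host = defaultdict(list)
    for row in csv.DictReader(io.StringIO(scan_csv)):
        if row["severity"] in SEVERITY_SCORE:
            vulns_by_host[row["host"]].append(row)

    register = []
    for threat in threats:
        if "people" in threat["vectors"]:
            # People are a vulnerability: a social attack such as BEC shows up in
            # no scan, so score it once, against the most valuable data class a
            # mailbox user could reach (assumption), instead of dropping it.
            asset = max(ASSET_VALUE[c] for c in inventory.values())
            register.append(_entry("mailbox users", threat, asset, PEOPLE_FACTOR,
                                   "user receiving fraudulent email"))
            continue
        for host, data_class in inventory.items():
            usable = [v for v in vulns_by_host[host] if v["category"] in threat["vectors"]]
            if not usable:
                continue  # applicable threat, but nothing on this host it can exploit
            worst = max(usable, key=lambda v: SEVERITY_SCORE[v["severity"]])
            register.append(_entry(host, threat, ASSET_VALUE[data_class],
                                   SEVERITY_SCORE[worst["severity"]], worst["plugin"]))
    return sorted(register, key=lambda e: e["risk"], reverse=True)


if __name__ == "__main__":
    print("Findings by severity:", severity_summary(SCAN_CSV))
    for e in risk_register(SCAN_CSV, INVENTORY, THREATS):
        print(f"{e['risk']:>4}  {e['host']:<14} {e['threat']:<26} {e['quadrant']:<30} {e['finding']}")
```

Run as-is, the register ranks ransomware against the finance file server first, the SQL-injectable HR database second, and BEC third, even though the mail platform itself has only a Medium finding; the brochure web server carries a Critical finding yet scores 0 because it holds only public data. That ordering, rather than the raw finding counts, is what the leadership review should be built on.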

Review

Review your findings with leadership. There are two goals in doing this. The first is to show leadership that you have a best-practice process for qualifying risk, that it is repeatable, and that you followed it. Most leaders will have no idea how to complete a cybersecurity risk assessment, so their goal will not be to correct your data and findings but to understand how you conducted the assessment and whether that process makes sense. Your goal is to show them that you have a process, and that it makes sense.

The second goal of the leadership review is to share the risk. The primary goal of the cybersecurity role is to identify risks and provide visibility of those risks to business leadership. Only when leadership has reviewed the risks and approved risk treatment measures can the cybersecurity role proceed with helping reduce the cyber risk to the business.

Risk Assessment Frameworks


For structure, many organizations turn to cybersecurity frameworks. These provide consistent language, steps, and tools to support assessments. Common options include:

Frameworks aren’t one-size-fits-all, but they offer guidance for building repeatable and audit-ready processes.

How Often Should Cybersecurity Risk Assessments Be Done?


While annual assessments are common, frequency should be tied to organizational dynamics. Any of the following should trigger a new or updated assessment:

  • Mergers or acquisitions
  • Major changes to infrastructure (e.g., moving to the cloud)
  • Introduction of new technologies or services
  • Regulatory changes
  • A significant cybersecurity incident

Cyber risk is not static—it evolves with your business, the threat landscape, and external factors.

Need cybersecurity risk assessment help?

We offer more than that!

If you have any questions about how to improve your risk assessment process, or tips or tricks we could use to improve our process, please follow up. We are happy to help you improve your process (free of charge).

If you’d like a professional cybersecurity risk assessment conducted for you, we also offer a Rapid Risk Assessment. Our Rapid Risk Plan identifies your crown jewels, assesses your vulnerabilities, and reviews the threats against your organization to clarify your cybersecurity risks. We then build an annual road map and a prioritized objective list to give you traction on the people, processes, and technology you need to achieve your cybersecurity goals. Contact me and mention this article.

Ready to get started?

Schedule a call and/or join our newsletter