Measuring Risk: A Security Pros Guide

Published: 22/11/2024   Category: security


A look at the tools for evaluating security risks -- and some tips for putting the resulting data into business context
[Excerpted from Measuring Risk: A Security Pro's Guide, a new report published this week on Dark Reading's Risk Management Tech Center.]
Every organization has valuable information assets -- whether it’s intellectual property; commercially valuable information and IT systems; or data on employees, customers and suppliers. An IT system failure, therefore, will adversely impact the organization to some degree.
IT professionals are charged with the often-daunting task of providing an assessment of the risk -- and potential damage -- associated with specific threats to company information systems. Complicating the task is the need to explain to senior management how a risk, and the likelihood that it will cause harm to the organization, was calculated.
With IT-related risks, you can't construct tools that satisfy measurement theory. Even ISO 27005, the information security risk management standard, which is designed to support the implementation of information security based on a risk management approach, doesn't specify, recommend or even name any specific risk analysis method.
Indeed, measuring the level of risk an organization faces is a big undertaking, so it makes sense to split risk assessments into defined areas of the business. These could include a physical location, such as a call center, or a business process, such as order fulfillment.
Documenting all the threats and quantifying the associated risks -- even for a small office or basic process -- usually takes a few weeks and can last up to several months for more complex regulated entities. Even if your company contracts with an outside consultant, internal staff will need to be involved. It’s therefore essential that everyone understands the terminology and concepts behind a risk assessment.
Any reports to senior management should begin by explaining these key concepts. The terms may seem basic, but it is important that everyone involved is using the same vocabulary and applying the terms in the same context.
A threat is something that can potentially cause damage to the organization.
A vulnerability is a weakness within the organization that can be exploited by a threat.
Risk is the possibility that a threat exploits a vulnerability and causes damage to the organization.
The estimated damage to the organization is its impact.
It should be made clear at this point that every organization has to live with threats; you cannot eliminate the threat of lightning strikes, malicious cyber attacks or even physical attacks. The first task, then, is to identify all the threats to the assets within the scope of the risk assessment.
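The following is an added example, not code from the article or from Dark Reading, showing how the vocabulary above (threat, vulnerability, likelihood, impact, risk) can be captured in a small risk register that is split by assessment area and ranked for a management report. The article names no scoring method, so the 1-5 qualitative scales, the likelihood x impact product and the high/medium/low thresholds are assumptions chosen for this example; the register rows are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List

# Qualitative scales are an assumption for this example; the article (and ISO 27005)
# names no particular scoring method, so treat these as one possible convention.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class RiskEntry:
    """One row of a risk register, using the article's vocabulary."""
    scope: str          # the assessment area: a location or a business process
    asset: str          # the information asset at stake
    threat: str         # what could cause damage
    vulnerability: str  # the weakness the threat could exploit
    likelihood: str     # how probable it is that the threat exploits the vulnerability
    impact: str         # estimated damage if it does

    def __post_init__(self) -> None:
        # Reject labels outside the agreed vocabulary so everyone reports on the same scale.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood label: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact label: {self.impact!r}")

    def score(self) -> int:
        # Risk = likelihood that the threat exploits the vulnerability x resulting impact
        # (an assumed scoring rule, not one the article prescribes).
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        # Thresholds are an assumption chosen for this example.
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"


def rank_register(register: List[RiskEntry]) -> List[RiskEntry]:
    """Highest-scoring risks first, so the report leads with what matters most."""
    return sorted(register, key=lambda e: (-e.score(), e.scope, e.asset))


def summarize_by_scope(register: List[RiskEntry]) -> Dict[str, dict]:
    """Per assessment area: how many risks were recorded and the worst of them."""
    summary: Dict[str, dict] = {}
    for entry in register:
        s = summary.setdefault(entry.scope, {"entries": 0, "max_score": 0, "max_level": "low"})
        s["entries"] += 1
        if entry.score() > s["max_score"]:
            s["max_score"] = entry.score()
            s["max_level"] = entry.level()
    return summary


def report_lines(register: List[RiskEntry]) -> List[str]:
    """Plain-language lines for a management report, one per risk, highest first."""
    lines = []
    for e in rank_register(register):
        lines.append(
            f"[{e.level().upper():6}] {e.scope}: {e.threat} could exploit "
            f"'{e.vulnerability}' affecting {e.asset} "
            f"(likelihood {e.likelihood}, impact {e.impact}, score {e.score()})"
        )
    return lines


# Constructed sample register covering two assessment areas (not real data).
SAMPLE_REGISTER = [
    RiskEntry("order fulfilment", "order database", "ransomware",
              "unpatched file server", "likely", "major"),
    RiskEntry("call centre", "customer records", "lightning strike causing power loss",
              "no UPS on the core switch", "unlikely", "moderate"),
    RiskEntry("order fulfilment", "shipping system", "credential phishing",
              "no MFA on the admin portal", "possible", "severe"),
]

if __name__ == "__main__":
    for line in report_lines(SAMPLE_REGISTER):
        print(line)
    for scope, s in summarize_by_scope(SAMPLE_REGISTER).items():
        print(f"{scope}: {s['entries']} risks, highest {s['max_score']} ({s['max_level']})")
```

The point of validating the labels in `__post_init__` is the one the article makes about vocabulary: if one assessor writes "often" and another "likely", the register silently stops being comparable, so the register refuses rows that use terms outside the agreed scale. The per-scope summary mirrors the advice to split the assessment into defined business areas, giving management one line per location or process rather than an undifferentiated list.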
To learn more about how to conduct a risk assessment -- and the tools that can be used to measure and report risk -- download the free guide to measuring IT security risk.