Threat Risk Assessment: A Quick Primer

‘Tis the season for data breaches!

From an information security perspective, the news has been downright depressing lately. In the wake of recent career-halting data breaches, it couldn’t hurt to start thinking about threat risk assessments for your organization.

While there are numerous types of threat risk assessment methods, they all try to answer the same questions in regards to organizational assets:

  •      What needs to be protected?
  •      Who and/or what are the threats and vulnerabilities?
  •      What are the implications if they were damaged or lost?
  •      What is the value to the organization?
  •      What can be done to minimize exposure to the loss or damage?

The objective of a threat risk assessment is to provide recommendations that can maximize the organizational protection of confidentiality, integrity, and availability while still allowing functionality and usability.

The primary phases of a threat risk assessment are:

  • Scope: This phase identifies what needs to be protected, the sensitivity of what is being protected, and what systems and applications are included in the assessment.
  • Data Collection and Analysis: This step involves collecting and analyzing all policies and procedures that are in place to determine any applicable gaps in documentation. Systems and applications identified in the scope are audited to determine their current state. Key personnel are normally interviewed during this stage as well.
  • Vulnerability Analysis: This step takes what was identified in the data collection/analysis and determines the current exposure, and whether current safe guards are sufficient in terms of confidentiality, integrity, or availability. It will also indicate whether the proposed safe guards will be sufficient. The vulnerabilities are graded according to the level of risk that they pose to the organization.
  • Threat Analysis: Threats are described as anything that would contribute to the tampering, destruction, or interruption of any service or item of value. This analysis will look at every element of risk that could conceivably happen. Threats must be looked at as they relate to the business environment and how they can affect that environment. These threats are graded in a similar manner as vulnerabilities.
  • Determination of Acceptable Risk: This step involves the analysis of the findings to help determine, with the help of key stakeholders, what level of risk is acceptable to the organization.

A threat risk assessment should be a continual process that is reviewed regularly to determine if current safe guards are still effective.

If you don’t perform some form of a threat/risk analysis, you leave your organization open to a world of hurt that could destroy your ability to conduct business.

For further information, please see Dell’s whitepaper on the current and future state of IT security.

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.