6 Types of Risk Assessment Methodologies + How to Choose
by Rick Stevenson
An organization’s sensitive information is under constant threat. Identifying those security risks is critical to protecting that information. But some risks are bigger than others. Some mitigation options are more expensive than others. How do you make the right decision? Adopting a formal risk assessment process gives you the information you need to set priorities.
There are many ways to perform a risk assessment, each with its own benefits and drawbacks. We will help you find which of these six risk assessment methodologies works best for your organization.
What is Risk Assessment?
Risk assessment is the way organizations decide what to do in the face of today’s complex security landscape. Threats and vulnerabilities are everywhere. They could come from an external actor or a careless user. They may even be built into the network infrastructure.
Decision makers need to understand the urgency of the organization’s risks as well as how much mitigation efforts will cost. Risk assessments help set these priorities. They evaluate the potential impact and probability of each risk. Decision makers can then evaluate which mitigation efforts to prioritize within the context of the organization’s strategy, budget, and timelines.
Risk Assessment Methodologies
Organizations can take several approaches to assess risks—quantitative, qualitative, semi-quantitative, asset-based, vulnerability-based, or threat-based. Each methodology can evaluate an organization’s risk posture, but they all require tradeoffs.
Quantitative methods bring analytical rigor to the process. Assets and risks receive dollar values. The resulting risk assessment can then be presented in financial terms that executives and board members easily understand. Cost-benefit analyses let decision makers prioritize mitigation options.
However, a quantitative methodology may not be appropriate. Some assets or risks are not easily quantifiable. Forcing them into this numerical approach requires judgment calls—undermining the assessment’s objectivity.
Quantitative methods can also be quite complex. Communicating the results beyond the boardroom can be difficult. In addition, some organizations do not have the internal expertise that quantitative risk assessments require. Organizations often take on the added cost to bring in consultants’ technical and financial skills.
Where quantitative methods take a scientific approach to risk assessment, qualitative methods take a more journalistic approach. Assessors meet with people throughout the organization. Employees share how, or whether, they would get their jobs done should a system go offline. Assessors use this input to categorize risks on rough scales such as High, Medium, or Low.
A qualitative risk assessment provides a general picture of how risks affect an organization’s operations.
People across the organization are more likely to understand qualitative risk assessments. On the other hand, these approaches are inherently subjective. The assessment team must develop easily-explained scenarios, develop questions and interview methodologies that avoid bias, and then interpret the results.
Without a solid financial foundation for cost-benefit analysis, mitigation options can be difficult to prioritize.
Some organizations will combine the previous methodologies to create semi-quantitative risk assessments. Using this approach, organizations will use a numerical scale, such as 1-10 or 1-100, to assign a numerical risk value. Risk items that score in the lower third are grouped as low risk, the middle third as medium risk, and the higher third as high risk.
Blending quantitative and qualitative methodologies avoids the intense probability and asset-value calculations of the former while producing more analytical assessments than the latter. Semi-quantitative methodologies can be more objective and provide a sound basis for prioritizing risk items.
Traditionally, organizations take an asset-based approach to assessing IT risk. Assets are composed of the hardware, software, and networks that handle an organization’s information—plus the information itself. An asset-based assessment generally follows a four-step process:
Inventory all assets.
Evaluate the effectiveness of existing controls.
Identify the threats and vulnerabilities of each asset.
Assess each risk’s potential impact.
Asset-based approaches are popular because they align with an IT department’s structure, operations, and culture. A firewall’s risks and controls are easy to understand.
However, asset-based approaches cannot produce complete risk assessments. Some risks are not part of the information infrastructure. Policies, processes, and other “soft” factors can expose the organization to as much danger as an unpatched firewall.
Vulnerability-based methodologies expand the scope of risk assessments beyond an organization’s assets. This process starts with an examination of the known weaknesses and deficiencies within organizational systems or the environments those systems operate within.
From there, assessors identify the possible threats that could exploit these vulnerabilities, along with the exploits’ potential consequences.
Tying vulnerability-based risk assessments with an organization’s vulnerability management process demonstrates effective risk management and vulnerability management processes.
Although this approach captures more of the risks than a purely asset-based assessment, it is based on known vulnerabilities and may not capture the full range of threats an organization faces.
Threat-based methods can supply a more complete assessment of an organization’s overall risk posture. This approach evaluates the conditions that create risk. An asset audit will be part of the assessment since assets and their controls contribute to these conditions.
Threat-based approaches look beyond the physical infrastructure.
By evaluating the techniques threat actors use, for example, assessments may re-prioritize mitigation options. Cybersecurity training mitigates social engineering attacks. An asset-based assessment may prioritize systemic controls over employee training. A threat-based assessment, on the other hand, may find that increasing the frequency of cybersecurity training reduces risk at a lower cost.
Choosing the Right Methodology
None of these methodologies are perfect. Each has strengths and weaknesses. Fortunately, none of them are mutually exclusive. Whether intentionally or by circumstance, organizations often perform risk assessments that combine these approaches.
When designing your risk assessment process, the methodologies you use will depend on what you need to achieve and the nature of your organization.
If board-level and executive approvals are the most important criteria, then your approach will lean towards quantitative methods. More qualitative approaches might be better if you need support from employees and other stakeholders. Asset-based assessments align naturally with your IT organization while threat-based assessments address today’s complex cybersecurity landscape.
Constantly assessing your organization’s risk exposure is the only way to protect sensitive information from today’s cyber threats. Drata’s compliance automation platform monitors your security controls to ensure your audit readiness.
Schedule a demo today to see what Drata can do for you!