{Article} How to Build a Better IT Risk Assessment


When an organization is tasked with creating an IT Risk Assessment, it can often be seen as a daunting and pointless task. Many organizations create a spreadsheet, list a few of their IT systems, flag them as “high risk,” then list a couple of basic security controls, and flag them as “low residual risk.” This assessment is turned in to the Board annually and then considered checked off the list. Unfortunately, organizations working from this perspective are missing the point of an IT Risk Assessment.


Make Better Decisions

A comprehensive, measurable, and repeatable IT Risk Assessment should be used to help an organization make better decisions. Without a detailed framework, any money spent on information security is akin to throwing darts at a board. Without a goal in mind, how do we know when we’ve reached it? An organization must truly understand where the most risk is located in order to take the appropriate mitigating steps.


A Better Risk Assessment Process

To form a useful IT Risk Assessment, we need to start by identifying our IT assets or systems, as this is where we apply controls. The key concept when identifying your assets is to include “anything that stores, processes, or transmits confidential information” in your IT Risk Assessment. Some wide-ranging examples of IT assets would be: core banking systems, domain controllers, file servers, firewalls, and even file cabinets. The list will be long for most organizations, and larger organizations typically have even more IT assets.


Valuate Your IT Assets

Next, we need to find a way to compare these different types of assets. How could you compare your core banking system to your file cabinets? One very efficient method of comparing different asset types is to create a Protection Profile. The Protection Profile for each asset is calculated from four ratings: Confidentiality, Integrity, Availability, and Volume, otherwise referred to as “CIAV.” Each of these four ratings should be assigned a numeric value representative of its importance; you might use, for example, a three-tier system: High (3), Medium (2), or Low (1).


Confidentiality may be defined as the degree to which unauthorized access or use of information affects the institution. Confidentiality ratings should be given a quantifiable score consistently across different assets. For Confidentiality, a High (3) rating may be defined as “Information that is highly sensitive; its disclosure would violate regulations and/or result in significant harm to the institution.” A Medium (2) rating may be defined as “Information that is considered internal; its disclosure may violate regulations and/or result in moderate harm to the institution.” Finally, a Low (1) rating may be defined as “Information that is for public consumption; its compromise would not be harmful to the institution.” Rate the Confidentiality of information stored, transmitted, and processed through the IT asset you are assessing on your numeric-value scale, and do the same for the following categories as well.

Integrity is the degree to which unauthorized or accidental modifications to or incorrect entry of information affects the institution. A High (3) rating may be defined as “Accuracy of the information is critical; its modification or incorrectness would cause significant issues.” A Medium (2) rating may be defined as “Accuracy of the information is important, but not absolutely critical; its modification or incorrectness may cause moderate issues.” A Low (1) rating may be defined as “Accuracy of the information is of low concern; its modification or incorrectness may be inconvenient but could likely go unnoticed and cause few issues to the institution.”

Availability is the degree to which, or the length of time for which, information can be unavailable and systems, applications, and business functions can be down without severely impacting the institution. A High (3) rating may be defined as “Information availability is of significant concern; recovery must be made within 24 to 48 hours.” A Medium (2) rating may be defined as “Information availability is of moderate concern; recovery must be made within 1 week.” A Low (1) rating may be defined as “Information is readily available elsewhere; recovery within 30 days is satisfactory.”

You have likely heard of Confidentiality, Integrity, and Availability, but Volume is an additional way to delineate how much your IT assets are used at your institution. Volume may be defined as the amount of information stored, processed, and transacted by an asset. Here a High (3) rating may be defined as “There is a large amount of data regularly stored, processed, or transmitted.” A Medium (2) rating may be defined as “A moderate amount of information is stored, processed, or transmitted.” A Low (1) rating may be defined as “Only a small amount of information is regularly stored, processed, or transmitted.”

Once we have given a score for each of the CIAV fields, we are able to calculate our Protection Profile by adding up these four assigned values. All four values being High would give us a 12, all four being Low would give us a 4. This methodology allows us to essentially turn an apples-and-oranges comparison (Core Banking System vs. file cabinets) into an apples-to-apples comparison. It also allows us to identify and prioritize our most important and valuable assets.


Determine the Threats

The next step in our IT Risk Assessment process is to identify all reasonably foreseeable threats. Any given asset has numerous threats, any of which would cause harm to the institution if realized. Every effort should be made to identify all applicable threats. We should also determine the Probability that a given threat will occur, as well as the Impact to the institution if it does. Each threat should include a quantifiable rating for both Impact and Probability (typically a 1-5 or 1-3 rating). Impact and Probability are multiplied together to form a Threat Score. Say your threat has a Probability of 3 and an Impact of 5; your Threat Score would be 15. Then, you add up all individual Threat Scores for the asset to arrive at its Total Threat Score.


Quantify the Risk

Once we have identified our Protection Profile and Total Threat Score, we can create an Inherent Risk Score. As a reminder, the Inherent Risk Score is how risky a given asset is purely because it exists. If we take a system out of the box, plug it in, and turn it on without any mitigating controls (not even considering where we place the system, as this is a risk-mitigating control), we have Inherent Risk. Inherent Risk is also known as the risk before controls.

To create an Inherent Risk Score, we multiply our asset’s Protection Profile times our Total Threat Score.

Next, we want to reduce the Inherent Risk of each asset in order to calculate our Residual Risk (the risk after controls). To do this, we must identify the controls we have put in place to reduce risk. The real key to calculating Residual Risk is not only to identify the controls we have in place, but to also identify the controls we have not put in place. We call this “included” controls vs. “excluded” controls. If we identify all the controls we aren’t currently using, but could, we can paint a more detailed picture of the Residual Risk Score, which is the risk after mitigating controls are put in place. There are numerous resources to help you identify excluded controls, including the FFIEC Cybersecurity Assessment Tool, FFIEC Booklets, NIST 800-53, NIST Cybersecurity Framework, and the CIS Top 20.


Once you have calculated the Residual Risk by subtracting your mitigating (included) controls from the Inherent Risk rating, you are then able to compare IT assets across the board consistently to help you identify your most important and risky assets.
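The scoring described above, worked through in code as an added example (not the author's or SBS's own tooling). The article does not say how much risk an included control removes, so the example assumes each control carries a point value that is subtracted from Inherent Risk, floored at zero; the asset inventory, threats and control values are constructed sample data.

```python
from dataclasses import dataclass

HIGH, MEDIUM, LOW = 3, 2, 1  # the article's three-tier CIAV scale

@dataclass
class Threat:
    name: str
    probability: int  # 1-5, as in the article's example
    impact: int       # 1-5
    def score(self) -> int:
        return self.probability * self.impact  # Threat Score

@dataclass
class Control:
    name: str
    reduction: int   # ASSUMED: risk points removed when the control is in place
    included: bool   # True = "included" (in place), False = "excluded"

@dataclass
class Asset:
    name: str
    ciav: tuple       # (Confidentiality, Integrity, Availability, Volume)
    threats: list
    controls: list

    def protection_profile(self) -> int:
        return sum(self.ciav)  # 4 (all Low) .. 12 (all High)
    def total_threat_score(self) -> int:
        return sum(t.score() for t in self.threats)
    def inherent_risk(self) -> int:
        return self.protection_profile() * self.total_threat_score()
    def residual_risk(self) -> int:
        # Inherent Risk minus included controls; floored at zero (our assumption)
        mitigated = sum(c.reduction for c in self.controls if c.included)
        return max(self.inherent_risk() - mitigated, 0)
    def excluded_controls(self) -> list:
        return [c.name for c in self.controls if not c.included]

def rank_by_residual_risk(assets: list) -> list:
    return sorted(assets, key=lambda a: a.residual_risk(), reverse=True)

# Constructed sample inventory, not real institution data
CORE_BANKING = Asset("Core Banking System", (HIGH, HIGH, HIGH, HIGH),
    [Threat("Ransomware", 3, 5), Threat("Insider data theft", 2, 5)],
    [Control("Offline backups", 30, True), Control("MFA for administrators", 25, True),
     Control("Database activity monitoring", 20, False)])
FILE_CABINET = Asset("File cabinet", (MEDIUM, LOW, LOW, LOW),
    [Threat("Unauthorized physical access", 2, 3)],
    [Control("Locked cabinet", 10, True), Control("Badge-controlled room", 10, False)])
```

With these inputs the core banking system scores a Protection Profile of 12, a Total Threat Score of 25, an Inherent Risk of 300 and a Residual Risk of 245, against 5, 6, 30 and 20 for the file cabinet; the excluded-controls list shows where the remaining risk could still be reduced.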


Set Your Goals

At this point, we have completed most of the steps in building a comprehensive, valuable, and repeatable IT Risk Assessment. The last critical step, and the step that will help you make better decisions, is to set risk mitigation goals. When evaluating your Information Security Program, you want to mitigate the most risk to your most important and riskiest assets. Therefore, the assets with the highest Protection Profile or highest Inherent Risk Score should have the loftiest reduction goals. It is also very important to remember that we are setting goals. If you can’t meet these goals, there are two options. The first is to evaluate your list of excluded controls to determine how you can meet the goal in the future (and document a plan to get there). The second is to adjust the goal to be more achievable. Finally, if you have achieved your risk mitigation goal, raise the goal, then create a plan to meet the new goal in the future! Goals that become stagnant are not driving your Information Security Program forward.


Make Better Decisions

By identifying your most important assets (Protection Profile), the threats that may cause harm to your institution (Threats), your Inherent Risk (Protection Profile × Total Threat Score), and your Residual Risk (risk after controls), you have built a framework that can help you consistently and quantifiably measure risk across your IT assets. Once you have a consistent and measurable risk assessment, you can make better decisions by setting goals, then working towards meeting those goals. An IT Risk Assessment that helps you to set goals and mature your risk posture going forward goes well beyond checking the box; it’s a risk assessment that really helps to improve your organization.

Additionally, this risk assessment framework can be used for different assessments by simply replacing the thing you’re identifying in the Protection Profile. If you swap “IT asset” for “vendor,” this assessment becomes a Vendor Risk Assessment. If you replace “IT asset” with “business process,” you have a framework for performing a Business Impact Analysis. The framework is very versatile, and if you perform it consistently, you’ll always be able to make better decisions.


Written by: Jeff Dice

Information Security Consultant - SBS CyberSecurity, LLC


Posted: Wednesday, December 20, 2017
Categories: Blog