What steps are involved in assessing risk?

Ask the Expert

What steps are involved in assessing risk?

What steps are involved in assessing risk?

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

Risk assessment is a complex topic beyond the scope of these few paragraphs, but it is at the heart of information security.

In order to secure a system, you must determine the level of risk to it. The higher the level of risk, the more protection it needs. You don't want to spend your information security budget on protecting a low-risk system, you want to spend it on high-risk systems, those that might house sensitive customer data, or handle financial transactions, for example. While this may sound like common sense, few organizations adequately assess IT risk and end up indiscriminately squandering their budgets and resources poorly protecting their most sensitive IT assets and over protecting those of low value.

Roughly, risk assessment consists of reviewing three pieces of your IT infrastructure: threats, vulnerabilities and risk. For example, the threat could be a hacker gaining access to a database housing your customer information. The vulnerability is that the database is outdated and doesn't have the latest security patches installed. Therefore, the risk might be high because the system is unpatched, sits on an unprotected network without a firewall and is connected directly to the Internet.

This scenario is highly improbable in a company that has an experienced information security staff, but it still proves a point. Since we know the risk is high and very likely to occur, we know we need mitigating controls. We've assessed the risk and know where and how to secure our vulnerable IT asset. In this case, the risk assessment tells us to first patch the server, block the firewall ports accessing the server and sever its connection to the Internet.

Keep in mind, it's not just about IT risks and securing servers and Web sites. Compromised IT systems can result in loss of data, outages and malicious use, all of which can damage a business's reputation or worse.

For more information on risk assessments, visit the National Institute of Standards and Technology Web site at http://csrc.nist.gov. Their Computer Security Resource Center contains risk assessment methodologies widely used and recommended by information security professionals.


  • Learn how to conduct a risk analysis.
  • Review risk management process.
  • This was first published in July 2006