Assessing risks is vital to understanding where you should focus attention when deciding which controls to apply. A risk assessment process has four stages that require careful attention:
- Communicate results
- Maintain assessment (continually review)
Cyber Security Frameworks
To assist with the risk management process, there are various internationally recognised frameworks that can be referenced for guidance:
Results from risk assessments should be presented as either quantitative or qualitative information.
Quantitative Risk Assessment
Quantitative risk is represented by a numerical value. For example, when considering the risk of a power surge destroying a server, the total should factor in the cost of replacing the server, the working hours needed to replace it, the reputational damage from the loss of service, and so on; say £10,000.
To calculate the annual loss expectancy, identify how often the risk is expected to occur (say four months), convert that frequency to an annual percentage, then multiply it by the cost. In our example this would be:
1 / 4 × 100 = 25%
25% × £10,000 = £2,500 annual loss expectancy.
Qualitative Risk Assessment
Qualitative risk is represented by a description or category: for example, a grade from one to 10, low / medium / high, or critical / essential / important. To conduct a qualitative risk assessment you grade both the likelihood and the impact of the risk. The resulting risk is a function of both, but not necessarily an equation; the rating for each combination is decided by the assessor rather than calculated.
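The following Python is an added example, not code from the original article, that puts both approaches above into one small risk register: annual loss expectancy (single loss cost × annual rate of occurrence, giving the article's £10,000 × 25% = £2,500) alongside a qualitative likelihood/impact matrix whose cell ratings are assigned by hand rather than multiplied. The 3×3 matrix, the `Risk` class and the two extra register entries are constructed for illustration.

```python
# Added example: quantitative (ALE) and qualitative (matrix) risk scoring.
# The figures are the article's server example plus constructed entries.
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS = ("low", "medium", "high")

# Constructed 3x3 matrix keyed by (likelihood, impact). Each cell's rating is
# chosen by the assessor, not computed, so a rare-but-severe event and a
# frequent-but-minor one can be rated differently even if a "product" would tie.
RISK_MATRIX: Dict[Tuple[str, str], str] = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "critical",
}


def annual_rate_from_interval_years(years_between_events: float) -> float:
    """Turn 'expected once every N years' into an annual rate of occurrence (1/N)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def annual_loss_expectancy(single_loss_cost: float, annual_rate: float) -> float:
    """ALE = single loss cost x annual rate of occurrence.
    With the article's numbers: 10000 x 0.25 = 2500."""
    if single_loss_cost < 0 or annual_rate < 0:
        raise ValueError("cost and rate must be non-negative")
    return single_loss_cost * annual_rate


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Look up the assessor-defined rating; reject grades outside the scale."""
    likelihood, impact = likelihood.lower(), impact.lower()
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"grade must be one of {LEVELS}")
    return RISK_MATRIX[(likelihood, impact)]


@dataclass
class Risk:
    name: str
    single_loss_cost: float   # pounds per occurrence, all costs rolled in
    annual_rate: float        # expected occurrences per year
    likelihood: str           # qualitative grade
    impact: str               # qualitative grade

    @property
    def ale(self) -> float:
        return annual_loss_expectancy(self.single_loss_cost, self.annual_rate)

    @property
    def rating(self) -> str:
        return qualitative_rating(self.likelihood, self.impact)


def rank_by_ale(register: List[Risk]) -> List[Tuple[str, float, str]]:
    """Order a register by annual loss expectancy, highest first, with each item's qualitative rating."""
    ordered = sorted(register, key=lambda r: r.ale, reverse=True)
    return [(r.name, r.ale, r.rating) for r in ordered]


# Constructed register: the article's power-surge case plus two made-up entries.
SAMPLE_REGISTER = [
    Risk("power surge destroys server", 10_000, 0.25, "medium", "high"),
    Risk("laptop lost in transit", 2_000, 2.0, "high", "medium"),
    Risk("data-centre fire", 500_000, annual_rate_from_interval_years(100), "low", "high"),
]

if __name__ == "__main__":
    for name, ale, rating in rank_by_ale(SAMPLE_REGISTER):
        print(f"{name:30s} ALE £{ale:>10,.2f}  qualitative: {rating}")
```

Running it ranks the data-centre fire first by ALE (£5,000) even though the matrix rates it only "medium", while the laptop loss is rated "high" with a lower ALE; that divergence is why the two views are presented side by side rather than one replacing the other.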
This risk assessment process enables businesses to consider the full breadth and depth of each risk. Depending on which controls are applied (if any), a risk can then be avoided, accepted, transferred or mitigated.