We often get calls to do diagnostic testing of some sort: vulnerability testing, penetration testing, web application testing. These are all very good and should be done at least annually, or more often if the environment is undergoing changes. But what about a cyber security risk assessment? Why do one, and what is the correlation between the risk assessment and the various forms of diagnostic testing?

A risk assessment helps you identify the risks associated with IT assets. It helps you quantify the risk to the organization if a particular asset gets breached, goes down, etc.

For example, organizations commonly identify key impact areas such as cost, profit goals, uptime goals, growth goals, or compliance with security standards. Impact ratings could be described in terms of cost, as in the table below:

Impact Value   Impact Label    Impact Description
1              Insignificant   $0 – $10,000
2              Significant     $10,000 – $100,000
3              Non-Material    $100,000 – $250,000
4              Material        $250,000 – $1,000,000
5              Critical        $1,000,000 and over

Diagnostic testing, which tests the controls in place, produces findings that are fed into a cyber security risk assessment by pairing the vulnerabilities found with the information assets they affect. Control gaps are identified and noted. Recommended controls are identified and documented that, if implemented, would reduce the risk or impact to the organization.

The control recommendations are the output of the risk assessment and provide input to the risk treatment process, during which the recommended procedural and technical security controls are evaluated, prioritized, and agreed to by stakeholders and executive management.

A nice side effect of all of this is that communication between IT and executive management is supported. When IT requests funding to put a control in place, everyone is on the same page as to how that control helps mitigate risk to the organization as a whole.

Nancy Sykora
Sr. Account Executive
