The security risk assessment process is one of the most important steps of an organization’s overall information security risk management activities.
Once the information security risks are identified from different risk sources, the likelihood of the occurrence of information security is assessed. Assessing the likelihood is subjective because relevant data or information is unavailable to the organization that accurately predicts the likelihood of a particular information security risk.
Information Security Risk Assessment Process
To assess the likelihood of information security risks, the organization may consider various factors such as past incidents, the prevalence of information security risk in the industry, internal control environment, available resources to address data fraud, data fraud prevention efforts by management, ethical standards followed, unexplained losses, customer complaints, etc.
Once the likelihood of information security risks is assessed, the frequency of occurrence of the information security incidents is assessed. The frequency is assessed based on the availability of past or historical information about the information security incidents.
The frequencies of occurrence of data or information frauds or incidents may be defined as follows:
- Very frequent means the information security risk is expected to occur daily or multiple times daily. Such risks may not impact high, but due to a large number of occurrences, the impact may be high over a particular period. An example may include a large amount of critical customer data accessed by unauthorized employees multiple times a week.
- Frequent means the information security risk is expected to occur frequently, which may be once a day, every two days, or weekly. Such information security risks may also not impact high, but due to a large number of occurrences, the cumulative impact may be high over a particular period. An example may include a small amount of critical customer data accessed by an unauthorized employee multiple times a month.
- Reasonably frequent means the information security risk is expected to occur every week or month. Such fraud risks may have a high impact due to fewer fraud incidents over a particular period. An example may include a small amount of critical customer data accessed by an unauthorized employee more than once in a six-month period.
- Occasional means the information security risk incidents do not occur frequently, but the fraudster conducts fraud on certain occasions. Such types of fraud may have high impacts because they may be backed by proper planning by the fraudsters to gain as many personal benefits as possible. An example may include a small amount of critical customer data accessed only once in multiple years.
- Rare means the information security incident occurs once over the years but impacts high both in terms of reputational and financial losses to the organization. Such types of information security incidents usually involve a large number of fraudsters, which may be dispersed in different jurisdictions and locations. Examples may include cyber-attacks on large national organizations to gain and use confidential information.
Similarly, for information security risk occurrence, the definitions are made by the organization, such as the following:
- Almost certain means the chances of risk occurrence are very high, which may be more than 90 percent chance.
- Likely means the chances of occurrence of risk range between 65 to 90 percent.
- Reasonably possible means the chances of occurrence of risk range between 35 to 65 percent.
- Unlikely means the chances of occurrence of risk range between 10 to 35 percent.
- Remote means the chances of occurrence of risk are less than 10 percent.
Based on general assessment and utilization of available information, the information security risk assessor develops or designs the preventive and detective controls in various processes and activities of the organization. The preventive and detective controls are mostly implemented in high-risk processes, where the chances of occurrence of information security incidents are high. Such processes include servers, networks, systems, applications, online service delivery channels, etc.