Risk Assessment: Because risks are integral to systems

To understand risk assessment, a few terms need to be explained first.

Threats: These are agents or events that can attack the system. The attack may be intentional or accidental, and the threat may come from an internal or an external agent. Threats are present in every system; examples would be natural disasters or virus attacks.

Vulnerabilities: These are weaknesses in the system that a threat can exploit. For example, not having an up-to-date virus detection and prevention system could allow the threat of a virus outbreak to materialize. Another example would be the absence of fire detection (smoke detectors) and damage control (fire extinguishers) mechanisms, which could be exploited by someone who wants to set the place on fire.

Risk: Risk is the potential loss to the organization if a vulnerability is exploited by a threat. It combines the impact of such an event with the likelihood of the event occurring.

Risk assessment, then, is simply identifying the vulnerabilities in the system, enumerating the threats, and assessing the potential loss associated with each threat and vulnerability pair.

How does one go about doing a risk assessment?

The first step in a risk assessment is to identify the organization's tangible and intangible assets. These include applications and servers, hardware, database servers, operating systems, network devices, the information stored on these assets, network and telecom links, computer peripherals, and so on.

Once the assets are identified, a value has to be assigned to each of them. Valuation should take into account the function of the asset, the users who depend on its services, its tangible value, the time and effort it took to build that value into the asset, and the time and cost it would take to recreate or replace it.

Next, all threats present in the system need to be identified, both internal and external. The threats to each asset should be identified and recorded separately, since the same threat can affect different assets in different ways.

The next logical step is to identify and assess the vulnerabilities in the system. Two kinds of vulnerabilities may be present: process related and technology related.

Process-related vulnerabilities would be, for instance, the absence of an incident handling procedure, or poor housekeeping that creates a fire hazard. These can be identified through a process audit.

Technological vulnerabilities would be, for example, the use of default usernames and passwords, or running unnecessary services on a server. Security scans of the infrastructure can identify these. Various scanning tools are available, both commercial and open source; some of the better-known ones are from ISS and Nessus. Note that a scanner only reports the weaknesses it has checks for, so a clean scan is not proof that none exist. Another technique commonly used to identify vulnerabilities is penetration testing, also known as ethical hacking. A penetration testing exercise identifies the vulnerabilities available for an external attacker (the threat) to exploit, by attempting to exploit them the way that attacker would.

After identifying the threats and vulnerabilities, one needs to assess the potential damage an exploit of each vulnerability would cause. This assessment should take into account the controls already in place, since they reduce the impact such an incident would cause. Examples of existing controls are backups of information, detection mechanisms, and the like.

One further factor that must be taken into consideration at this stage is the likelihood of occurrence. Existing controls may prevent a vulnerability from being exploited in the first place, or the potential damage may have been reduced to the point that the asset is no longer attractive to the threat; either lowers the likelihood.

The risk for each threat and vulnerability pair is then obtained by multiplying the potential loss by the likelihood of occurrence.
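As an added worked example (this is not code from the original article), the procedure above expressed as a small Python risk register: assets are valued, each threat is paired with the vulnerability it exploits, a loss per incident and an annual likelihood are estimated, and risk is computed as potential loss times likelihood, here in the standard annualized loss expectancy (ALE) form. Controls reduce impact, likelihood, or both, and the block also applies the cost criterion for controls: a control is worth implementing only if the annual risk it removes is at least its own annual cost. All asset values, exposure factors, rates and control costs are constructed for illustration and are assumptions, not figures from the article.

```python
"""Worked quantitative risk register (constructed example; figures are not from the article).

Follows the procedure described above: value the asset, pair each threat with the
vulnerability it exploits, estimate the loss per incident and the likelihood, then
    risk per year = potential loss x likelihood
expressed with the usual annualized loss expectancy (ALE) terms:
    SLE = asset value x exposure factor     (loss from one incident)
    ALE = SLE x annual rate of occurrence   (expected loss per year)
Existing or proposed controls reduce the exposure factor (impact) and/or the
annual rate (likelihood). A control is justified only when the ALE it removes
is at least its own annual cost.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float                  # cost per year to run the control
    exposure_reduction: float = 0.0     # fraction of the per-incident loss it removes (0..1)
    likelihood_reduction: float = 0.0   # fraction of incidents it prevents (0..1)

    def __post_init__(self):
        for f in (self.exposure_reduction, self.likelihood_reduction):
            if not 0.0 <= f <= 1.0:
                raise ValueError(f"{self.name}: reductions must lie in [0, 1]")


@dataclass
class Risk:
    asset: str
    asset_value: float        # replacement cost plus value of the information it holds
    threat: str
    vulnerability: str
    exposure_factor: float    # fraction of the asset's value lost in one incident (0..1)
    annual_rate: float        # expected incidents per year (likelihood of occurrence)
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0 or self.annual_rate < 0 or self.asset_value < 0:
            raise ValueError(f"{self.asset}: exposure factor must lie in [0, 1]; value and rate must be >= 0")

    def sle(self, with_controls: bool = True) -> float:
        """Single loss expectancy: loss from one incident, after impact-reducing controls."""
        ef = self.exposure_factor
        if with_controls:
            for c in self.controls:
                ef *= 1.0 - c.exposure_reduction
        return self.asset_value * ef

    def aro(self, with_controls: bool = True) -> float:
        """Annual rate of occurrence: expected incidents per year, after preventive controls."""
        rate = self.annual_rate
        if with_controls:
            for c in self.controls:
                rate *= 1.0 - c.likelihood_reduction
        return rate

    def ale(self, with_controls: bool = True) -> float:
        """Annualized loss expectancy = potential loss x likelihood."""
        return self.sle(with_controls) * self.aro(with_controls)

    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.controls)

    def control_justified(self) -> bool:
        """True if the controls remove at least as much ALE per year as they cost per year."""
        return self.ale(False) - self.ale(True) >= self.control_cost()


def rank_by_risk(register: List[Risk], with_controls: bool = False) -> List[Risk]:
    """Highest inherent (or, with controls, residual) risk first: the treatment priority order."""
    return sorted(register, key=lambda r: r.ale(with_controls), reverse=True)


# Constructed sample register; every figure below is an illustrative assumption.
SAMPLE_REGISTER = [
    Risk("File server", 200_000, "Virus outbreak", "No up-to-date antivirus",
         exposure_factor=0.25, annual_rate=2.0,
         controls=[Control("Managed antivirus", 8_000, exposure_reduction=0.5, likelihood_reduction=0.8)]),
    Risk("Server room", 500_000, "Fire", "No smoke detectors or extinguishers",
         exposure_factor=0.9, annual_rate=0.02,
         controls=[Control("Detection and suppression", 4_000, exposure_reduction=0.7)]),
    Risk("Public web server", 50_000, "External attacker", "Default admin password",
         exposure_factor=0.6, annual_rate=1.0,
         controls=[Control("Change default credentials", 100, likelihood_reduction=0.95)]),
    Risk("Desktop PC", 1_500, "Theft", "No physical security",
         exposure_factor=1.0, annual_rate=0.1,
         controls=[Control("Armoured enclosure", 500, likelihood_reduction=0.9)]),  # costs more than it saves
]


if __name__ == "__main__":
    for r in rank_by_risk(SAMPLE_REGISTER):
        print(f"{r.asset:18} {r.threat:18} ALE {r.ale(False):>10,.0f} -> {r.ale(True):>9,.0f}"
              f"  controls {r.control_cost():>6,.0f}/yr  justified={r.control_justified()}")
```

Running the block prints the register ranked by inherent risk, the residual risk after controls, and whether each control passes the cost test; the "Desktop PC" entry is there to show a control that is rejected because its annual cost exceeds the risk it removes. In practice the exposure factors and rates are the hard part and come from the asset valuation, audit and scan results gathered in the earlier steps, not from the arithmetic.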

What are the benefits of doing a risk assessment?

Undergoing a risk assessment helps the organization in:

  • Identifying the threats present in the system
  • Identifying vulnerabilities in the system
  • Assessing the potential losses
  • Designing controls to reduce potential impact
  • Designing controls to reduce the likelihood of occurrence
  • Justifying the controls to be implemented, by ensuring that the cost of implementing a control is not greater than the potential impact it reduces


Copyright 2003-2004 Net ProActive Services. All Rights Reserved.