Codepath

Risk Assessment

Risk assessment is a standard security practice. The goal is to assess the risk of threats before attacks arrive. Knowing what threats are likely and the damage they may cause facilitates decision making, sets priorities, and allows for the creation of mitigation plans.


Risk Assessment Models

There are many models used by companies and consultants for risk assessment. Even though they vary, they all follow similar guidelines, and understanding a few of the most popular models will provide the conceptual foundation needed to use the others.

Risk assessment has four fundamental steps:

  1. Identify potential threats
  2. Identify potential vulnerabilities
  3. Assess the impact (harm, loss) of an exploited vulnerability
  4. Assess the likelihood that the vulnerability will be exploited

Potential threats are both people and events which could cause harm or loss. They fall into one of four categories: malicious attacks (online or physical), human errors, failures of resources which are under the organization's control (environment, network, hardware, software), and uncontrollable disasters whether they be natural or man-made.

The Microsoft Threat Model further classifies these threats by the type of exploit or the motivation. It has six threat categories which use the acronym "STRIDE".

  • S: Spoofing identity
  • T: Tampering with data
  • R: Repudiation
  • I: Information disclosure
  • D: Denial of service
  • E: Elevation of privilege

Most of those are probably self-explanatory. "Repudiation" is the idea that a user could dispute transactions if there is not enough auditing or record-keeping to validate that it happened.


The Financial Risk Assessment expresses risk as a cost in dollars.

Risk = Financial Impact ($) x Likelihood (%)

Distilling risk down to a simple dollar amount facilitates comparisons against other risks which allows decision makers to set priorities. It also allows for a comparison against the costs of prevention. For example, a million dollar fix to a thousand dollar risk would not be a smart investment. The disadvantage of this assessment is that financial impact and likelihood are often not easy-to-determine single values and include many other variables.


The OWASP Risk Assessment rates threats, vulnerabilities, impact, and likelihood on a scale from 0-9. The results are averaged and applied to a grid to identify risks which are both high-impact and highly-likely.


The Microsoft Risk Assessment quantifies the risk of each threat by using five categories of impact and likelihood and then rating each category from 0 to 10. The five categories correspond to the acronym "DREAD".

  • D: Damage Potential (impact)
  • R: Reproducibility (likelihood)
  • E: Exploitability (likelihood)
  • A: Affected users (impact)
  • D: Discoverability (likelihood)
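The three scoring models above (the Financial formula, the OWASP 0-9 factor grid, and Microsoft's DREAD) side by side, as an added Python example that is not part of the original page. The OWASP bucket thresholds and severity grid, and the averaging of DREAD categories into one score, are assumptions taken from the common published forms of those methodologies; the sample threat scores are constructed.

```python
from statistics import mean

def financial_risk(impact_usd: float, likelihood: float) -> float:
    """Financial model: Risk = Financial Impact ($) x Likelihood, with likelihood as a fraction 0..1."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability between 0 and 1")
    return impact_usd * likelihood

def worth_fixing(impact_usd: float, likelihood: float, fix_cost_usd: float) -> bool:
    """Compare expected loss against the cost of prevention (the million-dollar-fix test)."""
    return financial_risk(impact_usd, likelihood) > fix_cost_usd

def _owasp_bucket(avg: float) -> str:
    # Thresholds assumed from the OWASP Risk Rating Methodology: <3 LOW, <6 MEDIUM, else HIGH.
    return "LOW" if avg < 3 else "MEDIUM" if avg < 6 else "HIGH"

# Assumed OWASP severity grid, indexed [impact bucket][likelihood bucket].
_OWASP_GRID = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}

def owasp_severity(likelihood_factors, impact_factors) -> str:
    """OWASP model: each factor scored 0-9, averaged per axis, then looked up on the grid."""
    for score in (*likelihood_factors, *impact_factors):
        if not 0 <= score <= 9:
            raise ValueError("OWASP factors are scored 0-9")
    impact = _owasp_bucket(mean(impact_factors))
    likelihood = _owasp_bucket(mean(likelihood_factors))
    return _OWASP_GRID[impact][likelihood]

def dread_score(damage, reproducibility, exploitability, affected_users, discoverability) -> float:
    """DREAD: five categories rated 0-10; averaged here (an assumption) into one 0-10 score."""
    scores = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 0 <= s <= 10 for s in scores):
        raise ValueError("DREAD categories are rated 0-10")
    return mean(scores)

if __name__ == "__main__":
    # Constructed sample threat (hypothetical): an injection flaw in a customer-facing search form.
    print("financial:", financial_risk(250_000, 0.2), "fix it?", worth_fixing(250_000, 0.2, 20_000))
    print("owasp:", owasp_severity(likelihood_factors=[6, 7, 8, 5], impact_factors=[7, 9, 6, 8]))
    print("dread:", dread_score(8, 9, 7, 9, 6))
```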