NIST defines risk analysis as “the process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact” and considers the term synonymous with risk assessment.48 Risk analysis is what we do to determine the risks we need to control. For example, we may look at the expected returns that can be realized by investing in the stock market and our relative knowledge and experience in making such investments. We may want to recognize our limitations as well as the quality of the sources of information we use to make investment decisions, as either could result in poor decision-making. And of course, it might also be a good idea to consider how investing could adversely impact the family budget.

With an asset-based approach to information protection, an organization must first determine its information protection needs and then inventory and categorize the information assets that require protection, as shown in the figure below. While these first steps are certainly no easy feat, the next three steps—threat, vulnerability, and impact analysis—are arguably as difficult if not more difficult for many organizations due to a lack of skilled resources or, as in the case of many smaller organizations, the budget needed to outsource the analysis to a third-party consultant or professional services firm.

Figure 3. Typical 7-Step Risk Analysis Process

Consider threat identification, for example. There is no generally accepted list of common threats to sensitive and/or critical information, and resources that provide more general threat information are often inconsistent with one another (e.g., the Bundesamt für Sicherheit in der Informationstechnik (BSI) Elementary Threats of the IT-Grundschutz-Compendium49,50 and the European Union Agency for Network and Information Security (ENISA) Threat Taxonomy51) or are incomplete when compared with other threat lists (e.g., NIST SP 800-3052).53 The final few steps involve calculating the risk, ranking the risks in order of severity, and developing an overall strategy to address the risks, which generally involves some combination of avoidance, acceptance, transfer, and mitigation.

Some organizations, e.g., the U.S. Department of Health and Human Services (HHS), take a slightly different approach by incorporating a controls gap analysis as one of the elements required of a risk analysis.54 This approach presumes organizations already have at least some security controls in place before conducting their first analysis, but additional controls or the remediation of existing controls may still be needed to adequately address all potential risks to an entity’s electronic Protected Health Information.

This approach to risk analysis is also similar to the implementation approach outlined in the NIST Framework for Improving Critical Infrastructure Cybersecurity,55 more commonly known as the NIST Cybersecurity Framework.

But whether control specification occurs at the end of the risk analysis or, as in the model presented here, just after it, control specification follows information classification, asset categorization, threat analysis, vulnerability analysis, and the calculation, ranking, and treatment of risk, as shown in Figure 8.

Figure 4. Custom Control Specification Based on the Risk Analysis Process
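The calculation, ranking, and treatment steps above, together with an HHS-style controls gap check, as an added illustration that is not part of the handbook: the 1-5 rating scale, the likelihood x impact scoring, the treatment thresholds, and the asset register are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data on a hypothetical 1-5 scale, not from the handbook;
# risk = likelihood x impact is one common way to do step 6 before step 7.

@dataclass
class Risk:
    asset: str                  # step 2: categorized information asset
    threat: str                 # step 3: threat event or source
    vulnerability: str          # step 4: weakness the threat can exploit
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    impact: int                 # step 5: 1 (negligible) .. 5 (severe)
    required_controls: frozenset = frozenset()  # controls the analysis calls for
    insurable: bool = False     # loss could realistically be transferred
    @property
    def score(self) -> int:     # step 6: calculate the risk
        return self.likelihood * self.impact

def rank(risks):
    """Step 7: order by severity (highest first); ties broken by asset name."""
    return sorted(risks, key=lambda r: (-r.score, r.asset))

def treatment(risk, appetite=6):
    """Step 7: avoid / transfer / mitigate / accept. Thresholds are a hypothetical policy."""
    if risk.score >= 20:
        return "avoid"          # intolerable: stop the activity or retire the asset
    if risk.score > appetite and risk.insurable and risk.likelihood <= 2:
        return "transfer"       # rare but costly: insurance or outsourcing
    if risk.score > appetite:
        return "mitigate"       # specify additional controls
    return "accept"             # within appetite: document and monitor

def controls_gap(risk, in_place):
    """HHS-style gap analysis: required controls not yet implemented."""
    return set(risk.required_controls) - set(in_place)

def sample_register():
    """Constructed register of asset / threat / vulnerability triples."""
    return [
        Risk("ePHI database", "ransomware", "unpatched DB host", 3, 5,
             frozenset({"patching", "offline backups", "MFA"})),
        Risk("legacy FTP server", "credential sniffing", "cleartext protocol", 5, 4),
        Risk("backup tapes in transit", "theft", "unencrypted media", 2, 5, insurable=True),
        Risk("HR file share", "insider misuse", "broad share permissions", 2, 3),
    ]

if __name__ == "__main__":
    in_place = {"patching", "MFA"}      # constructed: controls already implemented
    for r in rank(sample_register()):
        print(f"{r.score:>2}  {r.asset:<24} {treatment(r):<8} gaps={sorted(controls_gap(r, in_place))}")
```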

48 NIST (2022b).

49 Bundesamt für Sicherheit in der Informationstechnik, BSI (2013). IT-Grundschutz-Compendium, Edition 2021. Bonn, GE: Author.

50 English versions are published only as drafts and may contain errors or differences from the German versions. Note that an English version of the latest release for 2022 was unavailable at the time this handbook was written.

51 European Union Agency for Network and Information Security, ENISA (2016). ENISA Threat Taxonomy. Heraklion, GR: Author.

52 JTF TI (2012, Sep).

53 Reference the HITRUST threat/risk catalog here.

54 Department of Health and Human Services, HHS (2010). Guidance on Risk Analysis under the HIPAA Security Rule.

55 NIST (2018, 16 Apr). Framework for Improving Critical Infrastructure Cybersecurity (v1.1). Gaithersburg, MD: Author.