Risk analysis and risk management

Information is one of the organization's most important assets. These information assets must be protected against threats so that they are not destroyed or fall into the wrong hands.

A threat is a possible incident. The risk of the incident occurring depends on the probability of the threat and the consequence of the threat. The higher the probability that a certain incident will occur and the greater the consequence such an incident would have if it occurs, the higher the risk.

Risks need to be managed to minimize potential harm, but first the risks must be analysed.

Risk analysis

In order for an organization to be able to protect itself against possible future information damage, one must start by conducting a risk analysis.

A risk analysis is a systematic way of identifying threats which are then evaluated based on their probabilities and consequences.

Probability

Assessing probabilities can be difficult due to the constant nature of information security. It is not enough to just start from your own and others' experiences, what has happened before i.e., known probabilities. In order to make a more realistic probability assessment, you must try to interpret developments and trends within society and one's own industry and make as realistic an assessment as possible of future probabilities.

The probability of an event can be graded in:

  • Unlikely

  • Potential

  • Likely

  • Most likely

Consequence

Assessing consequences is also not easy. It can be difficult to assess damages and costs for an incident that has already occurred. It is, of course, even more difficult to assess the consequences of a possible incident that has not yet occurred, which you must try to do in a risk analysis.

The consequence of an event can be graded in:

  • Smaller

  • Moderate

  • Considerable

  • Critical

The risk analysis can be associated with great difficulties, but in the work with the analysis, the organization must, with both its own resources and knowledge and outside help, try to make an analysis of the risks that is as realistic as possible. The purpose of risk analyzes is to provide support for which security measures need to be introduced.

The basis of the entire risk analysis is to identify threat scenarios. After all, it is these that must then be evaluated in terms of probability and consequence.

If one fails to identify an important threat, it will not be a known risk that needs to be addressed with security measures.

Surveillance of threat images must be done continuously.

Risk management

Once the risks have been analysed, they must be managed i.e., you must plan for what measures must be taken to minimize the risks.

Here, it is important to find a good balance and the right level of security work and to be able to justify the necessary measures, investments, and efforts. 

Risk management is a systematic way to protect a business's resources against damage risks so that the business's goals can be achieved with a minimum of disruption.

The balance of an event's probability and consequence yields a value that we call the risk factor.

The risk factor can be the basis for how to manage the risk. 

The risk factor and risk management can be graded as follows:

  • Negligible risk - accept

  • Low risk - monitor

  • Medium risk – plan a risk-reducing action

  • High risk - immediate action

Unacceptable risks must be eliminated or reduced to an acceptable level by means of safety measures. Security protection can be preventive or restorative.

Preventive protection is aimed at reducing the probability of an injury.

Restorative protections are aimed at reducing the consequence/damage.

Do you need help with your cyber security? Learn more about our cyber security reviews!