Identify potential threats before they become an issue.

Risk assessments are designed to provide a clear indication of those organizational information assets that are at risk for a security breach. This allows for the informed, intelligent application of cybersecurity resources that are appropriate to secure those assets. The National Institute of Standards and Technology (NIST) framework — which was created through collaboration between industry and government — consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The NIST cybersecurity framework states that the goal of a risk assessment is for an organization to understand the cybersecurity risk to organizational assets, individuals and organizational operations, including mission, functions, image, or reputation.

A risk assessment will identify information assets that could be affected by a cyber-attack, such as hardware, systems, laptops, customer data and intellectual property, and then report the various risks that could affect those assets. Third parties, suppliers, contractors and a mobile connected workforce also fall within the scope of a risk assessment.

The Six Steps to Conduct a Risk Assessment

The National Institute of Standards and Technology (NIST) created the NIST Cybersecurity Framework Risk Assessment category that outlines the following steps:

1. Asset vulnerabilities are identified and documented.
2. Threat and vulnerability information is received from informed sources.
3. Threats, both internal and external, are identified and documented.
4. Potential business impacts and likelihoods are identified.
5. Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
6. Risk responses are identified and prioritized.