Risk Assessment in Information Security [source: infosecurity-magazine]

Risk assessment is a systematic method of analyzing risk. It started in the nuclear and aeronautical industries, and has now spread to many other industries including the finance, transportation, power system, public health, shipping and fishing industries.

Risk assessment tries to answer three questions:

  1. What can go wrong?
  2. How likely is it?
  3. How serious are the consequences?

Risk assessment has different roles in different industries. For instance, system adequacy and system security are two basic tasks in power system risk assessment, but enterprise risk assessment tries to identify and evaluate events that could affect the achievement of business objectives.

According to ISO27005, information security risk assessment (ISRA) is “the overall process of risk identification, risk analysis and risk evaluation”. In fact, ISRA provides a complete framework of assessing the risk levels of information security assets.

ISRA is a widely used method in industries which require keeping information secure. In fact, information exists everywhere and has a very close relationship to our lives. Private and public sectors collect personal information. More and more individuals share their daily life on social networks such as Facebook and Instagram.

Maintaining the security of all users’ information becomes a hot issue for network and platform providers. ISRA helps the providers to identify risks associated with information systems and to implement security controls by following information security standards and regulations.

Risk analysis is an important part of ISRA. Its methods can be divided into three categories: quantitative, qualitative and synthetic. A quantitative approach constructs complicated mathematical models to obtain more accurate results, but it is not easy to collect historical data to support the models.

In a qualitative method, it is easy to collect data based on experts’ opinions or questionnaires but this can be too subjective. Synthetic risk analysis methods can overcome the limitations of traditional quantitative and qualitative approaches by applying fuzzy and Analytic Hierarchy Process theory, which provides a decision making model.

For more, click here.