The Coalfire Blog

What is Your Risk Assessment Worth?

December 08, 2011, John Rostern, VP, Technology Advisory and Assessment Services

A risk assessment provides your organization with a tool to determine how, where and how much to invest in controls and security over technology. It also serves to document the risk acceptance policy of your organization, as the acceptable level of risk dictates the level of controls to be implemented. It is also a requisite part of legal and regulatory compliance for Sarbanes-Oxley, HIPAA and PCI, among others. The risk assessment plays a key role in internal processes such as business continuity planning, internal audit planning and overall enterprise risk management. This has led, in many cases, to the risk assessment becoming a ‘check the box’ item. Risk assessment, you ask? Yep, I have one of those. However, an inadequate risk assessment may be preventing your organization from developing and executing an effective information security and technology risk management strategy.

There are many historical examples of the impact a bad risk assessment can have. For example, after World War I, the French invested in a line of fortifications on the border with Germany and Italy. Fearing a repeat of the last war, French Minister of War André Maginot designed and built a series of fixed artillery emplacements and tank barriers, all facing the enemy. However, history tells us that while Maginot correctly identified the source of the risk (Germany), he assumed the next war would be fought the same way as the last. Maginot failed to properly assess the current threats and vulnerabilities he faced, which led to the defeat of France when the German army performed an end-run and attacked France from the north instead of the east (the guns were literally pointed the wrong way!). His perceived ‘risk’ was improperly supported, which led to a massive investment in a defensive line that was ultimately ineffective.

Had Maginot studied risk assessment, he would have realized that risk (R) is the product of threat (T) and vulnerability (V), sometimes expressed as T × V = R. Properly described, risk is the combination of the impact and likelihood of an event that affects the mission, functions, image or reputation of an organization. The overall risk to the organization is the sum of all of the risks described in its Risk Catalog, which represents the portfolio of relevant risks. Following this process can help your organization build appropriate controls and avoid an outcome similar to Maginot's. The overall process for a comprehensive risk assessment may be summarized in the following steps.

  1. Develop a Threat Catalog describing the universe of applicable risks;

  2. Determine the Relevance and Impact of each Threat to produce the Threat Value;

  3. Examine the Vulnerabilities and Pre-Disposing Conditions to determine the value for Vulnerability;

  4. Determine the Inherent Risk as the product of Threat and Vulnerability;

  5. Apply the Risk Treatment process applicable to the organization to the Risk Catalog and determine which risks will be Mitigated in the Controls Environment;

  6. Based on independent testing, determine the Design and Operating Effectiveness of the Controls Environment;

  7. Subtract the Controls Value from the Inherent Risk to determine the Residual Risk; and

  8. Compare the Residual Risk, both in aggregate and for each individual risk, to the Risk Tolerance of the organization.
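To make the arithmetic behind these eight steps concrete, here is an added Python example. It is an illustration written for this page, not Coalfire's code or a method the post prescribes. The post gives no numeric scales, so the relevance, impact, vulnerability and effectiveness scales, the rule for combining several controls on one risk, and every value in the sample catalog are assumptions made for the example.

```python
"""Worked example of the eight-step risk assessment described above.

Added illustration, not Coalfire's code or method. The scoring scales,
the way control effectiveness is combined and the sample catalog are all
assumptions made for this example; the post prescribes none of them.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed scales:
#   relevance        0.0 (threat does not apply) .. 1.0 (fully applicable)
#   impact           1 (negligible) .. 5 (mission-ending)
#   vulnerability    1 (well protected) .. 5 (wide open), from step 3
#   effectiveness    0.0 (none) .. 1.0 (complete), from independent testing (step 6)


@dataclass
class Control:
    name: str
    design_effectiveness: float
    operating_effectiveness: float

    def effectiveness(self) -> float:
        # A control that is well designed but not actually operated (or the
        # reverse) earns little credit: the Maginot Line failure mode.
        return self.design_effectiveness * self.operating_effectiveness


@dataclass
class Risk:
    threat: str                      # step 1: entry in the Threat Catalog
    relevance: float                 # step 2
    impact: int                      # step 2
    vulnerability: int               # step 3
    treatment: str                   # step 5: "mitigate", "accept", "transfer" or "avoid"
    controls: List[Control] = field(default_factory=list)

    def threat_value(self) -> float:
        return self.relevance * self.impact               # step 2

    def inherent_risk(self) -> float:
        return self.threat_value() * self.vulnerability   # step 4: T x V = R

    def controls_value(self) -> float:
        # Step 6. Only risks routed to the Controls Environment in step 5 get credit.
        if self.treatment != "mitigate" or not self.controls:
            return 0.0
        # Assumption: independent controls combine as 1 - prod(1 - e_i),
        # and the combined effectiveness is scaled by the inherent risk.
        uncovered = 1.0
        for control in self.controls:
            uncovered *= 1.0 - control.effectiveness()
        return self.inherent_risk() * (1.0 - uncovered)

    def residual_risk(self) -> float:
        return self.inherent_risk() - self.controls_value()   # step 7


def assess(catalog: List[Risk], risk_tolerance: float, aggregate_tolerance: float) -> Dict:
    """Step 8: compare each residual risk and their sum to the organization's tolerance."""
    residuals = {r.threat: r.residual_risk() for r in catalog}
    aggregate = sum(residuals.values())
    return {
        "residuals": residuals,
        "aggregate": aggregate,
        "over_tolerance": [t for t, v in residuals.items() if v > risk_tolerance],
        "aggregate_within_tolerance": aggregate <= aggregate_tolerance,
    }


def sample_catalog() -> List[Risk]:
    """Constructed sample Risk Catalog (hypothetical values, not from any real assessment)."""
    return [
        Risk("Ransomware delivered by phishing", 1.0, 5, 4, "mitigate", [
            Control("Mail filtering", 0.9, 0.8),
            Control("Offline backups", 0.95, 0.9),
        ]),
        Risk("Insider data theft", 0.6, 4, 3, "mitigate", [
            Control("Data loss prevention", 0.7, 0.5),
        ]),
        # Designed well but never operated: the full inherent risk remains.
        Risk("SQL injection against customer portal", 0.8, 4, 5, "mitigate", [
            Control("Web application firewall", 0.9, 0.0),
        ]),
        Risk("Regional power outage", 0.3, 3, 2, "accept"),
    ]


if __name__ == "__main__":
    report = assess(sample_catalog(), risk_tolerance=5.0, aggregate_tolerance=15.0)
    for threat, residual in report["residuals"].items():
        print(f"{threat:45s} residual risk {residual:6.2f}")
    print(f"aggregate residual risk {report['aggregate']:.2f}")
    print("over tolerance:", report["over_tolerance"])
```

Two design choices carry the post's point. A control is credited with design effectiveness multiplied by operating effectiveness, so a well-designed control that is not operated contributes nothing; in the sample catalog that is the web application firewall, which leaves the SQL injection risk at its full inherent value of 16 and is the only item over the per-risk tolerance. Risks the treatment process did not route to the controls environment (the accepted power outage) keep their inherent risk in the aggregate, which is why the aggregate of about 23.3 also exceeds the assumed tolerance of 15 and should prompt a reallocation of controls rather than a tick in the box.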

This disciplined approach will provide insight into allocation of resources and the alignment of controls with the risks to the core business of the organization.
