bptu - Fotolia

Get started Bring yourself up to speed with our introductory content.

What are the best risk assessment frameworks?

A recent survey indicated an increased use of risk assessment frameworks among enterprises. Here's why it's important to choose the right framework for your organization.

A new survey from Southern Methodist University's Darwin Deason Institute for Cyber Security showed that enterprise...

executives are shifting away from compliance as a security investment driver and adopting more proactive security and risk management approaches. Specifically, the survey identified the increased use of security and risk assessment frameworks as a major contributor to this trend. How important are risk assessment frameworks for enterprise security programs, and are there specific ones you'd recommend?

Southern Methodist University's Darwin Deason Institute for Cyber Security published a survey in October 2015 that reported the majority of the 40 executives polled are adopting a more risk-based approach for information security. This is good news, especially since information security frameworks and professional certifications have always taught that risk should drive protection measures.

There are several risk assessment frameworks that are worth mentioning. The NIST SP 800-30 is a frontrunner. Other prominent frameworks include OCTAVE, FAIR and TARA. Industry accepted risk assessment frameworks have the benefit of being vetted by pundits that understand comprehensive methodologies. It's a good idea for enterprises to use them since developing their own would introduce the likelihood of missing segments that might skew the understanding of risk. They are also more readily accepted by assessment and audit groups that review the risk assessments for compliance.

Risk can be accepted, mitigated or transferred. One can do nothing (accept), reduce the risk (mitigate) or buy insurance (transfer). Risk assessment frameworks provide the methodology to do all three. They can be quantitative or qualitative. Quantitative risk frameworks use calculated algorithms to discretely and objectively identify value of assets, threats, vulnerabilities, likelihood and confidence levels. Qualitative risk frameworks identify the same aspects, but are more subjective and provide a general indication of significant areas of risk that should be addressed.

Vetting the risk assessment results also benefits the security team when it presents its findings to executive management. These include:

  • Better understanding of IT and security risks related to the business model;
  • Justification in the budgeting process for additional resources, services and tools;
  • Assurance that the information security program is focused on proper protection of the right assets; and
  • Confidence that the CISO is managing the information security program well.

Many times compliance overrides risk. If a control or process is required by regulation, it needs to be deployed. However, the risk assessment frameworks, which should include compliance risk, will describe to what level the controls need to be implemented. Without a proper view of risk, the information security program might omit proper levels of controls or it might also over-control and eventually incur the enterprise unnecessary costs.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Learn the best risk analysis method for enterprises

Find out what CISOs need to include in security reports

Discover some way to make security assessment reports more engaging

Create a simple risk assessment analysis in these five steps

This was last published in April 2016

Dig Deeper on Risk assessments, metrics and frameworks