
What steps are involved in assessing risk?

In this identity management and access control Ask the Expert Q&A, SearchSecurity's resident expert reviews the processes involved when conducting a risk assessment.

What steps are involved in assessing risk?

Risk assessment is a complex topic beyond the scope of these few paragraphs, but it is at the heart of information...


In order to secure a system, you must first determine the level of risk to it. The higher the level of risk, the more protection it needs. You don't want to spend your information security budget on protecting a low-risk system; you want to spend it on high-risk systems, those that might house sensitive customer data or handle financial transactions, for example. While this may sound like common sense, few organizations adequately assess IT risk. They end up squandering their budgets and resources indiscriminately, under-protecting their most sensitive IT assets and over-protecting those of low value.

Roughly, risk assessment consists of reviewing three things about your IT infrastructure: the threats to it, its vulnerabilities and the resulting risk. For example, the threat could be a hacker gaining access to a database housing your customer information. The vulnerability is that the database is outdated and doesn't have the latest security patches installed. The risk, therefore, might be high because the system is unpatched, sits on an unprotected network without a firewall and is connected directly to the Internet.

This scenario is highly improbable in a company that has an experienced information security staff, but it still illustrates the point. Since we know the risk is high and very likely to materialize, we know we need mitigating controls. We've assessed the risk and know where and how to secure our vulnerable IT asset. In this case, the risk assessment tells us to first patch the server, block the firewall ports used to reach the server and sever its connection to the Internet.
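The walkthrough above (threat, vulnerability, resulting risk, then controls in priority order) can be turned into a small, repeatable scoring step. The following is an added illustration, not code from SearchSecurity or from NIST: it models each asset's exposure factors from the scenario (unpatched, no firewall, directly Internet-connected), derives a qualitative likelihood, combines it with the asset's data sensitivity as the impact using a five-level likelihood-by-impact lookup in the style of the NIST SP 800-30 qualitative matrices (the exact table is an assumption, simplified here), and ranks the inventory so the budget goes to the highest-risk systems first. The asset records are constructed sample data.

```python
"""Qualitative risk scoring and prioritization for a small asset inventory.

Added example; the scales, lookup table and asset records are constructed
for illustration and are not the SearchSecurity author's or NIST's code.
"""
from dataclasses import dataclass

# Five-level qualitative scale, lowest to highest.
LEVELS = ["very low", "low", "moderate", "high", "very high"]

# Risk as a function of likelihood (row) and impact (column index into LEVELS).
# Simplified approximation of a SP 800-30 style matrix (assumption).
RISK_MATRIX = {
    "very high": ["very low", "low", "moderate", "high", "very high"],
    "high":      ["very low", "low", "moderate", "high", "very high"],
    "moderate":  ["very low", "low", "moderate", "moderate", "high"],
    "low":       ["very low", "low", "low", "low", "moderate"],
    "very low":  ["very low", "very low", "very low", "low", "low"],
}


@dataclass(frozen=True)
class Asset:
    name: str
    data_sensitivity: str   # impact driver; one of LEVELS
    patched: bool           # latest security patches installed?
    firewalled: bool        # sits behind a firewall?
    internet_facing: bool   # directly reachable from the Internet?


def likelihood(asset: Asset) -> str:
    """Likelihood of the threat materializing, from exposure factors.

    Starts at 'low' and rises one level for each factor named in the
    scenario: unpatched, unprotected by a firewall, directly on the Internet.
    """
    if asset.data_sensitivity not in LEVELS:
        raise ValueError(f"unknown sensitivity level: {asset.data_sensitivity}")
    score = 1  # index of 'low'
    score += 0 if asset.patched else 1
    score += 0 if asset.firewalled else 1
    score += 1 if asset.internet_facing else 0
    return LEVELS[min(score, len(LEVELS) - 1)]


def risk_level(asset: Asset) -> str:
    """Combine likelihood with impact (data sensitivity) via the matrix."""
    return RISK_MATRIX[likelihood(asset)][LEVELS.index(asset.data_sensitivity)]


def recommend_controls(asset: Asset) -> list[str]:
    """Mitigating controls in the order the walkthrough applies them."""
    controls = []
    if not asset.patched:
        controls.append("apply missing security patches")
    if not asset.firewalled:
        controls.append("block firewall ports used to reach the server")
    if asset.internet_facing:
        controls.append("sever the direct Internet connection")
    return controls


def prioritize(assets: list[Asset]) -> list[tuple[str, str]]:
    """Rank assets highest risk first; ties broken by name for stable output."""
    ranked = sorted(
        assets,
        key=lambda a: (-LEVELS.index(risk_level(a)), a.name),
    )
    return [(a.name, risk_level(a)) for a in ranked]


# Constructed sample inventory (not real systems).
CUSTOMER_DB = Asset("customer-db", "very high", patched=False,
                    firewalled=False, internet_facing=True)
PAYROLL = Asset("payroll", "high", patched=True,
                firewalled=True, internet_facing=True)
TEST_BOX = Asset("test-box", "very low", patched=True,
                 firewalled=True, internet_facing=False)
SAMPLE_ASSETS = [TEST_BOX, PAYROLL, CUSTOMER_DB]

if __name__ == "__main__":
    for name, level in prioritize(SAMPLE_ASSETS):
        asset = next(a for a in SAMPLE_ASSETS if a.name == name)
        print(f"{name:12s} risk={level:10s} controls={recommend_controls(asset)}")
```

The ordering produced by `prioritize` is the budget allocation argument from the answer in executable form: the unpatched, unfirewalled, Internet-facing customer database lands at the top, and the low-value test box at the bottom, so effort is not spread indiscriminately across both.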

Keep in mind, it's not just about IT risks and securing servers and Web sites. Compromised IT systems can result in loss of data, outages and malicious use, all of which can damage a business's reputation or worse.

For more information on risk assessments, visit the National Institute of Standards and Technology Web site at http://csrc.nist.gov. Its Computer Security Resource Center contains risk assessment methodologies widely used and recommended by information security professionals.


  • Learn how to conduct a risk analysis.
  • Review the risk management process.

This was last published in July 2006.
