What is the purpose of cybersecurity risk assessment?

Source: Internet
Author: User

In today's information security field, risk management seems to have become synonymous with information security; the two are treated as inseparable. Before building a comprehensive security system, a risk assessment is required, and risk assessment appears in almost every security document, standard and specification. Few people seem to question whether it is needed at all.

But here I still want to ask: "What is the purpose of risk assessment?" and "Why should we conduct one?" Without a clear answer to these questions, it is easy to put the cart before the horse.

In many talks I have said that risk assessment serves two purposes: reporting and supporting action decisions.

Evaluation for report purposes

Here the purpose is to evaluate something and produce a report. The result should express a qualitative conclusion such as good/bad or serious/not serious, or a quantified conclusion about the degree of risk. The main use of such a conclusion is comparison, which takes several forms:

Comparison across time, for example an organization's past state versus its present state; comparison between different organizations at one point in time, which shows who is more exposed and who protects the organization better; and comparison against a benchmark, which is something like a compliance comparison.

Reports are meant to give readers an overall picture of the situation, and comparison is exactly what provides that picture.

Compliance evaluation

Compliance comparison is a special case of evaluation for the purpose of reporting. To make compliance easier to compare, the concept of a "class" or grade is often introduced. In our country, classified protection follows a similar idea.

For example, the grading step in classified protection evaluates only the value of the assets and threats in the narrow sense; it is itself a special form of risk assessment.

Evaluation for the purpose of action decision-making

The most typical form of evaluation for action decision-making is this: identify the institution's risks, rate them, sort them and filter out the top 10 that need to be addressed, and then have the organization immediately handle and control those risks.

For this purpose there is no meaningful difference between two risks scored 1005 and 1000; what matters is that risks which differ greatly are identified as differing greatly.

For this purpose it is not necessary to evaluate and calculate every element of the theoretical risk model, as long as the method lets us roughly differentiate the risks. Therefore, in many of the risk assessments I carry out, I do not analyze threats in the narrow sense but use event analysis instead. Likewise, the grading in classified protection evaluates only asset value and threats in the narrow sense and ignores other factors. Results obtained this way still provide sufficient support for action decisions.
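To make the "1005 versus 1000" point concrete, here is an added example (not code from the original post) of the coarse, decision-oriented ranking described above: loss events are scored roughly, bucketed into order-of-magnitude bands, and whole bands are taken from the top until enough risks are shortlisted. The event names, frequencies, loss figures and band thresholds are all constructed for illustration.

```python
"""Added example (not from the page): coarse risk ranking for action decisions."""
from dataclasses import dataclass

# Order-of-magnitude cut-offs for annualised loss (assumed values). The bands
# are deliberately coarse because the estimates feeding them are rough.
BAND_THRESHOLDS = (100, 1_000, 10_000, 100_000)


@dataclass(frozen=True)
class LossEvent:
    """One loss event from event analysis; frequency and loss are estimates."""
    name: str
    frequency: float  # expected occurrences per year
    loss: float       # expected loss per occurrence, in currency units


def annual_loss(event: LossEvent) -> float:
    """Fine-grained score: annualised loss expectancy."""
    return event.frequency * event.loss


def band(event: LossEvent) -> int:
    """Coarse score: how many thresholds the annual loss reaches (0..4)."""
    return sum(1 for t in BAND_THRESHOLDS if annual_loss(event) >= t)


def rank_by_annual_loss(events):
    """Full ordering by fine score; it separates 1005 from 1000 even though
    that gap is far below the precision of the underlying estimates."""
    return [e.name for e in sorted(events, key=annual_loss, reverse=True)]


def shortlist(events, n):
    """Risks to treat first: take whole bands from the highest downward until
    at least n events are collected. A band is never split, so risks that
    differ only marginally are treated as equally urgent."""
    chosen = []
    for b in sorted({band(e) for e in events}, reverse=True):
        if len(chosen) >= n:
            break
        chosen.extend(e.name for e in events if band(e) == b)
    return sorted(chosen)


# Constructed register with made-up figures; the 1005-vs-1000 pair mirrors
# the comparison in the text.
REGISTER = [
    LossEvent("ransomware on file servers", 0.5, 100_000),   # 50,000 / year
    LossEvent("phishing credential theft", 4.0, 5_000),      # 20,000 / year
    LossEvent("lost unencrypted laptop", 1.0, 1_005),        #  1,005 / year
    LossEvent("misconfigured storage bucket", 0.2, 5_000),   #  1,000 / year
    LossEvent("stale contractor account", 0.2, 400),         #     80 / year
]
```

Asking for a top 3 returns four risks, because the laptop and storage-bucket events sit in the same band and the method refuses to treat one while ignoring the other.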

Apart from the two purposes described above, does risk assessment serve any other purpose?
