In today's information security field, risk management seems to have become synonymous with information security. Security appears inseparable from risk management: before building a complete security system, a risk assessment is required, and risk assessment shows up in almost every security document, security standard, and security specification. Hardly anyone in the world seems to question whether a risk assessment is needed at all.
But here I still want to ask: "What is the purpose of risk assessment?" "Why should we conduct risk assessment?" If this question is not answered clearly, the means and the end may easily end up reversed.
In many talks, I have often stated that risk assessment has two purposes: reporting and decision-making support.
Assessment for reporting purposes
The purpose here is to assess a result and produce a report. That result should express either a qualitative conclusion, such as good/bad or serious/not serious, or a quantified conclusion about the degree of risk. The main use of such a conclusion is comparison. This comparison includes:
Comparison across time points, for example how an organization's risk in the past compares with now;
Comparison between different organizations at one time point, which can show who is more at risk and who protects their organization better;
Comparison against a benchmark, which is somewhat like a compliance comparison.
Reports are usually meant to give readers an overall picture of the situation, so describing this as a "comprehensive comparison" is quite apt.
Compliance assessment
Compliance comparison is a special case of assessment for reporting purposes. To make compliance easier to compare, the concept of "classification" is often introduced. In our country, classified protection and graded protection are similar ideas.
For example, the grading step in classified protection assesses the value of assets and threats in the narrow sense; it is itself a special form of risk assessment.
Assessment for the purpose of action decision-making
For the purpose of action decision-making, the most typical form is: identify the organization's risks, rate them through assessment, sort them and pick out the top 10 risks that need to be addressed, and then immediately treat and control those risks.
For this purpose, there is no meaningful difference between two risks scored 1005 vs. 1000; what matters is being able to tell apart risks whose scores differ greatly.
For this purpose, it is not necessary to assess and calculate every element of the theoretical risk model, as long as the assessment method helps us roughly differentiate the risks. Therefore, in many of the risk assessments I have carried out, I do not analyze threats in the narrow sense, but instead use event analysis. For example, the grading in classified protection only assesses the value of assets and threats in the narrow sense and does not consider other factors. Even so, these results can provide sufficient support for action decision-making.
Apart from the purposes described above, does risk assessment have any other purpose?