Risk Assessment

What is the Risk Assessment module?

The Risk Assessment module allows you to conduct a cyber risk assessment for your organization, as required by the NIST 800-171 standard. The module incorporates Totem's "Assumed Risk" assessment methodology, in which the organization's risk assessor

  1. selects an Impact value for each of a list of standard threat events that may befall a given asset class, and then
  2. identifies risk mitigators the organization already has in place across the four control types -- Avertive, Preventive, Detective, Corrective -- that may reduce the likelihood of the threat event succeeding.


What is the difference between Asset Types and Threat Events?

  • Asset types are "classes" of assets your business may employ as part of the IT system that handles sensitive or protected information. Assets are the things of value your organization operates, and therefore the things that may impact the organization negatively should they be compromised by a cyber attack.
  • Threat events are the result of a threat actor attempting to exploit an asset vulnerability during a cyber attack. Any cyber attack would result in one of the following types of threat events:
    • Social Engineering  
    • Unauthorized access to data or system  
    • Unauthorized use of data or system  
    • Unauthorized disclosure of data  
    • Disruption of data or system availability  
    • Unauthorized modification of data or system  
    • Unauthorized destruction/loss of data or system

The Totem™ Risk Assessment module contains several "canned" asset types and threat events, but you can add or subtract those types as you see fit.



What do the different risk levels mean?

  • High risk: potential for catastrophic or irrecoverable damage to the organization. High risk MUST be addressed by employing additional risk mitigators, in the form of security controls.
  • Moderate risk: potential for significant or costly -- but recoverable -- damage to the organization. Moderate risk SHOULD be addressed by employing additional risk mitigators, in the form of security controls.
  • Low risk: potential for minimal damage to the organization. Low risk MAY be addressed by employing additional risk mitigators, in the form of security controls.


How does the Risk Assessment module calculate my risk level?

Risk for each Asset Type <--> Threat Event element is calculated from Impact and Likelihood according to the matrix shown in the following figure:

[Figure: assumed-risk-assess-method-risk-calc-matrix (Impact x Likelihood risk calculation matrix)]

Impact is selected by the user, as Low, Moderate, or High in the Risk Assessment workflow.

Likelihood is calculated by the Totem™ tool, factoring in how many risk mitigators (controls) the user inputs for each of the four control types for a given Asset Type <--> Threat Event element. By default, an organization must have all four control types in place to have Low likelihood, and three control types in place for Moderate likelihood. Otherwise (with none, one, or two control types in place), the likelihood is marked as High.
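The following is an added worked example, not Totem's own code, that implements the likelihood rule exactly as described above (four control types covered gives Low likelihood, three gives Moderate, otherwise High) and the MUST/SHOULD/MAY guidance from the risk-level section. Because the page's Impact x Likelihood matrix is an image that is not reproduced here, the `ASSUMED_RISK_MATRIX` lookup is an assumption standing in for it; the control-type names, the sample asset/threat-event pair and the sample mitigators are constructed for illustration.

```python
"""Added example: assumed-risk calculation for one Asset Type <--> Threat Event
element, following the likelihood rule stated on the page. Not Totem's code."""
from typing import Dict, List

# The four control types named on the page.
CONTROL_TYPES = ("Avertive", "Preventive", "Detective", "Corrective")
LEVELS = ("Low", "Moderate", "High")


def likelihood(mitigators: Dict[str, List[str]]) -> str:
    """Page rule: all four control types covered -> Low likelihood,
    three covered -> Moderate, otherwise (0, 1 or 2) -> High.
    `mitigators` maps a control type to the mitigators in place for it."""
    unknown = set(mitigators) - set(CONTROL_TYPES)
    if unknown:
        raise ValueError(f"unknown control type(s): {sorted(unknown)}")
    # A control type only counts as "in place" if at least one mitigator is listed.
    covered = sum(1 for ct in CONTROL_TYPES if mitigators.get(ct))
    if covered == 4:
        return "Low"
    if covered == 3:
        return "Moderate"
    return "High"


# ASSUMPTION: the page's risk matrix is an image not reproduced here; this
# symmetric 3x3 lookup (keyed by (impact, likelihood)) is a stand-in for it.
ASSUMED_RISK_MATRIX = {
    ("High", "High"): "High",     ("High", "Moderate"): "High",     ("High", "Low"): "Moderate",
    ("Moderate", "High"): "High", ("Moderate", "Moderate"): "Moderate", ("Moderate", "Low"): "Low",
    ("Low", "High"): "Moderate",  ("Low", "Moderate"): "Low",       ("Low", "Low"): "Low",
}

# Page rule: High risk MUST, Moderate SHOULD, Low MAY be addressed with more controls.
REQUIRED_ACTION = {"High": "MUST", "Moderate": "SHOULD", "Low": "MAY"}


def missing_control_types(mitigators: Dict[str, List[str]]) -> List[str]:
    """Control types with no mitigator yet; adding one here lowers likelihood."""
    return [ct for ct in CONTROL_TYPES if not mitigators.get(ct)]


def assess(impact: str, mitigators: Dict[str, List[str]]) -> Dict[str, str]:
    """Combine the user-selected Impact with the computed Likelihood."""
    if impact not in LEVELS:
        raise ValueError(f"impact must be one of {LEVELS}, got {impact!r}")
    lk = likelihood(mitigators)
    risk = ASSUMED_RISK_MATRIX[(impact, lk)]
    return {"impact": impact, "likelihood": lk, "risk": risk,
            "action": REQUIRED_ACTION[risk]}


if __name__ == "__main__":
    # Constructed sample: asset type "Workstations", threat event
    # "Unauthorized access to data or system", two control types covered.
    sample = {
        "Preventive": ["MFA required for all logins"],
        "Detective": ["EDR alerts reviewed daily"],
    }
    print(assess("High", sample))
    print("control types still lacking a mitigator:", missing_control_types(sample))
```

With two control types covered the likelihood is High regardless of how many mitigators sit under each of them, which is the point of the rule: breadth across the four control types, not the count of controls, is what the tool rewards. `missing_control_types` shows the assessor which gaps to close to move the element from High to Moderate or Low likelihood.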