Assess the level of risk to the system. The determination of risk for a particular threat/vulnerability pair can be expressed as a function of:
- The likelihood of a given threat-source’s attempting to exercise a given vulnerability
- The magnitude of the impact should a threat-source successfully exercise the vulnerability
- The adequacy of planned or existing security controls for reducing or eliminating risk.
To measure risk, a risk scale and a risk-level matrix must be developed.
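As an added illustration (not part of the original text), the sketch below builds a 3x3 risk-level matrix and ranks threat/vulnerability pairs for the report. The likelihood weights, impact values, scale thresholds and sample pairs are assumptions constructed for this example, and each likelihood rating is assumed to already reflect the adequacy of existing controls.

```python
# Assumed scales for this example; the page does not prescribe values.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_level(score):
    """Map a numeric score onto the risk scale (assumed thresholds)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix():
    """Return {(likelihood, impact): (score, level)} for every combination."""
    matrix = {}
    for l_name, l_val in LIKELIHOOD.items():
        for i_name, i_val in IMPACT.items():
            score = round(l_val * i_val, 2)
            matrix[(l_name, i_name)] = (score, risk_level(score))
    return matrix


def assess(pairs):
    """Score each threat/vulnerability pair and rank highest risk first."""
    matrix = risk_matrix()
    rows = []
    for pair in pairs:
        score, level = matrix[(pair["likelihood"], pair["impact"])]
        rows.append({**pair, "score": score, "level": level})
    # sorted() is stable, so equal scores keep their input order.
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample pairs; likelihood is rated with existing controls in mind.
PAIRS = [
    {"id": "TV-3", "pair": "fire / sprinklers in server room", "likelihood": "Low", "impact": "Medium"},
    {"id": "TV-1", "pair": "external attacker / unpatched web server", "likelihood": "High", "impact": "High"},
    {"id": "TV-4", "pair": "unauthorized user / guest ID enabled", "likelihood": "High", "impact": "Low"},
    {"id": "TV-2", "pair": "terminated employee / account not removed", "likelihood": "Medium", "impact": "High"},
]

if __name__ == "__main__":
    for row in assess(PAIRS):
        print(f'{row["id"]}  {row["level"]:<6} {row["score"]:>5}  {row["pair"]}')
```

Note that a High likelihood with a Medium impact scores exactly 50 and therefore rates Medium under these thresholds, which is the kind of boundary decision the risk scale has to settle before assessment begins.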
Once the risk assessment has been completed (threat-sources and vulnerabilities identified, risks assessed, and recommended controls provided), the results should be documented in an official report or briefing. A risk assessment report is a management report that helps senior management, the mission owners, make decisions on policy, procedural, budget, and system operational and management changes. Unlike an audit or investigation report, which looks for wrongdoing, a risk assessment report should not be presented in an accusatory manner but as a systematic and analytical approach to assessing risk so that senior management will understand the risks and allocate resources to reduce and correct potential losses.
Risk Mitigation Options:
Implement risk mitigation methodology to reduce mission risk. Risk mitigation can be achieved through any of the following risk mitigation options:
- To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level
- To avoid the risk by eliminating the risk cause and/or consequence (e.g., forgo certain functions of the system or shut down the system when risks are identified)
- To limit the risk by implementing controls that minimize the adverse impact of a threat’s exercising a vulnerability (e.g., use of supporting, preventive, detective controls)
- To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls
- To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability
- To transfer the risk by using other options to compensate for the loss, such as purchasing insurance.