IT risk management

IT risk assessment methodology

Guide

IT risk assessment is a process of analysing potential threats and vulnerabilities to your IT systems to establish what loss you might expect to incur if certain events happen. Its objective is to help you achieve optimal security at a reasonable cost.

There are two prevailing methodologies for assessing the different types of IT risk: quantitative and qualitative risk analysis.

Quantitative IT risk assessment

Quantitative assessment measures risk using monetary amounts. It uses mathematical formulas to give you the value of expected losses associated with a particular risk, based on:

  • the asset value
  • the frequency of risk occurrence
  • the probability of associated loss

In an example of server failure, a quantitative assessment would involve looking at:

  • the cost of a server or the revenue it generates
  • how often does the server crash
  • the estimated loss incurred each time it crashed

From these values, you can work out several key calculations:

  • single loss expectancy - costs you would incur if the incident occurs once
  • annual rate of occurrence - how many times a year you can expect this risk to occur
  • annual loss expectancy - the total risk value over the course of a year

Find a formula to calculate annualised loss expectancy.

These monetary results could help you avoid spending too much time and money on reducing negligible risks. For example, if a threat is unlikely to happen or costs little or nothing to remedy, it probably presents a low risk to your business.

However, if a threat to your key IT systems is likely to happen, and could be expensive to fix or likely to affect your business adversely, you should consider it high risk.

You may want to use this risk information to carry out a cost/benefit analysis to determine what level of investment would make risk treatment worthwhile.

Keep in mind that quantitative measures of risk are only meaningful when you have good data. You may not always have the necessary historical data to work out probability and cost estimates on IT-related risks, since they can change very quickly.

Qualitative IT risk assessment

Qualitative risk assessment is opinion-based. It relies on judgment to categorise risks based on probability and impact and uses a rating scale to describe the risks as:

  • low - unlikely to occur or impact your business
  • medium - possible to occur and impact
  • high - likely to occur and impact your business significantly

For example, you might classify as 'high probability' something that you expect to happen several times a year. You do the same for cost/impact in whatever terms seem useful, for example:

  • low - would lose up to half an hour of production
  • medium - would cause complete shutdown for at least three days
  • high - would cause irrevocable loss to the business

With your ratings determined, you can then create a risk assessment matrix to help you categorise the risk level for each risk event. This can, ultimately, help you decide which risks to mitigate using controls, and which to accept or transfer.

Read more about the different ways to evaluate business risks.

Use different types of information in IT risk assessments

Often, it may be best to use a mixed approach to IT risk assessments, combining elements of both quantitative and qualitative analysis.

You can use the quantitative data to assess the value of assets and loss expectancy, but also involve people in your business to gain their expert insight. This may take time and effort, but it can also result in a greater understanding of the risks and better data than each method would provide alone.

The National Cyber Security Centre (NCSC) recommends using a variety of risk information in assessments. Drawing on a wider range of information sources may reveal risks that would otherwise be missed.