How Do You Conduct a NIST Risk Assessment?

by Trava, Cyber Risk Management


Learn how to conduct a NIST risk assessment to help you understand the risks your business is facing now, so you can better protect your assets.

Cyber security matters for businesses, no matter what size. Small- and medium-sized businesses especially can struggle to implement proper cyber security risk assessment frameworks because the task feels too big or too changeable to stay on top of. But bad actors can use this less-than-ideal security to target these smaller, easier-to-infiltrate businesses. That’s where a trusted cyber security team, like Trava, comes in. With just a little outside guidance from the experts, protecting your company’s IT assets can be straightforward.

In this article, we’ll walk you through the basics of carrying out one of the industry standard risk assessments, part of the NIST risk assessment framework. This will include:

What Are the Steps in a NIST Risk Assessment?

The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce. This institute offers voluntary best practices and a framework for protecting your business from cybersecurity threats. Businesses can use NIST documents to improve their security, but there is no official form to fill out or certification to receive showing your compliance.

Several NIST publications deal with risk assessment guidelines, including:

A risk assessment is just one part of an overall risk management strategy. NIST recommends a variety of approaches for conducting this assessment and for integrating it into each step of the risk management framework.

According to NIST 800-30, the basic steps for conducting a risk assessment are:

  1. Identify Threat Sources and Events

  2. Identify Vulnerabilities and Predisposing Conditions

  3. Determine the Likelihood of Occurrence

  4. Determine the Magnitude of Impact

  5. Determine Risk

Let’s break down each of these steps into more specific parts, and see how they can be applied within an organization. NIST Special Publication 800-30 gives templated tables for recording each of these steps in the publication appendices when you are ready to carry out your own risk assessment.

  1. Identify Sources for Threats

  2. Identify Vulnerabilities

  3. Determine the Likelihood of Occurrence

  4. Determine the Magnitude of Impact

  5. Determine Risk

Examples of How You Perform a Risk Assessment Procedure

In the NIST Special Publication 800-30, Table I-5 is provided to record the final risk assessment for adversarial risk.

In a hypothetical medium-sized software company, this completed chart might look like:

  1. Threat Event - Customer credit card details stolen

  2. Threat Sources - Hacker

  3. Threat Source Characteristics: Capability - Known previous success

  4. Threat Source Characteristics: Intent - Access credit card data for making illegal purchases

  5. Threat Source Characteristics: Targeting - High likelihood, have targeted other similar companies in the same industry recently

  6. Relevance - High, hackers recently successfully carried out this attack with other companies using the same encryption protection we use.

  7. Likelihood of Attack Initiation - 80% based on comparison with other similar companies

  8. Vulnerabilities - Protection we have in place has a weakness vulnerable to these types of attacks

  9. Severity - High; customers would lose trust in our brand, and lawsuits over customer financial losses are possible

  10. Likelihood Initiated Attack Succeeds - 50% based on cyber security assessment results

  11. Overall likelihood - 40% (an 80% likelihood of an attack with a 50% chance of success)

  12. Level of Impact - High

  13. Risk - Very high, addressing this risk should be prioritized
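Steps 3 to 5 of the procedure above, as an added Python example that is not part of this article or of NIST's own materials. The percentage bins follow SP 800-30 Rev. 1 Table G-2; the likelihood-by-impact matrix is an assumption approximating Table I-2 and must be checked against the publication, and the threat events in the register are constructed for illustration.

```python
"""Steps 3-5 of a NIST SP 800-30 adversarial risk assessment, as code.
Added example, not from the original article. Percentage bins follow
SP 800-30 Rev. 1 Table G-2; the likelihood x impact matrix is an ASSUMED
approximation of Table I-2 and must be checked against the publication."""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
# Semi-quantitative bins (Table G-2): lower bound of the 0-100 range -> level.
BINS = [(96, "Very High"), (80, "High"), (21, "Moderate"), (5, "Low"), (0, "Very Low")]
# Assumed approximation of Table I-2: RISK_MATRIX[likelihood][impact index].
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

def overall_likelihood(p_initiation: float, p_success: float) -> float:
    """Step 3: probability the event is both initiated and succeeds."""
    if not (0 <= p_initiation <= 1 and 0 <= p_success <= 1):
        raise ValueError("probabilities must be in [0, 1]")
    return p_initiation * p_success

def to_level(probability: float) -> str:
    """Map a probability onto the five NIST levels using the Table G-2 bins."""
    pct = round(probability * 100)
    return next(level for lower, level in BINS if pct >= lower)

def risk_level(likelihood: str, impact: str) -> str:
    """Step 5: combine a likelihood level and an impact level."""
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]

@dataclass
class AdversarialRisk:  # subset of the Table I-5 columns used in the calculation
    threat_event: str
    p_initiation: float   # likelihood of attack initiation
    p_success: float      # likelihood an initiated attack succeeds
    impact: str           # level of impact, one of LEVELS

    def assess(self) -> dict:
        overall = overall_likelihood(self.p_initiation, self.p_success)
        level = to_level(overall)
        return {"event": self.threat_event, "overall_likelihood": overall,
                "likelihood_level": level, "risk": risk_level(level, self.impact)}

def prioritize(register: list) -> list:
    """Order assessed entries so the highest risk is addressed first."""
    return sorted((e.assess() for e in register), reverse=True,
                  key=lambda r: (LEVELS.index(r["risk"]), r["overall_likelihood"]))
```

Feeding the chart's figures (80% initiation, 50% success, High impact) through these tables lands in the Moderate cell; a team that rates the same event higher, as the chart above does, should record its rationale in the register, since NIST leaves the scales and the combination matrix for each organization to define.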

Conducting Risk Assessments Is Easy with Trava Security

At Trava Security, we know cyber security can feel like a daunting task. That’s why we provide unique solutions, tailor-made for your business. We offer support for:

Get your free Cyber Risk Checkup to see where you stand now, then contact us to take your cyber security to the next level!
