by Trava, Cyber Risk Management
Learn how to conduct a NIST risk assessment to help you understand the risks your business is facing now, so you can better protect your assets.
Cyber security matters for businesses of every size. Small and medium-sized businesses in particular can struggle to put a proper cyber security risk assessment framework in place because the task feels too big, or too changeable, to stay on top of. Bad actors take advantage of that weaker security to target these smaller, easier-to-infiltrate businesses. That’s where a trusted cyber security team, like Trava, comes in. With a little outside guidance from the experts, protecting your company’s IT assets can be straightforward.
In this article, we’ll walk you through the basics of carrying out one of the industry standard risk assessments, part of the NIST risk assessment framework. This will include:
Laying out the 5 steps of risk assessment
Exploring what NIST publication is used for risk assessment and where to find it
Looking at a NIST risk assessment example
The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce. This institute offers voluntary best practices and a framework for protecting your business from cybersecurity threats. Businesses can use NIST documents to improve their security, but there is no official form to fill out or certification to receive showing your compliance.
Several NIST publications deal with risk assessment guidelines, including:
NIST Special Publication 800-30: Guide for Conducting Risk Assessments
NIST Special Publication 800-37: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
NIST Special Publication 800-53: Recommended Security Controls for Federal Information Systems and Organizations
A risk assessment is just one part of an overall risk management strategy. NIST recommends a variety of approaches for conducting the assessment and describes how it can be integrated into each step of the risk management framework.
According to NIST 800-30, the basic steps for conducting a risk assessment are:
Identify Threat Sources and Events
Identify Vulnerabilities and Predisposing Conditions
Determine the Likelihood of Occurrence
Determine the Magnitude of Impact
Let’s break down each of these steps into more specific parts and see how they can be applied within an organization. NIST Special Publication 800-30 provides template tables in its appendices for recording each of these steps when you are ready to carry out your own risk assessment.
Recognize the inputs for sources of IT threats. These could include inputs at the organization, business-process, and information-system levels.
Find the input sources of threats for your business. These could include adversarial, accidental, environmental, or structural threats.
Decide whether each threat source is relevant and significant to your company.
Make or revise an official record of your decisions. Make sure you include relevant sources of threat and their significance for your organization.
For adversarial threats, include an assessment of the bad actor’s capabilities, intent and targeting as it applies to your business.
For accidental, structural, or environmental threats, include an assessment of the impact each threat source could have on your organization.
Recognize the inputs that contribute to your business’s vulnerabilities. These could include inputs at the organization, business-process, and information-system levels.
Find which inputs contribute to your business’s vulnerabilities.
List these vulnerabilities on a record. You may need to create one, or you may be updating an existing document.
Assign each vulnerability a severity score and record it.
Recognize the inputs that influence how likely a cyber security breach is to occur in your organization. Include possible inputs at the organizational, business process, and information systems levels.
Find the factors most relevant to occurrence likelihood from documentation in previous steps. This includes things like characteristics of threat sources and vulnerabilities.
Determine the likelihood of each threat from both adversarial and non-adversarial events.
Assess how likely each threat is to cause significant organizational harm if it were to occur.
Compare the likelihood of the threat occurring to how much harm it would cause.
Create or update a table to show this comparison.
Recognize the inputs that play a part in determining how much a cyber security breach would affect an organization.
Find the factors that apply to your company.
Document which impacts would affect which assets.
Determine the greatest amount of impact possible on each asset, and record it.
Risk is a combination of your organization’s vulnerabilities and the threats it faces, together with the severity of the harm a risk would cause your organization.
Update all documents following the steps above to create the most complete picture of each variable.
Determine risk by combining all of these factors into a single, easily digested table with one row per risk.
NIST Special Publication 800-30 provides Table I-5 for recording the final risk assessment for adversarial risk.
For a hypothetical medium-sized software company, the completed table might look like this:
Threat Event - Customer credit card details stolen
Threat Sources - Hacker
Threat Source Characteristics: Capability - Known previous success
Threat Source Characteristics: Intent - Access credit card data for making illegal purchases
Threat Source Characteristics: Targeting - High likelihood, have targeted other similar companies in the same industry recently
Relevance - High; hackers recently carried out this attack successfully against other companies using the same encryption protection we use.
Likelihood of Attack Initiation - 80% based on comparison with other similar companies
Vulnerabilities - Protection we have in place has a weakness vulnerable to these types of attacks
Severity - High; customers will lose trust in our brand, and lawsuits over customer financial losses are possible
Likelihood Initiated Attack Succeeds - 50% based on cyber security assessment results
Overall likelihood - 40% (an 80% likelihood of attack initiation multiplied by a 50% chance of success)
Level of Impact - High
Risk - Very high, addressing this risk should be prioritized
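As an added illustration (not code from the article or from Trava), here is a small Python model of the Table I-5 row above: it combines the attack-initiation and attack-success likelihoods the way the article does, maps the result onto the SP 800-30 semi-quantitative bands, looks up a risk level, and ranks several rows for prioritization. The risk matrix is modelled on SP 800-30 Table I-2, and its cell values, the sample rows, and the helper names are assumptions.

```python
from dataclasses import dataclass

# SP 800-30 Rev. 1 semi-quantitative assessment scale (Appendices G-I):
# 0-4 Very Low, 5-20 Low, 21-79 Moderate, 80-95 High, 96-100 Very High.
BANDS = [(4, "Very Low"), (20, "Low"), (79, "Moderate"), (95, "High"), (100, "Very High")]
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Likelihood (row) x impact (column, in LEVELS order) -> risk level. ASSUMPTION:
# modelled on SP 800-30 Table I-2; verify each cell or substitute your own tailored scale.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

def band(percent: float) -> str:
    # Map a 0-100 score onto its qualitative band; reject values off the scale.
    if not 0 <= percent <= 100:
        raise ValueError(f"score out of range: {percent}")
    return next(name for upper, name in BANDS if percent <= upper)

def overall_likelihood(initiation_pct: float, success_pct: float) -> float:
    """The article's arithmetic: P(initiated) x P(succeeds | initiated), as a percent."""
    return round(initiation_pct * success_pct / 100, 1)

@dataclass
class AdversarialRisk:
    """One row of the SP 800-30 Table I-5 adversarial risk template (hypothetical helper)."""
    threat_event: str
    threat_source: str
    initiation_pct: float   # likelihood of attack initiation
    success_pct: float      # likelihood an initiated attack succeeds
    impact: str             # level of impact, one of LEVELS

    def overall_pct(self) -> float:
        return overall_likelihood(self.initiation_pct, self.success_pct)
    def risk(self) -> str:
        return RISK_MATRIX[band(self.overall_pct())][LEVELS.index(self.impact)]

def prioritize(rows: list[AdversarialRisk]) -> list[AdversarialRisk]:
    """Highest risk level first, ties broken by overall likelihood."""
    return sorted(rows, key=lambda r: (LEVELS.index(r.risk()), r.overall_pct()), reverse=True)

# Constructed sample rows: the article's credit-card scenario plus one for comparison.
SAMPLE = [
    AdversarialRisk("Customer credit card details stolen", "Hacker", 80, 50, "High"),
    AdversarialRisk("Phishing of finance staff", "Hacker", 90, 40, "High"),
]
```

Under this lookup the article's scenario (40% overall likelihood, High impact) lands at Moderate, whereas the article's completed table records it as Very High; treat the matrix as the documented baseline and record the rationale whenever the assessment team departs from it.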
At Trava Security, we know cyber security can feel like a daunting task. That’s why we provide unique solutions, tailor-made for your business. We offer support for:
SaaS Leaders - Let us help protect your work, so you can keep doing the innovative work you’re known for.
Meeting Compliance Standards - Navigating the complex world of compliance for standards like SOC 2, ISO 27001, and HIPAA takes time and expertise. Let us do the heavy lifting so your IT staff can focus on making your product better.
Managed Service Providers - Offer even more cyber security services to your clients with our Discovery Package.