10 Nov

7 Identify risks

Next, for each asset you defined in the previous step, you will need to identify risks and classify them according to their severity and vulnerability. In addition, you will need to identify the impact that loss of confidentiality, integrity, and availability may have on the assets.
To identify risks, start by identifying actual or potential threats and vulnerabilities for each asset. A threat is something that could cause harm. For example, a threat could be any of the following:

  • A declaration of the intent to inflict harm or misery
  • Potential to cause an unwanted incident, which may result in harm to a system or organization and its assets
  • Intentional, accidental, or man-made act that could inflict harm or an act of God (such as a hurricane or tsunami)

A vulnerability is a source or situation with a potential for harm (for example, a broken window is a vulnerability; it might invite harm, such as a break-in). A risk is a combination of the likelihood (or frequency) that a specific threat will occur and the severity of its impact.
What you will need:

  • The list of assets that you defined in the previous step
  • The risk assessment methodology you defined in step 5

For each asset, you should identify vulnerabilities that might exist for that asset and threats that could result from those vulnerabilities. It is often helpful to think about threats and vulnerabilities in pairs, with at least one pair for each asset and possibly multiple pairs for each asset.
Results:
For each asset, you will have a threat and vulnerability description and, using your Risk Assessment methodology, you will assign levels of confidentiality, integrity, and availability to that asset.
If you used a table for step 6, you can add this information to that table, as shown in the following example.
Example:
In the following example, the Risk Summary column describes the threat and vulnerability. The CIA profile classifies the asset’s confidentiality, integrity, and availability.
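The following is an added worked example, not the table from the original guide: it records one threat/vulnerability pair per asset, rates each pair by combining likelihood with severity as defined above, checks that every asset has at least one pair and a complete CIA profile, and emits the Risk Summary and CIA profile columns. The three-level scale, the product-based rating and the sample assets are assumptions for illustration; the methodology chosen in step 5 may differ.

```python
from dataclasses import dataclass, field

# Ordinal scale assumed here; the methodology chosen in step 5 may differ.
LEVELS = {"low": 1, "medium": 2, "high": 3}
CIA = ("confidentiality", "integrity", "availability")
@dataclass
class RiskPair:
    threat: str         # what could cause harm
    vulnerability: str  # the weakness that lets the threat do harm
    likelihood: str     # low / medium / high
    severity: str       # low / medium / high

@dataclass
class Asset:
    name: str
    cia: dict                                  # e.g. {"confidentiality": "high", ...}
    risks: list = field(default_factory=list)  # RiskPair objects

def risk_rating(pair):
    """Risk combines likelihood and severity: product on the 1-3 scale, mapped to low/medium/high."""
    score = LEVELS[pair.likelihood] * LEVELS[pair.severity]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def validate(assets):
    """Every asset needs a full CIA profile and at least one threat/vulnerability pair."""
    problems = []
    for a in assets:
        if not a.risks:
            problems.append(f"{a.name}: no threat/vulnerability pair identified")
        for level in sorted(set(CIA) - set(a.cia)):
            problems.append(f"{a.name}: CIA profile missing {level}")
    return problems

def build_register(assets):
    """Rows for the step-6 table, extended with Risk Summary and CIA profile columns."""
    rows = []
    for a in assets:
        profile = "/".join(f"{k[0].upper()}={a.cia.get(k, '?')}" for k in CIA)
        for p in a.risks:
            rows.append({"asset": a.name, "risk_summary": f"{p.threat} via {p.vulnerability}",
                         "risk": risk_rating(p), "cia_profile": profile})
    return rows
# Constructed sample input (not from the original page).
SAMPLE = [
    Asset("Customer database",
          {"confidentiality": "high", "integrity": "high", "availability": "medium"},
          [RiskPair("Data theft", "unpatched database server", "medium", "high")]),
    Asset("Backup tapes", {"confidentiality": "high"}),  # incomplete on purpose
]
```

Running `validate(SAMPLE)` flags the second asset for having no pair and an incomplete CIA profile, while `build_register(SAMPLE)` yields the first asset's row rated "high".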