Risk Assessment Fundamentals

Organizations in the public and private sectors depend on information systems to successfully carry out their missions and business functions. Information systems can include very diverse entities ranging from office networks, financial and personnel systems to very specialized systems (e.g., weapons systems, telecommunications systems, industrial/process control systems, and environmental control systems). Information systems are subject to serious threats that can have adverse effects on organizational operations (i.e., missions, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation by exploiting both known and unknown vulnerabilities to compromise the confidentiality, integrity, or availability of the information being processed, stored, or transmitted by those systems. Threats to information and information systems can include purposeful attacks, environmental disruptions, and human/machine errors and result in great harm to the national and economic security interests of the United States. Therefore, it is imperative that leaders and managers at all levels understand their responsibilities and are held accountable for managing information security risk—that is, the risk associated with the operation and use of information systems that support the missions and business functions of their organizations.

Risk assessment is one of the key components of an organizational risk management process as described in NIST Special Publication 800-39. Risk assessments identify, prioritize, and estimate risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.

The purpose of the risk assessment component is to identify:

(i) threats to organizations or threats directed through organizations against other organizations or the Nation;

(ii) vulnerabilities internal and external to organizations;

(iii) impact (i.e., harm) to organizations that may occur given the potential for threats exploiting vulnerabilities; and

(iv) likelihood that harm will occur.

The end result is a determination of risk (i.e., the degree of harm and likelihood of harm occurring). Risk assessments can be conducted at all three tiers in the risk management hierarchy—including Tier 1 (organization level), Tier 2 (mission/business process level), and Tier 3 (information system level). At Tier 1 and Tier 2, risk assessments are used to evaluate, for example, systemic information security-related risks associated with organizational governance and management activities, mission/business processes or enterprise architecture, and funding of information security programs. At Tier 3, risk assessments are used to effectively support the implementation of the Risk Management Framework (i.e., security categorization, security control selection, security control implementation, security control assessment, information system authorization, and monitoring).

Scope and Applicability

Risk assessments are required for effective risk management and to inform decision making at all three tiers in the risk management hierarchy including the organization level, mission/business process level, and information system level. Furthermore, risk assessments are enduring and should be conducted throughout the system development life cycle, from pre-system acquisition (i.e., material solution analysis and technology development), through system acquisition (i.e., engineering/manufacturing development and production/deployment), and on into sustainment (i.e., operations/support). There are no specific requirements with regard to:

(i) the formality, rigor, or level of detail of risk assessments;

(ii) the methodologies, tools, and techniques used to conduct such risk assessments; or

(iii) the format and content of assessment results and any associated reporting mechanisms.

Therefore, organizations have maximum flexibility on how risk assessments are conducted and employed and are encouraged to apply the guidance in this document in the manner that most effectively and cost-effectively provides the information necessary for informed risk management decisions. Organizations are also cautioned that risk assessments are often not precise instruments of measurement and reflect:

(i) the limitations of specific assessment methodologies, tools, and techniques employed;

(ii) the subjectivity, quality, and trustworthiness of the data used;

(iii) the interpretation of assessment results; and

(iv) the skills and expertise of those individuals or groups conducting the assessments.

Since cost, timeliness, and ease of use are a few of the many important factors in the application of risk assessments, organizations should attempt to reduce the complexity of risk assessments and maximize the reuse of assessment results by sharing risk-related information across their enterprises, whenever possible.

High-Level Overview

Risk assessment is a key component of a holistic, organization-wide risk management process as defined in NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View. Risk management processes include:

(i) establishing the context for risk management activities to be carried out (i.e., risk framing);

(ii) assessing risk;

(iii) responding to risk; and

(iv) monitoring risk.

The first component of risk management addresses how organizations frame risk or establish a risk context—that is, describing the environment in which risk-based decisions are made. The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions. The risk frame establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations.

The second component of risk management addresses how organizations assess risk within the context of the organizational risk frame. The purpose of the risk assessment component is to identify:

(i) threats to organizations (i.e., operations, assets, or individuals) or threats directed through organizations against other organizations or the Nation;

(ii) vulnerabilities internal and external to organizations;

(iii) the harm (i.e., adverse impact) to organizations that may occur given the potential for threats exploiting vulnerabilities; and

(iv) the likelihood that harm will occur.

The end result is a determination of risk (i.e., the degree of harm and likelihood of harm occurring).

The third component of risk management addresses how organizations respond to risk once that risk is determined based on the results of risk assessments. The purpose of the risk response component is to provide a consistent, organization-wide response to risk in accordance with the organizational risk frame by:

(i) developing alternative courses of action for responding to risk;

(ii) evaluating the alternative courses of action;

(iii) determining appropriate courses of action consistent with organizational risk tolerance; and

(iv) implementing risk responses based on selected courses of action.

The fourth component of risk management addresses how organizations monitor risk over time. The purpose of the risk monitoring component is to:

(i) verify that planned risk responses are implemented and information security requirements derived from and traceable to organizational missions/business functions, federal legislation, directives, regulations, policies, standards, and guidelines are satisfied;

(ii) determine the ongoing effectiveness of risk response measures following implementation; and

(iii) identify risk-impacting changes to organizational information systems and the environments in which the systems operate.

This publication focuses on the risk assessment component of risk management—providing a step-by-step process on how to prepare for risk assessments, how to conduct risk assessments, and how to maintain the currency of risk assessments over time. The risk framing step in the risk management process described above provides essential information to organizations when preparing for risk assessments. The risk monitoring step in the risk management process also provides important information to organizations when updating their risk assessments.

Well-designed and well-executed risk assessments can be used to effectively analyze and respond to risks from a complex and sophisticated threat space and subsequently monitor those risks over time. Unlike risk assessments that focus exclusively on information systems, the process described in this publication focuses on mission and business impacts and the associated risk to organizations. Risk assessments can support a wide variety of risk-based decisions by organizational officials across all three tiers in the risk management hierarchy including:

  • Determination of organization-level risks, that is, risks that are common to the organization’s core missions or business functions, mission/business processes, mission/business segments, common infrastructure/support services, or information systems;
  • Definition of an information security architecture (embedded within enterprise architecture);
  • Definition of interconnection requirements for information systems (including systems supporting mission/business processes and common infrastructure/support services);
  • Design of security solutions for information systems and environments of operation including selection of security controls, information technology products, suppliers, and contractors to support core missions/business functions or provide common infrastructure/support services;
  • Authorization (or denial of authorization) to operate information systems or to use security controls inherited by those systems (i.e., common controls);
  • Modification of missions/business functions and/or mission/business processes permanently, or for a specific time frame (e.g., until a newly discovered vulnerability or attack is addressed);
  • Implementation of security solutions (e.g., whether specific information technology products or configurations for those products meet established requirements); and
  • Operation and maintenance of security solutions (e.g., continuous monitoring strategies and programs, ongoing risk assessments and authorizations).

Risk Assessment Concepts

Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of:

(i) the adverse impacts that would arise if the circumstance or event occurs; and

(ii) the likelihood of occurrence.

Information security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.

A risk assessment is the process of identifying, prioritizing, and estimating information security risks. Assessing information security risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur.

Any assessment of risk typically includes:

(i) an explicit risk model, defining key terms and assessable risk factors and the relationships among the factors;

(ii) an assessment approach, specifying the range of values those risk factors can assume during the assessment; and

(iii) an analysis approach, specifying how values of those factors are functionally combined to evaluate risk.

Risk factors are characteristics used in risk models as inputs to determining levels of risk in risk assessments. Risk factors are also used extensively in risk communications to highlight the various aspects of problem domains that strongly affect the levels of risk in particular situations, circumstances, or contexts. Typical risk factors include, for example, threat, vulnerability, impact, likelihood, and predisposing condition. Risk factors can be further decomposed into more detailed characteristics (e.g., threats decomposed into threat sources and threat events).

A risk assessment methodology is a risk assessment process, together with a risk model, assessment approach, and analysis approach. Risk assessment methodologies are defined by organizations and are a component of the risk management strategy developed during the risk framing step of the risk management process. Organizations can use a single risk assessment methodology or can employ multiple risk assessment methodologies, with the selection of a specific methodology depending on:

(i) the criticality and/or sensitivity of the organization’s core missions and business functions including the supporting mission/business processes and information systems;

(ii) the maturity of the organization’s mission/business processes (by enterprise architecture segments); or

(iii) the stage of information systems in the system development life cycle.

By making explicit the risk model, the assessment approach, and the analysis approach used, and by requiring, as part of the assessment process, a rationale for the assessed values of risk factors, organizations can increase the reproducibility and repeatability of their risk assessments.

Risk Models

Risk models define the key terms used in risk assessments including the risk factors to be assessed and the relationships among those factors. These definitions are important for organizations to document prior to conducting risk assessments because the assessments rely upon well-defined attributes of threats, vulnerabilities, and other risk factors to effectively determine risk.

Threats

A threat is any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. There are two aspects:

(i) threat sources; and

(ii) threat events.

A threat source is an actor (causal agent) with the intent and method targeted at the exploitation of a vulnerability or a situation and method that may accidentally exploit a vulnerability. In general, types of threat sources include:

(i) hostile cyber/physical attacks;

(ii) human errors of omission or commission;

(iii) structural failures of organization-controlled resources (e.g., hardware, software, environmental controls); and

(iv) natural and man-made disasters, accidents, and failures beyond the control of the organization.

A threat event is an event or situation initiated or caused by a threat source that has the potential for causing adverse impact. Threat events for cyber attacks are typically characterized by the tactics, techniques, and procedures (TTPs) employed by adversaries.

Risk models can provide useful distinctions between threat sources and threat events. Various taxonomies of threat sources have been developed. A typical taxonomy of threat sources uses the type of adverse impacts as an organizing principle. Multiple threat sources can initiate or cause the same threat event—for example, a key provisioning server can be taken off-line by a denial-of-service attack, a deliberate act by a malicious system administrator, an administrative error, a hardware fault, or a power failure. Risk models differ in the degree of detail and complexity with which threat events are identified. When threat events are identified with great specificity, threat scenarios can be modeled and analyzed.

Vulnerabilities and Predisposing Conditions

A vulnerability is an inherent weakness in an information system, security procedures, internal controls, or implementation that could be exploited by a threat source. Most information system vulnerabilities can be identified with security controls that either have not been applied or that, while applied, retain some weakness. However, vulnerabilities need not be identified only within information systems. Viewing information systems in a broader context, vulnerabilities can be found in organizational governance structures (e.g., lack of effective risk management strategies, poor intra-agency communications, inconsistent decisions about relative priorities of core missions and business functions). Vulnerabilities can also be found in external relationships (e.g., dependencies on energy sources, the supply chain, technology, and telecommunications providers), mission/business processes (e.g., poorly defined processes or processes that are not risk-aware), and enterprise and information security architectures (e.g., poor architectural decisions resulting in lack of diversity or resiliency in organizational information systems).

In addition to the vulnerabilities described above, organizations also consider predisposing conditions. A predisposing condition is a condition that exists within an organization, a mission or business process, enterprise architecture, information system, or environment of operation, which affects (i.e., increases or decreases) the likelihood that threat events, once initiated, result in adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation. Predisposing conditions include, for example, the location of a facility in a hurricane- or flood-prone region (increasing the likelihood of exposure to hurricanes or floods) or a stand-alone information system with no external network connectivity (decreasing the likelihood of exposure to a network-based cyber attack). Vulnerabilities resulting from predisposing conditions that cannot be easily corrected could include, for example, gaps in contingency plans or weaknesses/deficiencies in information system backup and failover mechanisms. In all cases, these types of vulnerabilities create a predisposition toward threat events having adverse impacts on organizations. Vulnerabilities (including those attributed to predisposing conditions) are part of the overall security state of organizational information systems and environments of operation which can affect the likelihood of a threat event’s occurrence.

Impact

The level of impact from a threat event is the magnitude of harm that can be expected to result from the unauthorized disclosure, modification, disruption, destruction, or loss of information and/or denial of service. Such adverse impact, and hence harm, can be experienced by a variety of organizational and non-organizational stakeholders including, for example, heads of agencies, mission and business owners, information owners/stewards, mission/business process owners, information system owners, or individuals/groups in the public or private sectors relying on the organization—in essence, anyone with a vested interest in the organization’s operations, assets, or individuals, including other organizations in partnership with the organization, or the Nation (for critical infrastructure-related considerations).

As noted above, risk is the combination of the likelihood of a threat event’s occurrence and its potential adverse impact. This definition accommodates many types of adverse impacts at all tiers in the risk management hierarchy described in NIST Special Publication 800-39 (e.g., damage to image or reputation of the organization or financial loss at Tier 1; inability to successfully execute a specific mission/business process at Tier 2; or the resources expended in responding to an information system incident at Tier 3). It also accommodates relationships among impacts (e.g., loss of current or future mission/business effectiveness due to the loss of data confidentiality; loss of confidence in critical information due to loss of data or system integrity; or unavailability or degradation of information or information systems). This broad definition also allows risk to be represented as a single value or as a vector in which different types of impacts are assessed separately. For purposes of risk communication, risk is generally aggregated according to the types of adverse impacts (and possibly the time frames in which those impacts are likely to be experienced).

With regard to the aggregation of risk, there are several issues that organizations may consider. In general, for individual discrete risks (e.g., the risk associated with a single information system supporting a well-defined mission/business process), the worst-case impact establishes an upper bound for the overall risk to organizational operations and assets. In more complex situations involving multiple information systems and multiple mission/business processes with specified relationships and dependencies among those systems and processes, organizations may need to consider risk aggregation. Risk aggregation, conducted primarily at Tier 1 and occasionally at Tier 2, addresses the overall risk to organizational operations and assets, given the risk attributed to each of the discrete risks. There may be situations when organizations desire to assess risk at the organization level when multiple risks materialize concurrently or near the same time. When two or more risks materialize at or near the same time, there is the possibility that the amount of overall risk incurred is beyond the risk capacity of the organization, and therefore the overall impact to organizational operations and assets (i.e., mission/business impact) goes beyond that which was originally assessed for each specific risk.

When assessing risk for potential aggregation issues, organizations consider the relationship among various discrete risks. For example, is there a cause-and-effect relationship so that if one risk materializes, another risk is more likely (or less likely) to materialize? If there is a direct or inverse relationship among discrete risks, then the risks can be coupled (in a qualitative sense) or correlated (in a quantitative sense) either in a positive or negative manner. Risk coupling or correlation (i.e., finding relationships among risks that increase or decrease the likelihood of any specific risk materializing) can be done at Tiers 1, 2, or 3.

Assessment Approaches

Risk, and its contributing factors, can be assessed in a variety of ways, including quantitatively, qualitatively, or semi-quantitatively. Each risk assessment approach considered by organizations has advantages and disadvantages. A preferred approach (or situation-specific set of approaches) can be selected based on organizational culture and, in particular, attitudes toward the concepts of uncertainty and risk communication. Quantitative assessments typically employ a set of methods, principles, or rules for assessing risk based on the use of numbers—where the meanings and proportionality of values are maintained inside and outside the context of the assessment. This type of assessment most effectively supports cost-benefit analyses of alternative risk responses or courses of action. However, the meaning of the quantitative results may not always be clear and may require a qualitative interpretation. For example, organizations may ask if the numbers obtained in the risk assessments are good or bad or if the differences in the obtained values are meaningful or insignificant. Additionally, the rigor of quantification is significantly lessened when subjective determinations are buried within the quantitative assessments, or when significant uncertainty surrounds the determination of values. The benefits of quantitative assessments (in terms of the rigor, repeatability, and reproducibility of assessment results) can, in some cases, be outweighed by the costs (in terms of the expert time and effort and the possible deployment and use of tools required to make such assessments).

In contrast to quantitative assessments, qualitative assessments typically employ a set of methods, principles, or rules for assessing risk based on non-numerical categories or levels (e.g., very low, low, moderate, high, very high). This type of assessment supports, to a much higher degree, risk communication in conveying assessment results to decision makers. However, the range of values in qualitative assessments is comparatively small in most cases, making the relative prioritization or comparison within the set of reported risks difficult. Additionally, unless each value is very clearly defined or is characterized by meaningful examples, different experts relying on their individual experiences could produce significantly different assessment results. The repeatability and reproducibility of qualitative assessments are increased by the annotation of assessed values (e.g., this value is high because of the following factors) and by using tables or other well-defined functions to combine qualitative values.

Finally, semi-quantitative assessments typically employ a set of methods, principles, or rules for assessing risk that uses bins, scales, or representative numbers whose values and meanings are not maintained in other contexts. This type of assessment can provide the benefits of quantitative and qualitative assessments. The bins (e.g., 0-15, 16-35, 35-70, 71-85, 86-100) or scales (e.g., 1-10) translate easily into qualitative terms that support risk communications for decision makers (e.g., a score of 95 can be interpreted as very high), while also allowing relative comparisons between values in different bins or even within the same bin (e.g., the difference between risks scored 70 and 71 respectively is relatively insignificant, while the difference between risks scored 35 and 70 is relatively significant). The role of expert judgment in assigning values is more evident than in a purely quantitative approach. Moreover, if the scales or sets of bins provide sufficient granularity, relative prioritization among results is better supported than in a purely qualitative approach. As in a quantitative approach, rigor is significantly lessened when subjective determinations are buried within assessments, or when significant uncertainty surrounds a determination of value. As with the non-numeric categories or levels used in a well-founded qualitative approach, each bin or range of values needs to be clearly defined and/or characterized by meaningful examples.
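The following sketch is an added example, not part of the source publication: it bins 0-100 scores with the sample bins quoted above, combines likelihood and impact levels through an explicit table, and refuses any assessed value that lacks a rationale. The combination table, the sample findings, and the decision to place the score 35 (which appears in two of the quoted ranges) in the higher bin are all assumptions made for illustration.

```python
from bisect import bisect_right
from dataclasses import dataclass

LEVELS = ("very low", "low", "moderate", "high", "very high")

# Lower bound of each bin, taken from the sample bins in the text
# (0-15, 16-35, 35-70, 71-85, 86-100). The text lists 35 in two ranges;
# assumption: a boundary score goes to the higher bin.
BIN_FLOORS = (0, 16, 35, 71, 86)


def level_for(score):
    """Translate a 0-100 semi-quantitative score into its qualitative level."""
    if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100:
        raise ValueError(f"score must be an integer from 0 to 100, got {score!r}")
    return LEVELS[bisect_right(BIN_FLOORS, score) - 1]


# Constructed combination table (not from the source text): row = likelihood
# level, column = impact level in LEVELS order, cell = resulting risk level.
RISK_TABLE = {
    "very low":  ("very low", "very low", "very low", "low", "low"),
    "low":       ("very low", "low", "low", "low", "moderate"),
    "moderate":  ("very low", "low", "moderate", "moderate", "high"),
    "high":      ("very low", "low", "moderate", "high", "very high"),
    "very high": ("very low", "low", "moderate", "high", "very high"),
}


@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: int   # 0-100 score
    impact: int       # 0-100 score
    rationale: str    # why the assessor chose these values

    def __post_init__(self):
        # Annotated values are what make the assessment repeatable.
        if not self.rationale.strip():
            raise ValueError(f"{self.name}: assessed values need a rationale")
        level_for(self.likelihood)  # validates the range
        level_for(self.impact)

    @property
    def risk(self):
        """Risk level looked up from the explicit combination table."""
        column = LEVELS.index(level_for(self.impact))
        return RISK_TABLE[level_for(self.likelihood)][column]


def prioritize(findings):
    """Order by risk level first, then by the raw scores inside a level.

    The tie-break (impact, then likelihood) is an assumption; it shows how
    the underlying scores still rank findings that share one label.
    """
    return sorted(
        findings,
        key=lambda f: (LEVELS.index(f.risk), f.impact, f.likelihood),
        reverse=True,
    )


# Constructed sample findings. The first two differ by one likelihood point
# (70 vs 71) yet land in different bins; the last two share a bin (35 vs 70).
SAMPLE = [
    Finding("Key provisioning server outage", 70, 90,
            "single server, no failover; outage halts key issuance"),
    Finding("Backup restore failure", 71, 90,
            "restores untested for a year; all mission data affected"),
    Finding("Workstation misconfiguration", 35, 40,
            "baseline enforced monthly; limited to one business unit"),
    Finding("Printer firmware drift", 70, 40,
            "no patch process for printers; limited data exposure"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.risk:<9}  L={f.likelihood:>3} I={f.impact:>3}  {f.name}: {f.rationale}")
```

Reporting the scores next to the labels keeps the one-point gap between the first two findings visible even though their risk levels differ.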

Analysis Approaches

Analysis approaches differ with respect to the orientation or starting point of the risk assessment, level of detail in the assessment, and how risks due to similar threat scenarios are treated. An analysis approach can be:

(i) threat-oriented, starting with the identification of threat sources and threat events;

(ii) asset/impact-oriented, starting with the identification of high-value assets or highly adverse impacts; or

(iii) vulnerability-oriented, starting with a set of predisposing conditions or exploitable weaknesses/deficiencies in organizational information systems or the environments in which the systems operate.

Each orientation can potentially fail to notice (and hence determine) risks. Therefore, identification of risks from a second orientation (e.g., graph-based analysis, rigorous analysis) can improve the rigor and effectiveness of the analysis.

Graph-based analyses (e.g., functional dependency network analysis, attack tree analysis for adversarial threats, fault tree analysis for other types of threats) provide a way to use highly specific threat events to generate threat scenarios. Graph-based analyses can also provide ways to account for situations in which one event can change the likelihood of occurrence for another event. Attack and fault tree analyses, in particular, can generate multiple threat scenarios that are nearly alike, for purposes of determining the levels of risk. With automated modeling and simulation, large numbers of threat scenarios (e.g., attack and/or fault trees, traversals of functional dependency networks) can be generated. Thus, graph-based analysis approaches include ways to define a cut set or reasonable subset of all possible threat scenarios.
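As an added illustration (not from the source publication), the fault tree below models the key provisioning server outage mentioned earlier and reduces it to minimal cut sets, the smallest combinations of basic events that cause the top event. The five top-level causes come from the text; the standby server and backup power behind the AND gates, and the mapping of events to threat source types, are assumptions constructed for the example.

```python
from itertools import product

# A node is a basic event (str) or a gate: ("OR" | "AND", [children]).
# Assumption: a standby server exists and can be down for two reasons.
STANDBY_DOWN = ("OR", ["standby hardware fault", "administrative error"])

# Top event: the key provisioning server is taken off-line.
TREE = ("OR", [
    "denial-of-service attack",
    "deliberate act by malicious administrator",
    "administrative error",
    ("AND", ["hardware fault", STANDBY_DOWN]),               # constructed gate
    ("AND", ["power failure", "backup power unavailable"]),  # constructed gate
])

# Constructed mapping of basic events to the threat source types in the text.
SOURCE_TYPE = {
    "denial-of-service attack": "hostile attack",
    "deliberate act by malicious administrator": "hostile attack",
    "administrative error": "human error",
    "hardware fault": "structural failure",
    "standby hardware fault": "structural failure",
    "backup power unavailable": "structural failure",
    "power failure": "failure beyond organizational control",
}


def minimize(sets):
    """Drop every cut set that strictly contains another cut set."""
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node):
    """Return the minimal cut sets of a fault tree node as frozensets."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    if not children:
        raise ValueError("a gate needs at least one child")
    parts = [cut_sets(child) for child in children]
    if gate == "OR":
        # Any child's cut set causes the event.
        merged = set().union(*parts)
    elif gate == "AND":
        # One cut set from every child must occur together.
        merged = {frozenset().union(*combo) for combo in product(*parts)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimize(merged)


def single_points(cuts):
    """Basic events that cause the top event on their own."""
    return sorted(next(iter(c)) for c in cuts if len(c) == 1)


def source_types(cut):
    """Threat source types that must contribute for this scenario to occur."""
    return sorted({SOURCE_TYPE[event] for event in cut})


if __name__ == "__main__":
    for cut in sorted(cut_sets(TREE), key=lambda c: (len(c), sorted(c))):
        print(f"{' + '.join(sorted(cut)):<50} <- {', '.join(source_types(cut))}")
```

The combination of a hardware fault with an administrative error never appears in the output because the administrative error alone already takes the server off-line, which is how minimization trims near-duplicate scenarios to a reasonable subset.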

A rigorous analysis approach provides an effective way to account for the many-to-many relationships between:

(i) threat sources and threat events (i.e., a single threat event can be caused by multiple threat sources and a single threat source can cause multiple threat events);

(ii) threat events and vulnerabilities (i.e., a single threat event can exploit multiple vulnerabilities and a single vulnerability can be exploited by multiple threat events); and

(iii) threat events and impacts/assets (i.e., a single threat event can affect multiple assets or have multiple impacts, and a single asset can be affected by multiple threat events).

A rigorous analysis approach also provides a way to account for whether, in the time frame for which risks are assessed, a specific adverse impact could occur (or a specific asset could be harmed) at most once, or perhaps repeatedly, depending on the nature of the impacts and on how organizations (including mission/business processes or information systems) recover from such adverse impacts.

Organizations can differ in the risk models, assessment approaches, and analysis approaches that they prefer for a variety of reasons. For example, cultural issues can predispose organizations to employ risk models which assume a constant value for one or more possible risk factors, so that some factors that are present in other organizations’ models are not represented. Culture can also predispose organizations to employ risk models that require detailed analyses using quantitative assessments (e.g., nuclear safety). Alternately, organizations may prefer qualitative or semi-quantitative assessment approaches. In addition to differences among organizations, differences can also exist within organizations. For example, organizations can use coarse or high-level risk models early in the system development life cycle to select security controls, and subsequently, more detailed models to assess risk to given missions or business functions. Organizational risk frames determine which risk models, assessment approaches, and analysis approaches to use under varying circumstances.

Application of Risk Assessments

As stated previously, risk assessments can be conducted at all three tiers in the risk management hierarchy—organization level, mission/business process level, and information system level. Traditional risk assessments generally focus at the Tier 3 tactical level (i.e., information system level) and as a result, tend to overlook other significant risk factors that may be more appropriately assessed at the Tier 1 or Tier 2 strategic levels.

Risk assessments support organizational risk response decisions at the different tiers of the risk management hierarchy. At Tier 1, risk assessments can affect, for example:

(i) organization-wide information security programs, policies, procedures, and guidance;

(ii) the types of appropriate risk responses (i.e., risk acceptance, avoidance, mitigation, sharing, or transfer);

(iii) investment decisions for information technologies/systems;

(iv) procurements;

(v) minimum organization-wide security controls;

(vi) conformance to enterprise/security architectures; and

(vii) monitoring strategies and ongoing authorizations of information systems and common controls.

At Tier 2, risk assessments can affect, for example:

(i) enterprise architecture/security architecture design decisions;

(ii) the selection of common controls;

(iii) the selection of suppliers, services, and contractors to support core missions and business functions;

(iv) the development of risk-aware mission/business processes; and

(v) the interpretation of organizational security policies with respect to mission/business processes and operating environments.

Finally, at Tier 3, risk assessments can affect, for example:

(i) design decisions (including the selection, tailoring, and supplementation of security controls and the selection of information technology products for organizational information systems);

(ii) implementation decisions (including whether specific information technology products or product configurations meet security control requirements); and

(iii) operational decisions (including the requisite level of monitoring activity, the frequency of ongoing information system authorizations, and system maintenance decisions).

Risk assessments can also inform other risk management activities across the three tiers that are not security-related. For example, at Tier 1, risk assessments can provide useful inputs to:

(i) operational risk determinations (including business continuity for organizational missions and business functions);

(ii) organizational risk determinations (including financial risk, compliance risk, regulatory risk, reputation risk, and cumulative acquisition risk across large-scale projects); and

(iii) multiple-impact risk (including supply chain risk and risk involving partnerships).

At Tier 2, risk assessments can provide the same useful inputs to operational, organizational, and multiple-impact risks, specific to mission/business processes. At Tier 3, risk assessments can affect cost, schedule, and performance risks associated with information systems. It is important to note that information security risk contributes to non-security risks at each tier. Thus, the results of a risk assessment at a given tier serve as inputs to, and are aligned with, non-security risk management activities at that tier. In addition, the results of risk assessments at lower tiers serve as inputs to risk assessments at higher tiers. Risks arise on different time scales, and risk response decisions can take effect in different timeframes. Therefore, risks are managed in different timeframes. In general, the risk management process moves most slowly at Tier 1 and most quickly at Tier 3. However, while Tier 1 decisions are often embodied in policy, which changes slowly, Tier 1 risks can lead to situations in which new vulnerabilities or cyber attacks are discovered and the implementation of an organization-wide mandate for mitigation requires immediate action.

Risk Assessments at the Organizational Tier

At Tier 1, risk assessments support organizational strategies, policies, guidance, and processes for managing risk. Risk assessments conducted at Tier 1 focus on organizational operations, assets, and individuals—comprehensive across mission/business lines. Organization-wide assessments of risk can be based solely on the assumptions, constraints, risk tolerances, priorities, and trade-offs established in the risk framing step (i.e., derived primarily from Tier 1 activities). However, more realistic and meaningful organization-wide risk assessments are based on assessments conducted across multiple mission/business lines (i.e., derived primarily from Tier 2 activities). The ability of organizations to use Tier 2 risk assessments as inputs to Tier 1 risk assessments is shaped by such considerations as:

(i) the similarity of organizational missions/business functions; and

(ii) the degree of autonomy that organizational entities or subcomponents have with respect to parent organizations.

Centralized organizations with similar missions/business functions which take a common approach to all types of risk may choose to consolidate risk-related information into a comprehensive risk dashboard. Conversely, expert analysis may be needed to normalize the results from Tier 2 risk assessments in decentralized organizations with varied missions/business functions. Finally, risk assessments at Tier 1 take into consideration the identification of mission essential functions from the organization’s Continuity of Operations (COOP) plan when determining the contribution of Tier 2 risks. Risk assessment results at Tier 1 are communicated to organizational entities at Tier 2 and Tier 3.

Risk Assessments at the Mission/Business Process Tier

At Tier 2, risk assessments support the determination of mission/business process protection and resiliency requirements, and the allocation of those requirements to the enterprise architecture as part of mission/business segments (that support mission/business processes). This allocation is accomplished through an information security architecture embedded within the enterprise architecture. Tier 2 risk assessments also inform and guide decisions on whether, how, and when to use information systems for specific mission/business processes, in particular for alternative mission/business processing in the face of compromised information systems. Risk management and associated risk assessment activities at Tier 2 are closely aligned with the development of Business Continuity Plans (BCPs). Tier 2 risk assessments focus on mission/business segments, which typically include multiple information systems, with varying degrees of criticality and/or sensitivity with regard to core organizational missions/business functions. Risk assessment results at Tier 2 are communicated to and shared with organizational entities at Tier 3 to help inform and guide the allocation of security controls to information systems and the environments in which those systems operate. Tier 2 risk assessments also provide ongoing assessments of the security posture of organizational mission/business processes. Risk assessment results at Tier 2 are communicated to organizational entities at Tier 1 and Tier 3.

Risk Assessments at the Information System Tier

At Tier 3, the system development life cycle determines the purpose and defines the scope of risk assessments. Initial risk assessments evaluate the anticipated vulnerabilities and predisposing conditions affecting the confidentiality, integrity, and availability of organizational information systems in the context of the planned operational environment. Initial risk assessments conclude with recommendations for appropriate security controls—permitting mission/business owners to make the final decisions about the security controls necessary based on the security categorization and threat environment. Risk assessments are also conducted to assess information systems at later phases in the life cycle and update Risk Assessment Reports (RARs) from earlier phases. These reports for as-built or as-deployed information systems typically include descriptions of known vulnerabilities in the systems, an assessment of the risk posed by each, and corrective actions that can be taken to mitigate the risks. The reports also include an assessment of the overall risk to the organization and the information contained in the information systems by operating the systems as evaluated. Risk assessment results at Tier 3 are communicated to organizational entities at Tier 1 and Tier 2.

Risk assessments can also be conducted at each step in the Risk Management Framework (RMF), as defined in NIST Special Publication 800-37. The RMF, in its system life cycle approach, operates primarily at Tier 3 in the risk management hierarchy with some application at Tier 2, for example, in the selection of common controls. Risk assessments can be tailored to each step in the RMF as reflected in the purpose and scope of the assessments. The benefit of risk assessments conducted as part of the RMF can be realized from both initial assessments and from updated assessments, as described below.

Security Categorization

Organizations can use initial risk assessments to inform the worst-case impact analysis required to categorize organizational information and information systems as a preparatory step to security control selection. Worst-case impact analyses from risk assessments can be used to define an upper bound on risk to organizational operations and assets, individuals, other organizations, and the Nation (i.e., for discrete risks without consideration for potential of risk aggregation).

Security Control Selection

Organizations can use risk assessments to inform and guide the selection of security controls for organizational information systems and environments of operation. Initial risk assessments can help organizations:

(i) select appropriate baseline security controls;

(ii) apply appropriate tailoring guidance to adjust the controls based on specific mission/business requirements, assumptions, constraints, priorities, trade-offs, or other organization-defined conditions; and

(iii) supplement the controls based on specific and credible threat information.

Threat data from risk assessments can provide critical information on adversary capabilities, intent, and targeting which may affect the decisions by organizations regarding the selection of additional security controls including the associated costs and benefits. Organizations also consider risk assessment results when selecting common controls (typically a Tier 2 activity) that provide one or more potential single points of failure because of security capabilities inherited by multiple information systems. Updated risk assessments can be used by organizations to modify current security control selections based on the most recent threat and vulnerability data available.

Security Control Implementation

Organizations can use the results from initial risk assessments to determine the most effective implementation of selected security controls (e.g., there may be potential inherent vulnerabilities associated with one type of security control implementation versus another). Certain information technology products, system components, or architectural configurations may be more susceptible to certain types of threat sources and are subsequently addressed during control development and implementation. In addition, the strength of security mechanisms employed by organizations can reflect threat data from risk assessments, thereby significantly increasing the overall resilience of organizational information systems. Individual configuration settings for information technology products and system components can also eliminate attack vectors determined during the analysis of threat events documented in the most current risk assessments. Initial risk assessments can also be employed to help inform decisions regarding the cost, benefit, and/or risk trade-offs in using one technology over another or how security controls are effectively implemented in particular environments of operation (e.g., when certain technologies are unavailable and compensating controls must be used). Updated risk assessments can be used to help determine if current security control deployments remain effective given changes to the threat space over time.

Security Control Assessments

Organizations can use the results from security control assessments (documented in security assessment reports) to identify any residual vulnerabilities in organizational information systems and/or the environments in which those systems operate. Partial/full failure of deployed security controls or the complete absence of planned controls represents potential vulnerabilities that can be exploited by threat sources. Organizations can use the results from initial or updated risk assessments to help determine the severity of such vulnerabilities, which, in turn, can guide and inform organizational risk responses (e.g., prioritizing vulnerabilities, sequencing risk response activities, establishing milestones for corrective actions). Risk assessments can also be used by organizations to determine the type of security assessments conducted during various phases of the system development life cycle, the frequency of assessments, the level of rigor applied during the assessments, the assessment methods used, and the number of objects assessed.

Security Authorization

Organizations can use the results of initial risk assessments and the results from updated risk assessments conducted during the previous steps in the RMF to provide important risk-related information to authorizing officials. The risk responses carried out by organizations based on the risk assessments conducted result in known security states of organizational information systems and environments of operation. The residual risks determined from the risk assessments provide useful information needed by authorizing officials to make credible risk-based decisions on whether to operate those systems in the current security state or take actions to provide additional individuals, other organizations, or the Nation.

Security Control Monitoring

Organizations can update risk assessments on an ongoing basis by monitoring at an organization-defined frequency:

(i) the effectiveness of security controls;

(ii) changes to information systems and environments of operation; and

(iii) compliance with federal legislation, regulations, directives, policies, standards, and guidance.

The results from ongoing monitoring can provide information on new vulnerabilities which can be addressed through the risk assessment process in the same manner as described above. This illustrates the importance of employing risk assessments on an ongoing basis throughout the life cycle of the information systems that support core organizational missions/business functions.

Risk Communications and Information Sharing

In addition to preparing, conducting, and maintaining risk assessments, the manner and form in which risks are communicated across organizations is an expression of organizational culture. To be effective, communication of information security risks and related information needs to be consistent with other forms of risk communication within organizations. Similarly, the extent and form of risk-related information sharing is an expression of organizational culture, as well as legal, regulatory, and contractual constraints. To maximize the benefit of risk assessments, organizations should establish policies, procedures, and implementing mechanisms (including, for example, Security Content Automation Protocols) to ensure that appropriate information produced during risk assessments is effectively communicated and shared across all three tiers in the risk management hierarchy.

Risk assessments should not be viewed simply as one-time activities that provide total information for decision makers to guide and inform potential responses to risks from relevant threat sources. Rather, risk assessments should be viewed as important tools in the arsenal of risk management tools that are available to organizations and employed on an ongoing basis throughout the system development life cycle—with the frequency of the assessments and the resources applied during the assessments commensurate with the expressly defined purpose and scope of the assessments. Risk assessments are about developing information for decision makers that can be effectively used to support credible risk-based decisions throughout the life cycle of the information systems supporting the core missions and business functions of organizations. In the end, risk assessments address the potential adverse effects on organizational operations (including missions, functions, image and reputation), critical assets, individuals, other organizations in partnering relationships, and the economic and national security interests of the United States that arise from the operation and use of organizational information systems and the information processed, stored, and transmitted by those systems.