Cyber Risk Assessment: A Guide with the Complete Checklist

Cybercriminals will steal an estimated 33 billion records in 2023, according to a 2018 study from Juniper Research. That compares with the 12 billion records Juniper expected to be stolen in 2018. "Records include personal information you share with various entities. It might include your name, address, credit card information, or Social Security number," according to Norton by Symantec.

The news is unfortunate: everyone knows that the risk of cyber attacks, data leaks, and security breaches is growing, but the estimated rate is alarming. According to the above estimate, cybercriminals will steal 21 billion more records in 2023 than in 2018, a 175% increase in five years.

With the growing risk of cyber attacks comes the need for every organization to assess its security posture, i.e., to do a cyber risk assessment. A cyber risk assessment identifies potential risks so that they can be mitigated before they turn into incidents. But how do you perform one? Let's look at the process in detail.

What is Cyber Risk Assessment?

Cyber risk assessment, also known as cybersecurity risk assessment, is the process of identifying and evaluating the cybersecurity risks an organization faces so that it can manage the threats behind them and implement measures that harden its security.

Without a cyber risk assessment, your organization cannot verify that its defenses are adequate, and executives or decision-makers cannot make informed decisions about where to invest in security. After all, you cannot protect an asset from a danger you have not identified, nor without knowing where your own strengths and weaknesses lie. And if your organization experiences a cyberattack or data breach, it may never recover from the incident, given the penalties and other costs that follow.

For instance, Equifax, one of the three largest credit bureaus in the US, disclosed in September 2017 that it had been hacked. The attackers stole the personal records of more than 147 million US citizens. As a result, Equifax agreed to pay more than US$650 million to affected consumers in what was then the largest data breach settlement ever. That's not all; Equifax lost far more in legal costs, penalties, and system upgrades. It is a sobering example of why every organization should do a cyber risk assessment.

Steps to do Cyber Risk Assessment

Since it's clear that every organization must regularly perform a cybersecurity risk assessment, let's walk through the step-by-step process.

Step 1: Identify the Company Assets

The first step is to find, identify, and scope the assets in your organization. An asset is any valuable information or resource: client information, hardware and software, intellectual property, proprietary information, and so on.

After identifying the assets, prioritize them by their importance. A resource that is valuable to your organization is also valuable to cybercriminals, so it is more likely to be targeted, compromised, or stolen, and therefore deserves higher priority.

Step 2: Find Potential Consequences

The next step is to determine the consequences of each asset being compromised or stolen, given its importance to the organization. A consequence can be a direct financial loss or any other impact, such as downtime, penalties, or reputational damage, that losing the asset would have on your organization.

Step 3: Identify Potential Threats

The third step is to identify the potential threats to your organization's assets, given their importance and priority. A threat is anything, whether an attacker, an insider, or an event, that could breach your organization's security, gain access to your assets, and harm or steal them in any manner, online or offline.

Step 4: Find Potential Vulnerabilities

The next step is to look for the vulnerabilities an attacker could exploit to realize a threat and breach your organization's security. A vulnerability is a weakness or weak spot in your organization's security posture. Common categories include physical vulnerabilities (damaged or old equipment), digital vulnerabilities (outdated software and misconfiguration), and human factors (careless or untrained employees).

Step 5: Evaluate the Risks Involved

The fifth step is to assess the potential risks. A risk is the potential that a threat will exploit a vulnerability in your organization and cause damage to or theft of one or more assets, leading to loss.

The rule of thumb says that risk equals asset importance times threat probability times vulnerability probability. Because the factors are multiplied, all three have to be high for the risk to be very high: an important asset facing a likely threat still carries only a moderate risk if the vulnerability probability is low, and if any factor is zero the risk is zero. In practice a factor is rarely exactly zero, since no asset is entirely free of threats or weaknesses.

Step 6: Analyze and Add Controls

The next step is to analyze the security controls already in place to eliminate or minimize the probability of a threat or vulnerability, and to decide which additional controls are needed. Controls can be hardware-based (like biometrics or two-factor authentication), software-based (such as automatic update management, data leak prevention, and intrusion detection and prevention systems), or physical (like keycard access and security guards).

Step 7: Calculate Likelihood and Impact

The seventh step is to assess the probability and impact of the various scenarios on an annual basis. For each risk, estimate how likely it is to be attempted in a year, how likely an attempt is to succeed, and what a successful incident would cost your organization; the expected cost of one incident multiplied by the number of incidents expected per year gives the annualized loss expectancy. Then work out how much your organization should reasonably spend to mitigate each risk, which should not exceed the loss the mitigation is expected to prevent.

Step 8: Prioritize Risks per Their Costs

The next step is to prioritize the risks and their mitigation programs by weighing the cost of prevention against the value of what is being protected. A risk with a high expected loss but a low mitigation cost belongs at the top of the list. This list determines the mitigation strategy your organization implements next to better prepare for potential cyber risks.

Step 9: Document Results in the Report

The final step is to document your findings in the cyber risk assessment report. Ideally, this report gives your organization's executives or decision-makers what they need to decide on budget, policies, procedures, and the next steps for improving the security infrastructure of your organization.
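Steps 5 through 9 above, carried through as a small risk register. This is an added worked example, not code from the original article or from any vendor: it scores each scenario with the importance × threat × vulnerability rule of thumb, annualizes the expected loss, ranks candidate controls by the expected loss they remove minus what they cost, and prints the resulting table for the report. Every asset, threat, control, scale, threshold, and dollar figure below is constructed for illustration and is an assumption, not data from a real assessment.

```python
"""Minimal quantitative risk register (added example, constructed data).

Scores scenarios with the Step 5 rule of thumb, annualizes expected loss as in
Step 7 (single-loss cost x annual rate of occurrence), ranks controls for Step 8
by net annual benefit, and renders the Step 9 report as plain text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str
    vulnerability: str
    importance: int         # 1-5: value of the asset to the organization
    threat_likelihood: int  # 1-5: chance the threat is attempted in a year
    vuln_likelihood: int    # 1-5: chance an attempt succeeds
    single_loss: float      # cost of one successful incident (USD)
    aro: float              # successful incidents expected per year


@dataclass(frozen=True)
class Control:
    name: str
    asset: str              # scenario this control addresses (by asset name)
    annual_cost: float      # what it costs to run per year (USD)
    reduction: float        # fraction of the scenario's annual loss it removes


def risk_score(s: Scenario) -> int:
    """Step 5 rule of thumb; any factor of zero drives the product to zero."""
    return s.importance * s.threat_likelihood * s.vuln_likelihood


def risk_level(score: int) -> str:
    """Bucket a 1-125 score; the thresholds are an assumption for this example."""
    if score >= 75:
        return "critical"
    if score >= 40:
        return "high"
    if score >= 15:
        return "medium"
    return "low"


def annual_loss_expectancy(s: Scenario) -> float:
    """Step 7: expected loss per year = single-loss cost x annual rate of occurrence."""
    return s.single_loss * s.aro


def evaluate_control(c: Control, s: Scenario) -> dict:
    """Step 8: compare what a control saves per year with what it costs."""
    avoided = annual_loss_expectancy(s) * c.reduction
    return {
        "control": c.name,
        "asset": s.asset,
        "risk_level": risk_level(risk_score(s)),
        "ale": annual_loss_expectancy(s),
        "avoided_loss": avoided,
        "annual_cost": c.annual_cost,
        "net_benefit": avoided - c.annual_cost,
        # A control that costs more than it saves is a candidate for accepting
        # the risk instead; flag it rather than silently ranking it last.
        "worth_funding": avoided > c.annual_cost,
    }


def prioritize(scenarios: list, controls: list) -> list:
    """Rank controls by net annual benefit, highest first."""
    by_asset = {s.asset: s for s in scenarios}
    rows = [evaluate_control(c, by_asset[c.asset]) for c in controls]
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


def report(rows: list) -> str:
    """Step 9: a plain-text table the decision-makers can read."""
    lines = [f"{'control':<34} {'risk':<9} {'ALE':>10} {'avoided':>10} {'cost':>9} {'net':>10}  fund?"]
    for r in rows:
        lines.append(
            f"{r['control']:<34} {r['risk_level']:<9} {r['ale']:>10,.0f} "
            f"{r['avoided_loss']:>10,.0f} {r['annual_cost']:>9,.0f} "
            f"{r['net_benefit']:>10,.0f}  {'yes' if r['worth_funding'] else 'no'}"
        )
    return "\n".join(lines)


# Constructed sample register (illustrative values only, not real data).
SCENARIOS = [
    Scenario("customer-db", "credential stuffing", "no MFA on admin portal", 5, 5, 4, 400_000, 0.5),
    Scenario("file-server", "ransomware", "unpatched SMB service", 4, 4, 3, 250_000, 0.3),
    Scenario("marketing-site", "defacement", "outdated CMS plugin", 2, 3, 4, 20_000, 1.0),
    Scenario("lobby-kiosk", "physical theft", "device not secured", 1, 2, 2, 2_000, 0.2),
]

CONTROLS = [
    Control("Enforce MFA on admin portal", "customer-db", 15_000, 0.9),
    Control("Patch SMB and segment file server", "file-server", 30_000, 0.8),
    Control("Weekly CMS plugin updates", "marketing-site", 5_000, 0.7),
    Control("Anchor kiosk to the floor", "lobby-kiosk", 500, 0.9),
]

if __name__ == "__main__":
    print(report(prioritize(SCENARIOS, CONTROLS)))
```

Ranking by net benefit rather than by raw risk score is what puts a cheap fix for a costly risk at the top, as Step 8 asks; in the sample data the MFA control lands first, while the kiosk control costs more per year than the loss it avoids and is flagged as not worth funding, which is the cue to accept that risk and spend the money elsewhere.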