Practitioners often struggle with linking security threat assessments with risk assessments. Let’s take some time to consider a diagram that brings the two together and then we can highlight some key points.

• Threat analysis should be informed by accurate and timely intelligence about threats and hazards
• Analysing opportunity is a critical consideration when undertaking the threat analysis
• The vulnerability analysis is a critical element of the threat assessments—we need to be very clear what the threat is targeting, otherwise the threat assessment may lack validity
• Analysing the combination of intent, capability and opportunity enables us to determine the likelihood of the threat occurring
• The combination of the likelihood of the threat occurring and the analysis of the asset vulnerability gives us the likelihood of the threat being successful
• The combination of the likelihood of success and the asset criticality give us the threat rating.

A risk statement should consist of two key elements:

• A disruptive event
• An outcome that disrupts important assets that may, in turn, disrupt your ability to achieve your objectives

A risk event may have several different outcomes meaning the combination of risk event and outcomes leads to different risks that may have different controls and risk ratings.

The risk likelihood analysis is influenced by two key elements:

• The likelihood of the threat occurring
• The risk event (as opposed to the risk consequence)

The risk consequence analysis is influenced by:

• The risk outcome
• Risk tolerance statements that describe the risk tolerance pertaining to a disruption to the asset under threat
• Asset vulnerability and criticality

The risk rating is influence by both the likelihood and consequence ratings of the risk, as well as other factors that may influence the management of the risk, including:

• The time available to implement risk controls
• The budget available to spend on risk controls—budgets often lack any contingency for additional spending requirements identified during the risk assessment
• The resources available to actually manage the risk.

During the risk evaluation process, you should consider:

• Risk appetite – what level of risks are acceptable given the risk controls
• Risk tolerance – what losses are acceptable for assets in approved risk categories
• Opportunity – To what extent does the opportunity in accepting the risk drive the risk management approach
• Exposure – when managing the risk, to what extent is the organisation or executive exposed to sanctions or reputational damage due to:
  • Failing to comply with legislative requirements
  • Failing to implement and adhere to processes that can withstand external scrutiny.

There can be several ways to treat risks, some of which may include:

• Treat – risks can be managed using agreed, budgeted and approved risk mitigation treatments
• Reduce likelihood – risk treatment strategies may focus on reducing the likelihood of the risk event occurring, with treatments potentially being directed at reducing the likelihood of the threat occurring
• Reduce consequence – risk treatments may focus on minimising the disruption resulting from the risk event occurring
• Terminate – decisions may be made to cancel the activity for which the threat and risk are focused
• Accept – the opportunity may be so significant that the decision is made to accept the risk and ensure the realisation of the benefit in doing so
• Transfer and track – the risk may be transferred to another entity and tracked by the transferring entity to ensure the ongoing management of that risk—to prevent a recurrence of the risk in the original entity.