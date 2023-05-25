Companies use cybersecurity risk assessments to identify threats and vulnerabilities, estimate their potential impacts and prioritize the most critical risks.

How a company conducts a risk assessment will depend on the priorities, scope and risk tolerance defined in the framing step. Most assessments evaluate the following:

Threats are people and events that could disrupt an IT system, steal data or otherwise compromise information security. Threats include intentional cyberattacks (like ransomware or phishing) and employee mistakes (like storing confidential information in unsecured databases). Natural disasters, like earthquakes and hurricanes, can also threaten information systems.

Vulnerabilities are the flaws or weaknesses in a system, process or asset that threats can exploit to do damage. Vulnerabilities can be technical, like a misconfigured firewall that lets malware into a network or an operating system bug that hackers can use to take over a device remotely. Vulnerabilities can also arise from weak policies and processes, like a lax access control policy that lets people access more assets than they need.

Impacts are what a threat can do to a company. A cyberthreat could disrupt critical services, leading to downtime and lost revenue. Hackers could steal or destroy sensitive data. Scammers could use business email compromise attacks to trick employees into sending them money.

The impacts of a threat can spread beyond the organization. Customers who have their personally identifiable information stolen during a data breach are also victims of the attack.

Because it can be hard to quantify the exact impact of a cybersecurity threat, companies often estimate impact from qualitative inputs such as historical trends and accounts of attacks on other organizations. Asset criticality is also a factor: the more critical an asset is, the costlier an attack against it will be.

Risk combines how likely a potential threat is to affect an organization with how much damage that threat would do; many assessments express it as likelihood multiplied by impact. Threats that are likely to occur and likely to cause significant damage carry the most risk, while unlikely threats that would cause minor damage carry the least.

During risk analysis, companies consider multiple factors to assess how likely a threat is to materialize. Existing security controls, the nature of IT vulnerabilities and the kinds of data a company holds can all influence threat likelihood. Even a company's industry can play a role: the X-Force Threat Intelligence Index found that organizations in the manufacturing and finance sectors face more cyberattacks than organizations in transportation and telecommunications.

Risk assessments can draw on internal data sources, like security information and event management (SIEM) systems, and external threat intelligence. They may also look at threats and vulnerabilities in the company's supply chain, as attacks on vendors can affect the company.

By weighing all of these factors, the company can build its risk profile: a catalog of its potential risks, ranked by criticality level. The higher a risk scores, the higher its priority for treatment.
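The following is an added example, not code from the original article: a small risk register that turns the factors above (threat, vulnerability, asset criticality, existing controls) into a ranked risk profile. The scoring scheme is an assumption modelled on a common 5x5 likelihood/impact matrix: likelihood and impact are rated 1 to 5, controls lower the effective likelihood, asset criticality raises the effective impact, and the tier thresholds are illustrative. The register entries are constructed sample data, and the `with_control` method shows how adding a control changes where a risk lands in the profile.

```python
"""Added example of a qualitative risk register (not the article's own method).

Assumed scoring scheme:
  - likelihood and impact: 1 (lowest) .. 5 (highest), before any adjustment
  - control_effectiveness: 0 (no control) .. 4 (strong, tested control);
    subtracted from likelihood, never pushing it below 1
  - criticality: 1 (routine asset) .. 3 (business-critical asset);
    each level above 1 adds one point of impact, capped at 5
  - score = effective likelihood * effective impact, range 1 .. 25
  - tier thresholds (illustrative): >=15 Critical, >=8 High, >=4 Medium, else Low
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    threat: str
    vulnerability: str
    asset: str
    likelihood: int
    impact: int
    criticality: int = 1
    control_effectiveness: int = 0

    def __post_init__(self):
        # Reject ratings outside the scale so a typo cannot silently distort the ranking.
        bounds = {
            "likelihood": (self.likelihood, 1, 5),
            "impact": (self.impact, 1, 5),
            "criticality": (self.criticality, 1, 3),
            "control_effectiveness": (self.control_effectiveness, 0, 4),
        }
        for name, (value, lo, hi) in bounds.items():
            if not lo <= value <= hi:
                raise ValueError(f"{name} must be in {lo}..{hi}, got {value}")

    def effective_likelihood(self) -> int:
        # Existing controls make a threat less likely to succeed, but no control
        # makes an attack impossible, so the floor is 1.
        return max(1, self.likelihood - self.control_effectiveness)

    def effective_impact(self) -> int:
        # Attacks on more critical assets cost more; criticality 1 leaves impact unchanged.
        return min(5, self.impact + (self.criticality - 1))

    def score(self) -> int:
        return self.effective_likelihood() * self.effective_impact()

    def with_control(self, effectiveness: int) -> "Risk":
        # "What if" helper: the same risk after a control of the given strength is added.
        return replace(self, control_effectiveness=effectiveness)


def tier(score: int) -> str:
    if score >= 15:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def build_risk_profile(risks):
    """Return (tier, score, risk) tuples, highest score first; ties broken by threat name."""
    ranked = sorted(risks, key=lambda r: (-r.score(), r.threat))
    return [(tier(r.score()), r.score(), r) for r in ranked]


# Constructed sample register (hypothetical organization, hypothetical ratings).
SAMPLE_REGISTER = [
    Risk("Ransomware", "unpatched VPN appliance", "ERP system",
         likelihood=4, impact=5, criticality=3, control_effectiveness=1),
    Risk("Business email compromise", "no out-of-band payment verification", "finance mailbox",
         likelihood=5, impact=3, criticality=2, control_effectiveness=2),
    Risk("Vendor compromise", "payroll provider with broad API access", "payroll data",
         likelihood=3, impact=4, criticality=2, control_effectiveness=1),
    Risk("Mishandled confidential data", "confidential records in an unsecured database", "HR database",
         likelihood=3, impact=4, criticality=1, control_effectiveness=1),
    Risk("Earthquake", "single-site file server", "regional file server",
         likelihood=1, impact=3, criticality=1, control_effectiveness=2),
]


if __name__ == "__main__":
    for t, s, r in build_risk_profile(SAMPLE_REGISTER):
        print(f"{t:8} {s:2}  {r.threat} -> {r.asset} (via {r.vulnerability})")
    hardened = SAMPLE_REGISTER[0].with_control(4)
    print(f"Ransomware after a strong patching control: {hardened.score()} ({tier(hardened.score())})")
```

The ranking is deterministic (ties fall back to the threat name), which matters when the profile is regenerated after each review cycle and diffed against the previous one. Note that controls only reduce likelihood in this scheme; a control that limits blast radius (segmentation, backups) would more naturally reduce impact, and a real register should record which of the two each control affects.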