This is an overview of risk assessment. The risk assessment methodology will be based on the Singapore CSA guide.
CSA Risk Assessment Guide for CII
Firstly, many would wonder why we do risk assessments. What purpose and objectives do organizations want to achieve through them?
The goals of risk assessment are:
1. Identify “what could go wrong” events
These events are often the result of malicious/intrusive acts by an adversary that may lead to undesired business consequences.
For example, if you have an internet web application that public users can access, you may wonder what could go wrong in this situation. The risk assessment digs into such a scenario and uncovers the risks associated with it.
2. Determine the levels of cybersecurity risk that the organization is exposed to
A good understanding of the risk levels would allow an organization to dedicate adequate action and resources to treat risks of the highest priority.
Many organizations that do not perform risk assessments may not be aware of the risks they are exposed to. This lack of risk management can lead to various complications.
An example would be a cyber attack on the organization’s database server in which the adversary exploited a vulnerable, unpatched service to obtain remote code execution, resulting in the leak of many customers’/users’ data.
Because the organization did not have risk controls in place, it may be held fully liable, as no “best effort”/“due diligence” was performed by the organization storing users’ data.
3. Create a risk-aware culture within the organization
Risk assessment is an iterative process that involves engaging employees to think about technology risks and how they align with business objectives.
As most cyber security professionals may have heard, the weakest link in any security mitigation is always the human. It is extremely important for employees to be aware of technology risks, as security is only as good as its weakest link.
