The 5 Steps of a Cybersecurity Risk Assessment

Today’s organizations are constantly bombarded with cybersecurity threats. IT managers frequently lose sleep over botnets, malware, worms and hacking. Rather than reach for a sleep aid, organizations need a clear methodology for prioritizing and addressing cybersecurity risks. Here are five clear steps to develop a solid foundation for a security strategy.

1. Identify Information Assets 

Consider primary types of information that the organization handles (e.g., social security numbers, payment card numbers, patient records, designs) and make a priority list of what needs to be protected. 

2. Locate Information Assets

Identify and list where each item on the information asset list resides (e.g., file servers, workstations, laptops, removable media, PDAs and phones, databases).

3. Classify Information Assets

Assign a rating to your information asset list. Consider a 1-5 priority scale, with the following categories: (1) public information, (2) internal, but not secret, information, (3) sensitive internal information, (4) compartmentalized internal information, and (5) regulated information. This type of classification allows the organization to rank information assets based on the amount of harm that would be caused if the information was disclosed or altered.

4. Conduct a Threat Modeling Exercise 

Rate the threats that the top-rated information assets face. One option is to use Microsoft’s S.T.R.I.D.E. method, which is simple, clear and covers most of the top threats. Develop a spreadsheet for each asset, listing the following S.T.R.I.D.E. categories:

Spoofing of identity

Tampering with data

Repudiation of transactions

Information disclosure

Denial of service

Elevation of privilege   

In the spreadsheet, list the data locations identified in Step 2. For each cell, make estimates of both the probability of this threat actually being carried out against the asset at the location in question and the impact that a successful exploitation of a weakness would have on the organization. Use a 1-10 scale in which 1 is “not very likely” and “minimal impact” and 10 is “quite probable” or “catastrophic.” Then multiply those two numbers together and put the total for each location into cells. The spreadsheet should be populated with numbers from 1 to 100.

5. Finalize Data and Start Planning

Multiply the total in each cell in all the worksheets by the classification ranking assigned to the asset in Step 3. The final total will give you a rational and comprehensive ranking of all the cyber threats posed to the organization’s information. A reasonable security plan will start by tackling the risks with the highest totals and then assign a lower priority to mitigating those with lower totals. In an ideal world, you will find a way to lessen all your risks, but be sure to take care of the big threats first.
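Steps 3 to 5 above carried through as an added worked example (not code from the article or its author): each spreadsheet cell is probability × impact on the 1-10 scales from Step 4, the Step 5 total multiplies that cell by the Step 3 classification, and the result is ranked highest first. The asset names, locations and estimates are constructed sample values, and the range checks are an assumption about how to keep the sheet honest.

```python
from dataclasses import dataclass

# S.T.R.I.D.E. threat categories listed in Step 4.
STRIDE = ["Spoofing of identity", "Tampering with data", "Repudiation of transactions",
          "Information disclosure", "Denial of service", "Elevation of privilege"]


@dataclass(frozen=True)
class Estimate:
    """One spreadsheet cell: an asset at a location facing one STRIDE threat."""
    asset: str
    classification: int   # Step 3 rating, 1 (public) to 5 (regulated)
    location: str         # Step 2 location (file server, laptop, database, ...)
    threat: str           # one of the STRIDE categories
    probability: int      # Step 4 estimate, 1 (not very likely) to 10 (quite probable)
    impact: int           # Step 4 estimate, 1 (minimal) to 10 (catastrophic)


def validate(e: Estimate) -> None:
    """Reject entries outside the scales the method defines (assumed check)."""
    if not 1 <= e.classification <= 5:
        raise ValueError(f"classification must be 1-5: {e}")
    if e.threat not in STRIDE:
        raise ValueError(f"unknown STRIDE category: {e.threat}")
    if not (1 <= e.probability <= 10 and 1 <= e.impact <= 10):
        raise ValueError(f"probability and impact must be 1-10: {e}")


def cell_score(e: Estimate) -> int:
    """Step 4: probability x impact, so every cell lands between 1 and 100."""
    return e.probability * e.impact


def final_score(e: Estimate) -> int:
    """Step 5: cell total x classification ranking, between 1 and 500."""
    return cell_score(e) * e.classification


def rank(estimates: list[Estimate]) -> list[Estimate]:
    """Validate every cell, then order the risks highest total first."""
    for e in estimates:
        validate(e)
    return sorted(estimates, key=final_score, reverse=True)


# Constructed sample spreadsheet (illustrative values, not from the article).
SAMPLE = [
    Estimate("payment card numbers", 5, "database", "Information disclosure", 6, 9),
    Estimate("payment card numbers", 5, "laptops", "Information disclosure", 7, 8),
    Estimate("marketing brochure", 1, "file server", "Tampering with data", 8, 3),
    Estimate("patient records", 5, "removable media", "Information disclosure", 5, 10),
    Estimate("product designs", 3, "workstations", "Elevation of privilege", 4, 7),
]

if __name__ == "__main__":
    for e in rank(SAMPLE):
        print(f"{final_score(e):4d}  {e.asset} @ {e.location}: {e.threat}")
```

Note that the brochure cell has a higher probability than any other yet ranks last, because the Step 3 classification pulls low-value assets down the list.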

Source: Risk Management, by Peyton Engel, a data security expert at CDW, a leading supplier of technology products and services to business, government and educational institutions.


Professor, Ambassador and Commander MSc. Marcos Assi, CCO, CRISC, ISFS – Managing Partner of MASSI Consultoria e Treinamento Ltda, a firm specializing in Corporate Governance, Compliance, Risk Management, Internal Controls, Process Mapping, Information Security and Internal Audit. The firm specializes in serving Credit Cooperatives and is accredited by SESCOOP throughout Brazil for consulting and training. Master’s degree in Accounting and Actuarial Sciences from PUC-SP, Bachelor’s degree in Accounting from FMU, with a Graduate Degree in Internal Audit and Forensic Accounting from FECAP, Certified Compliance Officer (CCO) from GAFM, Certified in Risk and Information Systems Control (CRISC) from ISACA and Information Security Foundation (ISFS) from EXIN.