
Risk Assessment: Likelihood and Impact

  • Written by: Matthew McGill - Senior Information Security Consultant

Every organization is unique, which means the risks they each face are not the same. To protect your business effectively, you must first identify where the threats lie. Once you understand these risks, the next step is to assess how likely they are to occur and the potential impact on your organization.

This process is the cornerstone of any information security risk assessment. Clear risk awareness is critical when making decisions about cybersecurity—or any business operation. Without knowing the specific threats and how they might affect you, it’s impossible to take meaningful steps to mitigate them. That’s why understanding likelihood and impact for each threat is vital in the risk assessment process.

At HBS, our consultants perform information security risk assessments using a straightforward, proven four-step process. Let’s break down the essential elements of risk, impact, and likelihood through specific cybersecurity examples to help you get a clearer picture.

Keep it Simple

You don’t need a complex system in order to improve or support your organization’s security environment. However, your organization’s leaders need tools that show them where to spend time and resources in order to reduce potential risks to the company. That’s how risk assessments can shed light on the key factors in this decision-making process.

A better understanding of the system also helps out other members of your staff. Members of the IT department need to know what products and processes to put into place in order to limit potential risks. The more knowledge they have, the better they can work with leadership to determine and address security concerns. Sharing the risk assessment results with members of the IT team will help them understand where they’ll get the most from efforts to reduce risks.

The Risk Assessment Formula: Likelihood x Impact

The standard described in NIST SP 800-53 implies that a realistic assessment of risk requires an understanding of these areas:

  • Threats to an organization.
  • Potential vulnerabilities within the organization.
  • Likelihood and impacts of successfully exploiting the vulnerabilities with those threats.

A simple but effective risk equation to use in assessing risk is:

Risk = (Threat x Vulnerabilities) x Impact

  1. Threat

    A potential event that could cause harm—a phishing attack, for example.

  2. Vulnerability

    A weakness that makes you susceptible to the threat—e.g. unpatched software or a lack of employee security training.

  3. Likelihood

    How probable is it that the threat will exploit the vulnerability?

  4. Impact

    The extent of the damage or disruption if the threat successfully exploits the vulnerability.

Combining likelihood and impact produces a residual risk rating of Low, Medium or High. Each organization’s residual risk rating may differ based on the likelihood and impact that each control deficiency introduces.

You could also represent this concept with a simple chart like this one:

Risk Likelihood and Impact Matrix
For example, let’s consider the risk of a hacker getting access to a folder containing all of your public-facing marketing materials. That event may have a medium likelihood, but it has a very low impact. Those materials are already publicly available on your website, etc., so unauthorized access to them does no harm. That risk gets a Low rating.

But the formula changes if the risk is an employee in the Accounts Payable department clicking a phishing link. There’s at least a medium likelihood of one of those employees making this mistake. And the impact would be very high if a hacker got access to a user account that controls financial transactions. That risk gets a High rating.

Keep in mind that a very High impact rating could make a risk a top priority, even if it has a low likelihood. If a breach could shut down a hospital’s life-support equipment, for example, that risk obviously deserves serious consideration on your priority list.

If you’d like to read detailed guidelines on how to rate risks by various factors, consult NIST SP 800-30.

Defining Key Risk Concepts


Inherent Risk

This is the level of risk your organization faces before any security measures are applied. For example, if you don’t have email filtering or employee security training, your system is highly vulnerable to phishing attacks. Cybersecurity inherent risk reflects the raw risk in your environment when no controls are in place.

Residual Risk

After implementing security controls—firewalls, multi-factor authentication, security patches, etc.—you are left with residual risk. This is the risk that remains after mitigating measures have been applied.

Applying Mitigating Measures

Once you’ve identified the risks, you need to take action. Common risk mitigation techniques include:
  • Avoidance: Elimination of the cause of the risk—blocking access to risky websites for example.
  • Mitigation: Reducing the likelihood or impact of the risk—e.g. adding MFA to protect user accounts.
  • Transfer: Sharing risk with third parties, such as a cyber insurance company.
  • Acceptance: Acknowledging the risk and monitoring closely.

Risk Assessment in Action

Scenario: Over the past week, employees have received multiple emails offering time-sensitive deals from well-known retailers, urging them to click a link, or scan a QR code. This is a phishing campaign designed to trick staff into entering their credentials.

Threat: Phishing emails using urgency to manipulate staff.

Vulnerability: Lack of email security filtering and employee training, resulting in no alerts or action being taken.

Impact: If an employee clicks the link, it could lead to a compromised email account, allowing attackers to access sensitive information and send further malicious emails.

Likelihood: Given the widespread targeting and lack of defenses, the likelihood is high.

Risk: With high likelihood and moderate impact (compromised email), this scenario would be classified as a High risk.
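The matrix, the priority rule for very high impact, and the inherent-versus-residual distinction above can all be expressed as a small risk register. The following Python is an added example written for this post, not HBS tooling or the NIST method: the five-point scales, the score thresholds (1–4 Low, 5–9 Medium, 10–25 High), the rule that a very high impact always rates High, and the modelling of a control as a step down the likelihood or impact scale are all constructed assumptions; the register entries are the scenarios described in the text.

```python
from dataclasses import dataclass, replace

# Ordinal five-point scale used for both likelihood and impact (constructed for this example).
LEVELS = ["very low", "low", "medium", "high", "very high"]


def score(level: str) -> int:
    """Map a scale word to 1..5 so likelihood and impact can be multiplied."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level) + 1


def raw_score(likelihood: str, impact: str) -> int:
    """Likelihood x Impact on the 1..5 scales, i.e. a value from 1 to 25."""
    return score(likelihood) * score(impact)


def rate_risk(likelihood: str, impact: str) -> str:
    """Collapse the raw score into the Low / Medium / High rating of the matrix.

    Assumed thresholds (not from the article): 1-4 Low, 5-9 Medium, 10-25 High.
    A 'very high' impact is always rated High regardless of likelihood, which
    encodes the article's point that catastrophic impact can outrank low likelihood.
    """
    if impact == "very high":
        return "High"
    product = raw_score(likelihood, impact)
    if product <= 4:
        return "Low"
    if product <= 9:
        return "Medium"
    return "High"


@dataclass(frozen=True)
class Risk:
    name: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str


@dataclass(frozen=True)
class Control:
    """A mitigating measure, modelled as steps down the likelihood and/or impact scale (assumption)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


def apply_controls(risk: Risk, controls) -> Risk:
    """Return the risk as it looks after the controls; scales are clamped to the 1..5 range."""
    lik = score(risk.likelihood) - sum(c.likelihood_reduction for c in controls)
    imp = score(risk.impact) - sum(c.impact_reduction for c in controls)
    lik = min(max(lik, 1), 5)
    imp = min(max(imp, 1), 5)
    return replace(risk, likelihood=LEVELS[lik - 1], impact=LEVELS[imp - 1])


def assess(risk: Risk, controls=()) -> dict:
    """Inherent rating (no controls in place) and residual rating (after the listed controls)."""
    residual_risk = apply_controls(risk, controls)
    return {
        "name": risk.name,
        "inherent": rate_risk(risk.likelihood, risk.impact),
        "residual": rate_risk(residual_risk.likelihood, residual_risk.impact),
        "controls": [c.name for c in controls],
    }


RATING_ORDER = {"High": 3, "Medium": 2, "Low": 1}


def prioritize(risks) -> list:
    """Order a register highest rating first; ties are broken by the raw 1..25 score."""
    return sorted(
        risks,
        key=lambda r: (RATING_ORDER[rate_risk(r.likelihood, r.impact)], raw_score(r.likelihood, r.impact)),
        reverse=True,
    )


# Constructed register built from the scenarios in the article.
MARKETING_FOLDER = Risk("public marketing folder exposed", "unauthorized access",
                        "weak folder permissions", "medium", "very low")
AP_PHISHING = Risk("Accounts Payable user phished", "phishing",
                   "no training, no MFA on finance accounts", "medium", "very high")
RETAIL_PHISHING = Risk("retail-deal phishing campaign", "phishing with urgency",
                       "no mail filtering, no employee training", "high", "medium")

# Hypothetical controls and their assumed effect on the scales.
EMAIL_FILTERING = Control("email security filtering", likelihood_reduction=1)
SECURITY_TRAINING = Control("security awareness training", likelihood_reduction=1)
MFA = Control("MFA on email accounts", impact_reduction=1)

if __name__ == "__main__":
    for r in prioritize([MARKETING_FOLDER, AP_PHISHING, RETAIL_PHISHING]):
        print(f"{rate_risk(r.likelihood, r.impact):6s}  {r.name}")
    print(assess(RETAIL_PHISHING, [EMAIL_FILTERING, SECURITY_TRAINING]))
    print(assess(RETAIL_PHISHING, [EMAIL_FILTERING, SECURITY_TRAINING, MFA]))
```

Running the script lists the three register entries with the Accounts Payable phishing risk first (High, raw score 15), the retail phishing campaign second (High, 12) and the marketing folder last (Low, 3). The two assess calls show the retail campaign's inherent High rating dropping to Medium once filtering and training lower the likelihood, and to Low once MFA also lowers the impact of a stolen password; that remaining rating is the residual risk the article describes.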


Finding Help When You Need It

Reading through how to determine likelihood and impact can help you understand the first steps in your risk assessment process. But you’ll probably still need help from cybersecurity consultants to carry out a full assessment. These experts look over a number of key factors you may not have considered.

Cybersecurity consultants analyze your organization’s structure, policies, standards, technology, architecture, controls, and more to determine the likelihood and impact of potential risks. They will also review your current controls and evaluate their effectiveness.

Consultants also assess any gaps between your current security posture and where you want your organization to be. A core part of that process will be determining accountability and assigning risk ownership at the appropriate level and to the appropriate team. It’s important to have the right security measures in the right hands.


End Goal: An Acceptable Level of Risk

The end goal is to get to a level of risk that is acceptable to your management team. It’s important to evaluate and be aware of the risk in your environment so you can implement appropriate controls to mitigate this risk and secure sensitive information. Evaluating risk means understanding the two biggest factors of any security threat: likelihood and impact.

If you’re looking for a security partner to help you with your risk assessment, HBS is here to help. Contact us today to learn how we can secure your organization.
