How do you assess IT Risk ?? Please share your way of assessing IT Risk ...

Hi all, I would like to discuss about various IT risk assessment methodologies and the methodology you prefer.

Here's the method we follow.

It's gonna be qualitative methodology.

Formula to calculate risk : Risk = Asset value * Threat * Vulnerability.

High - 3, Medium -2, Low -1

Asset value : Highest value in AIC. (Availability, Integrity, Confidentiality)
AIC values will be given based on the impact on loss of AIC for each asset.
example : A Database server of critical application will be given High for all three Availability, Integrity,Confidentiality.
whereas for a user workstation, availability will have less value and that's not gonna matter since highest value in AIC triad is taken as asset value.

Threat : Common threats are considered for a newly provisioned IT asset. i.e. Hardware failure, configuration failure, power failure, unauthorized access and many. Apart from these, threats found from VAPT will be included.

Vulnerability : It's calculated on account of likelihood of occurrence. We usually check the control gap for a respective threat and vulnerability is calculated based on likelihood.

Example : As we spoke about a DB server.

Asset value =High = 3.

Threat = unauthorized access = High = 3
Vulnerability = inadequate access control = High = 3

Hence Total risk = 27

Another example.

Asset value = High = 3

Threat = Database corrupted = High = 3

Control Implemented : Log shipping on Database is set to 60 minutes.

Vulnerability = Data loss = Medium = 2

Hence Total risk = 18

For us accepted risk value is <=9. Anything more than that, has to undergo risk treatment plan.

I know our methodology is simple. But we wish to enhance and more accurate.

Kindly share your methodology and the flaw you find in our method.

Cheers

- G

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

chickenlicken09

not sure but may get more of a response in the CISSP thread.

philz1982

I like this site when I am doing quantitative assessments.

Risk mgmt

Cyberscum

The method you are using does not factor in alot of things and although in theory its a risk assessment, its weak at most.

Please follow this if you have time and manpower:

http://www.google.com/url?url=http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf&rct=j&frm=1&q=&esrc=s&sa=U&ei=mlvCVKLBFof4yQTXyoHwAg&ved=0CBQQFjAA&usg=AFQjCNE_C77zBP4z30WTnhO16MxCq38zUA

philz1982

Cyberscum wrote: »

The method you are using does not factor in alot of things and although in theory its a risk assessment, its weak at most.

Please follow this if you have time and manpower:

http://www.google.com/url?url=http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf&rct=j&frm=1&q=&esrc=s&sa=U&ei=mlvCVKLBFof4yQTXyoHwAg&ved=0CBQQFjAA&usg=AFQjCNE_C77zBP4z30WTnhO16MxCq38zUA

I like to use 30 if they are ok with it. Some folks want other stuff, it seems to be based on how early you influence the selection of the framework.