
4: Conduct a Risk Assessment

The purpose of this step is to assess the level of risk to the IT system. The risk for a particular threat/vulnerability pair can be expressed as a function of the likelihood that a given threat source will attempt to exercise a given vulnerability, the magnitude of the impact should the threat source successfully exercise that vulnerability, and the adequacy of planned or existing security controls for reducing or eliminating risk.


The purpose of this instruction is to continue facilitating the implementation or improvement of a security program. This instruction specifically identifies the action steps needed to complete Step 4: Conduct a Risk Assessment, which is designed to establish or improve a Cybersecurity Program as identified in the NIST Cybersecurity Framework.


  • This instruction will use similar segments from Step 3: Create a Current Profile to assist in identifying and evaluating certain events that could possibly affect the IT environment in a negative manner.

Risk Management Approach

The agency’s overall risk management approach needs to be defined before proceeding with the cybersecurity implementation. The agency’s risk management program and cybersecurity program work together to protect against external threats and to keep the risk level of those threats minimal and acceptable to the agency.

The risk approach should be defined in the risk management strategy and it needs to specifically address cybersecurity risks.  

If the risk management approach is not defined properly or if there is not a risk management strategy in place, it is recommended that risk management is addressed immediately. Risk management is a complex, multifaceted activity that requires the involvement of the entire agency; senior leaders provide the strategic vision and objectives, while mid-level leaders plan, execute and manage projects, and individuals on the front lines operate the information systems that support the mission/business functions. Risk management strategy is based on NIST SP 800-30, 800-37, and 800-39.

The main components of risk management are:

  • Risk Management Strategy
  • Risk Assessment
  • Risk Response
  • Risk Monitoring

Without a proper risk management approach the agency will not be able to accurately identify the possible threats to, and vulnerabilities of, the systems, information, and assets it is working to protect. Using the risk assessment approach is the best way to identify threats, vulnerabilities, and risks.  

NOTE: If the agency does not have a risk management program, it may be in its best interest to begin that process now.

Once the agency has identified the potential threats, risks, and vulnerabilities, it needs to evaluate its findings to determine the likelihood of the occurrence for each. Each event should be categorized with one of the following threat level ratings: Critical, Major, Important, or Minor in order to prioritize the order in which each issue should be resolved. Issues that have been identified as critical should be resolved first and those identified as minor can be addressed at a later time due to the level of risk they present to the agency. Examples of a threat, the related vulnerabilities, the risks generated by the two, and the probability of each occurring can be seen in the table below: 


Threat: Unauthorized use of a wireless connection for malicious use.

Risk of Compromise: The exploitation of flaws could cause the loss of the confidentiality, integrity, or availability of an agency and/or catastrophic effects on the agency’s data, assets or operations.

Vulnerability and Probability:

  • An open, unsecured router with a broadcasted SSID: Almost Certain
  • A WEP encrypted router with a broadcasted SSID: Likely
  • A WPA2 encrypted router with a hidden SSID, but no additional authentication needed: Possible
  • A WPA2 encrypted router with a hidden SSID and additional user name and password authentication with password requirements, but no MAC filtering: Unlikely

Potential Threat Levels

  • Critical: A critical threat, risk, or vulnerability is any weakness or combination of weaknesses that, if exploited, could result in the loss of the confidentiality, integrity, or availability of an agency’s assets or data. Occurrences marked “Critical” should be expected to have severe or catastrophic effects on the agency’s assets or operations. It is likely that an exploit of this level will prevent the delivery of critical IT services.
  • Major: A major threat, risk, or vulnerability is any weakness or combination of weaknesses that, if exploited, could result in a compromise of the confidentiality, integrity, and/or availability of user data, or could result in a compromise of the integrity or availability of processing resources. It is likely that an exploit of this level will prevent the delivery of IT services within expected timeframes.
  • Important: An important threat, risk, or vulnerability is a weakness whose exploitation is not as substantial as a major weakness, but may have a negative impact on operations or may allow access to limited resources. It is likely that an exploit of this level may impact the ability to satisfactorily deliver IT services.
  • Minor: A minor threat, risk, or vulnerability is a weakness whose exploitation has a minimal impact on the system, users, and its information. An exploit of this level would have insignificant or no impact on delivering IT services as expected.

Degrees of Likelihood

The degrees of likelihood are categories that help the agency determine the probability of each event/issue occurring (each risk found in the assessment will fall into both a threat level category and a likelihood degree category).

  • Almost Certain: Events that fall into the “almost certain” category are expected to occur in most circumstances, as there is a history of a regular occurrence at other agencies or similar institutions. Not only does this event have the highest probability of being exploited, but it also provides a gateway for other exploitations to occur. It is imperative that the events that fall under this category be handled immediately.
  • Likely: Events that fall into the “likely” category have a higher probability of occurring than others and should be solved in a timely manner to avoid further exploitations. There is a strong possibility the event will occur, as there is a history of frequent occurrence at other agencies or similar institutions.
  • Possible: Events that fall into the “possible” category are not expected to occur, but there is a slight possibility that they may occur at some point in time. Events with a “possible” likelihood of occurring will not be among the more common risks, but should be addressed to prevent threat and exploit escalations caused by the initial risk being overlooked. Based on occurrences at other agencies or similar institutions, the occurrence of these events is doubtful.
  • Unlikely: Highly unlikely, but it may occur in exceptional circumstances. Any event in the “unlikely” category would require a multitude of factors and variables to be in place before it becomes an immediate risk. The event could happen, but probably never will based on occurrences at other agencies or similar institutions.

Threats and Risks

Threats and risks will fall under one or more of the following category types listed below. Identifying the type of risk/threat will help an agency separate and prioritize events. It will also help the agency develop the necessary resolutions to solve or prevent those events from occurring. 

  • Adversarial: An adversarial threat occurs when individuals, groups, or organizations seek to manipulate, abuse, or exploit an agency’s dependence on cyber resources.
  • Accidental: An accidental threat occurs when individuals, in the process of performing their everyday responsibilities, take unintentional actions.
  • Structural: A structural threat occurs when an agency’s equipment, controls, and/or software necessary to perform daily operations fail.
  • Natural or Environmental: A natural or environmental threat occurs when natural disasters and failures of critical elements outside the agency’s control negatively affect the cybersecurity environment that the agency depends on.

Risk Determination

After the risks are analyzed and regulations are put in place, the agency can begin to prioritize the issues needing to be addressed in descending order, starting with the events flagged as “most critical.” Those events determined to be acceptable to the agency can be retained, but plans should be put in place to manage the possible consequences should the risk take place. Even if the risk may be considered minor, it is important for the agency to review and apply any vendor-provided patches and upgrades in a timely manner.
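The prioritization described above, as an added example that is not part of this instruction: threat/vulnerability pairs are ordered by the threat level ratings and degrees of likelihood defined earlier (threat level first, likelihood as the tie-break), and the lower-rated items are split off as candidates for acceptance with contingency plans. The register uses the wireless router rows from the table above; the threat-level ratings attached to them and the acceptance cut-off are assumptions for illustration.

```python
from dataclasses import dataclass

# Ordinal scales exactly as the instruction names them, most urgent first.
THREAT_LEVELS = ("Critical", "Major", "Important", "Minor")
LIKELIHOODS = ("Almost Certain", "Likely", "Possible", "Unlikely")


@dataclass(frozen=True)
class RiskItem:
    vulnerability: str
    threat_level: str
    likelihood: str


def priority_key(item: RiskItem) -> tuple[int, int]:
    """Lower tuple sorts first. Threat level dominates, so Critical items are
    resolved before Major ones regardless of likelihood; likelihood breaks ties."""
    if item.threat_level not in THREAT_LEVELS:
        raise ValueError(f"unknown threat level: {item.threat_level!r}")
    if item.likelihood not in LIKELIHOODS:
        raise ValueError(f"unknown likelihood: {item.likelihood!r}")
    return (THREAT_LEVELS.index(item.threat_level), LIKELIHOODS.index(item.likelihood))


def prioritize(items: list[RiskItem]) -> list[RiskItem]:
    """Return items in the order they should be resolved, most urgent first."""
    return sorted(items, key=priority_key)


def partition(items: list[RiskItem], retain_from: str = "Important"):
    """Split into (resolve now, retain with contingency plans). Items rated at
    retain_from or lower are acceptance candidates; the cut-off is an agency
    policy choice, assumed here for illustration."""
    cut = THREAT_LEVELS.index(retain_from)
    ranked = prioritize(items)
    resolve = [i for i in ranked if priority_key(i)[0] < cut]
    retain = [i for i in ranked if priority_key(i)[0] >= cut]
    return resolve, retain


# Constructed register (deliberately unordered): the table's four wireless rows.
WIRELESS_RISKS = [
    RiskItem("WPA2 router, hidden SSID, user/password auth, no MAC filtering", "Important", "Unlikely"),
    RiskItem("WPA2 router, hidden SSID, no additional authentication", "Major", "Possible"),
    RiskItem("WEP router, broadcast SSID", "Critical", "Likely"),
    RiskItem("Open, unsecured router, broadcast SSID", "Critical", "Almost Certain"),
]

if __name__ == "__main__":
    for rank, item in enumerate(prioritize(WIRELESS_RISKS), start=1):
        print(f"{rank}. [{item.threat_level} / {item.likelihood}] {item.vulnerability}")
```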

Control Recommendations

  • The best practices the agency can implement to reduce the likelihood of the risk occurring include preventive maintenance, audit and compliance programs, policies and procedures, testing, and training staff to abide by certain practices to assist with the securing process.
  • Additionally, an agency can reduce the results of the risk occurring through contingency planning, disaster recovery, and off-site back-ups. With these processes in place, the consequences of the risk, should they occur, will be minimized.
  • There are also options to outsource and transfer some of the responsibilities to joint vendors or partnerships. This can give the agency a hand in properly securing their data and assets, while also leaving certain areas of inexperience to parties who specialize in those particular fields.
  • The final option is to completely avoid an event from occurring by deciding not to proceed with the activity that would produce the risk, threat or vulnerability.

Risk Evaluation

  • In most agencies, the network itself will continually be expanded and updated, its components changed, and its software applications replaced or updated with newer versions. In addition, personnel changes will occur and security policies are likely to change over time. These changes mean that new potential risks will surface and risks previously mitigated may again become a concern. Because of this, the risk management process is ongoing and evolving.
  • The risk assessment process is typically repeated every few years; however, a risk management approach should be conducted and integrated so that IT systems effectively support the agency’s business objectives/mission. There should be a specific schedule for assessing and mitigating risks, but the process should also be flexible enough to allow changes where warranted (specifically, major changes to the IT system and processing environment resulting from policy changes and new technology).
  • A successful cybersecurity risk management program will rely on several key factors including, but not limited to: commitment from senior management, support and participation from the IT team, and the IT team’s expertise in applying the risk assessment methodology to a specific site and system. That same expertise will also be used to identify mission risks and provide cost-effective safeguards that meet the needs of the agency. Users will also need training on procedures and on compliance with the implemented controls in order to safeguard the mission of their agency. As previously stated, this is an ongoing process and there will always be a need to reevaluate and assess the IT-related mission risks.


Due to the nature of this step, it does not directly correlate to any of the functions or categories of the NIST Cybersecurity Framework. Since the agency is assessing its current cybersecurity program, though, all of the controls of a system are being assessed in a manner similar to the Security Assessment control family.