From the course: CRISC Cert Prep: 2 IT Risk Assessment

Basic risk assessment techniques

- [Instructor] There are a considerable number of ways that you can assess IT risk within an organization. In fact, ISACA touches on so many different techniques that I'm going to split them across two videos to make sure I can cover them all. In practice, you'll likely use multiple techniques throughout your own risk assessment work. The techniques you choose first are often driven by the way your organization perceives risk.

Most conversations about risk start with a risk scenario: if something bad happens related to our IT resources, how bad would that be for the business? That question is actually a good intro to our first risk assessment technique, scenario analysis. When you assess risk using scenario analysis, you propose an event that might happen in the future and you work your way back from there. If our organization is hit by ransomware, how much would that attack disrupt or damage the business? That "what if" approach is the foundation for a number of workshop-based risk assessment techniques. Brainstorming is the name for the technique where you bring a group of folks together to discuss risks based on prompts that you provide. This technique is also called structured or semi-structured interviews. The structured what-if technique, or SWIFT, is very similar to brainstorming, but the key difference is that brainstorming often feels more freestyle or conversational, while SWIFT follows a more defined structure, hence the name. The Delphi method is another what-if style technique, but it relies on documented questionnaires that are distributed to experts throughout your organization. Respondents are expected to go through this process at least twice to help drive collaboration and consensus.

You can also take a list-based approach to performing your assessments. The checklist approach starts with a list of threats that may be relevant to your organization. You could come up with that list on your own, or you could find it in the appendix of a NIST special publication or an ISO standard. When you use this technique, you usually work your way down the list, checking off each threat as you address it.

Some techniques assess risk through a very focused lens. If you want to focus on people, you might use the human reliability analysis, or HRA, technique. This approach is great for assessing social engineering risks or risks associated with manual activities. If you want to focus on your technology, you may find the sneak circuit analysis technique helpful. This technique seeks out potential errors in the design of hardware or software, errors that an attacker might be able to exploit to their benefit. And if you want to focus on process risks, you could use the hazard analysis and critical control points, or HACCP, technique. This approach is geared toward preventing risks from taking root by addressing formal operational limits and looking for things in your environment that fall outside of those norms.

There's an entire family of risk assessment techniques that begin with a focus on hazards. Preliminary hazard analysis is a technique that relies on a list of threats or hazards that you think might harm your organization's facilities, their systems, or their activities. Hazard and operability study, or HAZOP, focuses on the risks most likely to manifest if you deviate from defined processes or procedures. Layers of protection analysis, or LOPA, builds on that HAZOP data, adding in some quantitative measurement of risk by factoring in the effectiveness of your current controls.

There are even a couple of risk assessment techniques that focus on physical risks. The reliability centered maintenance technique looks at how physical assets function in an effort to determine how failures might occur. Since all of our systems and applications rely on physical hardware, this technique tends to uncover availability risks. And when you want to take a holistic look at all the environmental factors that could harm your IT operations, everything from hurricanes to fires to tornadoes to floods, then an environmental risk assessment can be very helpful.
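The quantitative step that LOPA adds on top of HAZOP output, as an added Python example (not part of the course material): the frequency of an initiating event is multiplied by the probability of failure on demand (PFD) of each independent protection layer, and the residual frequency is compared with a tolerable target. The ransomware scenario, the layer names, the PFDs and the tolerable frequency are all constructed values for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectionLayer:
    """An independent protection layer (IPL) and its probability of failure on demand."""
    name: str
    pfd: float  # probability the layer fails to stop the event when called upon, in (0, 1]


def mitigated_frequency(initiating_freq: float, layers: list[ProtectionLayer]) -> float:
    """LOPA core formula: f_mitigated = f_initiating * product(PFD of each layer).

    Each factor is the chance that a layer lets the scenario through, so the product
    is the per-year frequency at which the consequence is actually realised.
    """
    if initiating_freq < 0:
        raise ValueError("initiating event frequency must be non-negative")
    result = initiating_freq
    for layer in layers:
        if not 0.0 < layer.pfd <= 1.0:
            raise ValueError(f"{layer.name}: PFD must be in (0, 1], got {layer.pfd}")
        result *= layer.pfd
    return result


def risk_gap(mitigated: float, tolerable: float) -> float:
    """How many times the residual frequency exceeds the tolerable target (<= 1.0 means met)."""
    return mitigated / tolerable


def max_pfd_for_new_layer(mitigated: float, tolerable: float) -> float:
    """Largest PFD one additional independent layer may have to close the gap (1.0 if none needed)."""
    return min(1.0, tolerable / mitigated)


# Constructed scenario: phishing-delivered ransomware, with the HAZOP-style deviation
# "user opens a malicious attachment" as the initiating event. Numbers are illustrative only.
INITIATING_EVENTS_PER_YEAR = 0.5
LAYERS = [
    ProtectionLayer("mail filtering blocks the attachment", 0.1),
    ProtectionLayer("EDR stops execution", 0.1),
    ProtectionLayer("immutable offline backups restore the data", 0.05),
]
TOLERABLE_EVENTS_PER_YEAR = 1e-4  # constructed management target

if __name__ == "__main__":
    residual = mitigated_frequency(INITIATING_EVENTS_PER_YEAR, LAYERS)
    print(f"residual frequency: {residual:.2e} / year")
    print(f"gap vs tolerable:   {risk_gap(residual, TOLERABLE_EVENTS_PER_YEAR):.1f}x")
    print(f"a new layer needs PFD <= {max_pfd_for_new_layer(residual, TOLERABLE_EVENTS_PER_YEAR):.2f}")
```

With these constructed numbers the three layers still leave the residual frequency 2.5 times above target, which is the kind of control-effectiveness conclusion LOPA is meant to surface.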
