Risk Assessment with the SPE model

Risk lies around every corner and should be expected at any time. In the world of IT, risk is inherently everywhere and comes in many shapes and forms. Consequently, the task of writing down all possible risks threatening an IT infrastructure can be daunting and never-ending.

However, brainstorming all possibilities of threats looming around IT systems is an absolutely necessary job to know what, when, where and how to defend.

What is a risk assessment?

Risk assessment in cybersecurity is a systematic process that involves identifying, evaluating, and prioritizing potential risks and threats to an organization's information systems, data, and digital assets.

The goal of a cybersecurity risk assessment is to understand the potential impact of various security threats and vulnerabilities and make informed decisions about how to mitigate or manage these risks effectively.

7 steps of risk assessment in cybersecurity

1. Risk Identification: This step involves identifying all potential security threats and vulnerabilities that could affect the organization's information systems. This can include external threats like hackers, malware, and phishing attacks, as well as internal risks like unauthorized access by employees or system failures.
2. Risk Assessment: In this phase, the identified risks are assessed based on two main factors: the likelihood of the risk occurring and the potential impact it could have. The assessment can be qualitative (low, medium, high) or quantitative (assigning numerical values to likelihood and impact) based on the organization's preferences and available data.
3. Risk Evaluation: After assessing the risks, they are evaluated to determine which ones pose the most significant threat to the organization. This involves considering both the likelihood of the risk occurring and the potential impact it could have on the organization's operations, data integrity, reputation, and more.
4. Risk Mitigation: Once risks are identified and evaluated, organizations develop strategies to mitigate or reduce those risks. Mitigation strategies can include implementing security controls, using encryption, conducting regular security training for employees, and adopting best practices for network and system management.
5. Risk Acceptance: Some risks might be deemed acceptable, especially if the cost of mitigation outweighs the potential impact of the risk. In such cases, organizations might choose to accept the risk but put in place contingency plans to respond effectively if the risk is realized.
6. Risk Communication: It's important to communicate the results of the risk assessment to relevant stakeholders within the organization. This ensures that everyone is aware of the potential risks and the strategies in place to address them.
7. Ongoing Monitoring and Review: Risk assessment is not a one-time event; it's an ongoing process. Organizations need to continuously monitor their systems for new vulnerabilities and threats, reassess risks periodically, and update their risk mitigation strategies as needed.
   
   

How to assess the risk with SPE model?

From an endpoint secutiry perspective, risk assessment models as well as information security regulations take it very seriously. At the endpoint, there are massive potentials for attack, and this is because of:

• Large amounts of business data can reside on the endpoint (terabytes sometimes).
• Many applications exist on the endpoint. Portable tools further increase the issue.
• Increasingly broader access to the Internet, mainly webmail, social media and P2P.
• Endpoints are more likely to be lost/stolen than servers in the datacenter.
• Wide variety of devices and peripherals can be connected to the endpoint.
• BYOD is an ever-growing concern bringing gray areas of visibility and control.
• End-users are an easy target for phishing and social engineering. Usually #1 issue.
  
  

SPE model: how does it work?

Many models have been developed for risk assessment. An easy yet effective one is the Severity, Probability and Exposure (SPE) model. It works as follows.

Risk = Severity x Probability x Exposure

Severity: Severity is an event’s potential consequences measured in terms of degree of damage, injury, or impact on a mission. Severity can vary from 1 to 5.

Probability: Probability is the likelihood that the potential consequences will occur. Probability can vary from 1 to 5.

Exposure: Exposure is the amount of time, number of occurrences, number of people, and/or amount of equipment involved in an event, expressed in time, proximity, volume, or repetition. Exposure can vary from 1 to 4.

SPE model: assess the risk with drivelock calculator

Curious? You want to assess your own risk?

We have provided you with a tool. Click here for your individual SPE Calculator:

(Excel file)

Need help putting your SPE Score into context and identify sensible measures to reduce risks in certain areas? Our Consulting Team is here for you.