
NIST Releases Guide for Conducting Risk Assessments

The National Institute of Standards and Technology (NIST) has released the Guide for Conducting Risk Assessments (NIST Special Publication 800-30, Revision 1).

As threats to cyber systems grow more complex, risk assessments help organizations determine appropriate responses to mitigate the risks they face, guide investment decisions, and maintain ongoing situational awareness of the state of their systems.

Overall guidance for risk assessment for information security can be found in Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39).



  1. The NIST guidelines for risk management are based on the ISO 31000 risk management standards, which borrowed heavily from the AS/NZS 4360 risk management standards that preceded them by a decade. All of these standards follow a common approach for assessing inherent (uncontrolled) risk. The most common risk assessment model is to use a 5 x 5 risk matrix, with one axis for the different levels of Likelihood and the other axis for different levels of Consequences (called Impact by the NIST guidelines). Where the columns and rows intersect in the risk matrix (see Table G-5) determines the inherent risk score, which falls into one of several severity bands (very high, high, moderate, low, very low in the example). Therefore an Impact of Very High and a Likelihood of Moderate in this model would result in an inherent risk score falling into the High severity band. These are subjective descriptions, but if you also assign numeric scores to the columns and rows of the risk matrix and calculate the result using multiplication, then an inherent risk score of 15 would be the result of C5 x L3, and a score of 15 would fall within the numeric score range defined for the High severity band. This is great for calculating the inherent risk score, and where we have a single control the residual risk score could be similarly calculated by identifying how the control impacts either the Likelihood or the Impact. Say the control moves the likelihood from Moderate down to Low; the residual risk score would now be 10 (C5 x L2), which falls within the Moderate score band.
    Unfortunately, while all of the standards discuss the concept of residual risk, none of them clearly explain how you actually arrive at a residual risk score when more than one control is implemented. 
    An advantage of calculating the inherent and residual risk scores numerically is that you can easily calculate a numeric value for each control by subtracting the inherent risk score from the residual risk score for each control in isolation, and then subtract the sum of multiple controls from the numeric score of the inherent risk. This approach also means that the residual risk score (where multiple controls are applied) can actually exceed the lowest numeric value possible within the risk matrix; in other words, you can have a negative value for the residual risk. This could mean that you have raised more controls than are absolutely necessary, but that is OK provided it is deliberate and you can justify the cost and effort of some over-controlling. Another advantage of numerically scoring each control is to highlight any controls that don't have any effect on either the likelihood or the impact. This simply means that they are not really controls at all.

  2. Ian:
    I can't quite follow your logic.  What are the scales for the various ranges?  Also using what you have said and creating the matrix I found some inconsistencies (if I am understanding what you are saying correctly).  See below.  Can you help me understand?  Thanks.

    Threat Likelihood \ Impact   Very Low (1)   Low (2)        Moderate (3)   High (4)        Very High (5)
    Very High (5)                Low (5)        Moderate (10)  High (15)      Very High (20)  Very High (25)
    High (4)                     Low (4)        Moderate (8)   High (12)      High (16)       Very High (20)
    Moderate (3)                 Very Low (3)   Low (6)        Moderate (9)   Moderate (12)   High (15)
    Low (2)                      Very Low (2)   Low (4)        Low (6)        Low (8)         Moderate (10)
    Very Low (1)                 Very Low (1)   Very Low (2)   Very Low (3)   Low (4)         Low (5)
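The arithmetic the two comments above are working through, as an added worked example (not code from this post, from either commenter, or from NIST SP 800-30). It assumes score-to-band thresholds chosen only to match the two data points in the first comment (C5 x L3 = 15 is High, C5 x L2 = 10 is Moderate), and assumes a control is modelled as shifting either Likelihood or Impact down by a whole number of levels. It implements the first comment's "subtract each control's isolated value" method for residual risk alongside a joint calculation, and it takes the matrix posted in the second comment as sample input to check the property any multiplicative matrix must have: L x C is symmetric, so two cells with the same score must carry the same band.

```python
"""Numeric 5x5 risk matrix arithmetic. Added example; thresholds and the
control model are assumptions, not taken from NIST SP 800-30 Table G-5."""

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
SCORE = {name: i + 1 for i, name in enumerate(LEVELS)}   # Very Low = 1 ... Very High = 5

# Assumed thresholds (inclusive upper bound per band); chosen so 10 -> Moderate, 15 -> High.
BANDS = [(3, "Very Low"), (6, "Low"), (10, "Moderate"), (16, "High"), (25, "Very High")]


def band(score):
    """Map a numeric score to a severity band; scores below 1 fall off the matrix."""
    if score < 1:
        return "Over-controlled"
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score {score} is outside a 5x5 matrix")


def inherent_score(likelihood, impact):
    """Uncontrolled risk: Likelihood x Impact on the 1..5 scales."""
    return SCORE[likelihood] * SCORE[impact]


def shift(level, steps):
    """Move a level down by `steps`, clamped at Very Low."""
    return LEVELS[max(0, SCORE[level] - 1 - steps)]


def control_value(likelihood, impact, control):
    """Score reduction one control delivers in isolation. control = (axis, steps)."""
    axis, steps = control
    if axis == "likelihood":
        reduced = inherent_score(shift(likelihood, steps), impact)
    elif axis == "impact":
        reduced = inherent_score(likelihood, shift(impact, steps))
    else:
        raise ValueError(f"unknown axis {axis!r}")
    return inherent_score(likelihood, impact) - reduced


def residual_by_subtraction(likelihood, impact, controls):
    """First comment's method: inherent minus the sum of each control's isolated value.
    Overlapping controls are double-counted, so the result can go negative.
    Returns (residual score, controls whose value is zero)."""
    inherent = inherent_score(likelihood, impact)
    values = [control_value(likelihood, impact, c) for c in controls]
    ineffective = [c for c, v in zip(controls, values) if v == 0]
    return inherent - sum(values), ineffective


def residual_joint(likelihood, impact, controls):
    """Apply every shift first, then multiply: reductions interact, result never < 1."""
    lik, imp = likelihood, impact
    for axis, steps in controls:
        if axis == "likelihood":
            lik = shift(lik, steps)
        else:
            imp = shift(imp, steps)
    return inherent_score(lik, imp)


def band_conflicts(table):
    """table maps (likelihood, impact) -> band. Because L x C is symmetric, cells with
    the same score must agree; return {score: set of bands} where they do not."""
    seen = {}
    for (lik, imp), name in table.items():
        seen.setdefault(inherent_score(lik, imp), set()).add(name)
    return {s: names for s, names in seen.items() if len(names) > 1}


# Sample input: the matrix posted in the second comment (rows = likelihood, columns = impact).
_ROWS = {
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "High", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}
POSTED_TABLE = {(lik, imp): b for lik, cells in _ROWS.items() for imp, b in zip(LEVELS, cells)}


if __name__ == "__main__":
    # The first comment's worked case: C5 x L3 = 15 (High), one control takes L to Low.
    print(inherent_score("Moderate", "Very High"), band(15))
    print(residual_by_subtraction("Moderate", "Very High", [("likelihood", 1)]))
    # Three overlapping controls on a Very High / Very High risk: subtraction goes negative.
    heavy = [("likelihood", 4), ("impact", 4), ("likelihood", 4), ("impact", 0)]
    print(residual_by_subtraction("Very High", "Very High", heavy),
          residual_joint("Very High", "Very High", heavy))
    print(band_conflicts(POSTED_TABLE))
```

Run against the posted matrix, the check reports scores 8 and 12 as carrying two different bands (High x Low is Moderate while Low x High is Low; High x Moderate is High while Moderate x High is Moderate), which is the asymmetry the second comment noticed. The subtraction method reproduces the 15 to 10 example from the first comment, goes negative once controls overlap, and reports the zero-step control as having no value; the joint calculation of the same case bottoms out at 1.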


