Risk analysis takes a systematic approach to identifying and assess risks. In the IT environment, risk analysis deals with risks around IT systems, IT applications, and data. Example risks are loss of data or loss of function.
What is risk analysis in IT?
Risk analysis, or threat and risk assessment, can be used in a wide variety of areas. It identifies and evaluates the possible risks in companies and organizations. In the information technology environment, it deals with methodical and structured procedures to identify and assess dangers and threats to which information processing systems are exposed or which are caused by them.
Within the framework of the analysis, vulnerabilities can be identified that are of technical or human origin. The methodological procedures of risk analysis provide quantitative or qualitative probabilities of failures and hazards. In companies, risk analysis focuses on the potential costs and consequences caused by an IT failure or data loss.
The aim is to develop measures to minimize the probability of their occurrence and reduce the potential impact on the company or organization by identifying the risks and classifying them. For this purpose, separate risk management processes are set up, for which the risk analysis takes an essential part and provides important results.
The phases of risk analysis
In risk analysis, several phases are passed through one after the other. These phases are:
- The identification of risks
- The assessment of the probability of occurrence
- Estimation of consequences and concrete damages
- The aggregation of risks to determine the overall scope.
Once a risk has been identified, the probability of occurrence for the risk is then determined in more detail. The next step is to determine the potential impact and consequences for the company or organization. These impacts can occur, for example, through loss of availability, integrity, authenticity, or confidentiality of data, or through loss of key system functions.
Possible impacts include damage to the company’s reputation, loss of image, costs for repairs, legal disputes, penalties, loss of market share, slumps in sales and profits, a demotivated workforce, or high staff turnover.
The actual risk is the result of multiplying the probability of occurrence by the amount of loss. The final phase can be the determination of the total amount by aggregating several risks.
Differences between qualitative and quantitative risk assessment
When assessing risks, a basic distinction can be made between qualitative and quantitative assessment. Quantitative risk assessment uses a numerical scale for classification. With the help of these numerical values, the actual risk can be determined very easily by multiplying it by the probability of occurrence.
Qualitative assessment rather tries to get an overall impression of a certain risk. The method, therefore, does not use numerical values, but rather subjective classifications such as high, medium, or low.
The risk analysis and the BSI’s IT baseline protection
The IT-Grundschutz of the German Federal Office for Information Security (BSI) does not provide for individual risk analysis. To implement standard security in IT, the measures for the typical risks of IT systems described in the BSI standards and IT basic protection catalogs are usually sufficient.
However, if the IT requires special protection or the risks are not described in the standard documents, BSI Standard 100-3 provides a risk analysis based on IT-Grundschutz.
In this case, the risk analysis follows on seamlessly from the IT-Grundschutz analysis and is aimed at users of information technology such as security officers or security representatives or at external consultants and security experts. In many cases, it is advisable to have the risk analysis performed by external experts. In a supplement to BSI Standard 100-3, the BSI describes how the elementary hazards are to be used in the risk analysis.
The risk analysis within the framework of the BSI’s basic IT protection should be used if there are increased security requirements, applications or systems are operated that are not covered in the basic IT protection catalogs or scenarios are used that are not provided for in the basic IT protection.