Risk Analysis Template and Step-by-Step Guide (Free Example)

By Joanna Kwong | Cyber Security | 9 May

In this blog post, we discuss what risk analysis is, why it is relevant for your organisation, and provide you with a quick start guide on how to get started with our free risk analysis template.

A risk analysis is a useful tool for any organisation that wants to anticipate incidents and plan how to mitigate potential risks. It involves identifying and analysing potential events that may negatively affect individuals, assets, or the organisation. A risk analysis can help us make judgements about our tolerance for certain risks so that we can better anticipate them. And most importantly, it makes it possible for us to prioritise our security activities.

At CyberPilot, we use this IT risk assessment template to help organisations do a risk analysis for information security. It is free and you can download it here:


A cyber security risk assessment can benefit your organisation with the following:

  • Identifies vulnerabilities

  • Provides a good overview

  • Determines better processes and requirements, which improves planning

  • Documents due diligence

It can also help you understand the probability of theoretical risks happening in real life.

That way, you can better understand how to allocate resources to prevent them. We will give you two examples below.

Risk analysis example 1:

A tornado hits your company headquarters and damages all the IT equipment.

While this is certainly a risk that could happen and have a big negative impact, it is unlikely to happen if your area has no history of experiencing tornados. Therefore, your efforts could be better spent thinking of solutions for other risks.

Consequence: HIGH

Likelihood: LOW

Risk analysis example 2:

A staff member travels with company IT equipment and it gets damaged on the baggage carousel.

While losing the IT equipment of one staff member is not catastrophic for the company, it is more likely to happen if staff travel regularly. And the consequence of losing that equipment may be more than the cost of the laptop, smartphone etc.: it could also lead to data loss or a breach of personal data.

Consequence: MEDIUM

Likelihood: MEDIUM

We would suggest spending some time on mitigating this risk.

Ultimately, a security risk assessment can help you weather any storm, or at least be better prepared for it.

Risk analysis for information security

For an information security risk assessment, we can start by looking at potential events that can negatively affect your organisation. Some examples include:

  • The website crashing

  • IT equipment being damaged

  • GDPR violation and fines

  • Loss of intellectual property


You can ask yourself:

  • What do those events mean for my company?

  • What resources and assets would I lose in the event?

  • What resources and assets would I lose when trying to fix the problems?

  • What would we do if any of those events happened right now?

In the next section, we will discuss how to create your own risk analysis, using our free risk analysis template as an example.

How to create a risk analysis

You can download our template here and follow along.

screen shot of the risk analysis template

A snippet from our risk analysis template 

Step 1: Create a scale for the risk assessment matrix

First, we determine the scales that we use for our security risk assessment. In our template, you can access the scale in the first tab.

screen shot of an excel table used to create a scale for the risk analysis matrix

In the risk analysis template, we categorise the risk levels as low, medium, or high. One way of thinking of risk level is how severe the consequences can be for your organisation. Below, we define what each risk level could mean in terms of IT systems.

Low risk 

  • The system is easily recoverable

  • The system provides a non-critical service

Medium risk

  • The system provides a normal service

High risk

  • The system provides a critical service for the entire organisation

You can also take this opportunity to discuss within your organisation how many resources you would have to use to fix these issues if they were to occur. Our IT risk assessment template gives you the opportunity to fill in the time and monetary consequences, so you can consider the full impact of different IT security risks.

As the risks and consequences differ from organisation to organisation, we highly recommend adapting this section according to your needs. For example, if you are part of a company whose revenue comes solely from the online shop on the website, then the website crashing is considered a much higher risk. In contrast, if your website serves just as a landing page without much functionality or effect on your day-to-day operations, then the website crashing is a lower risk because the consequences are lower.

chart of risk probability and impact from a risk analysis

Step 2 - Start by listing your assets:

Fill in the security risk assessment

To complete the risk analysis, our template has different columns to fill in:

  • Asset

  • Short description

  • Department

  • Threat

  • Vulnerability

  • Performed actions

  • Consequence

  • Probability

  • Suggestions for increased security

Below, we’ll describe each of these categories with examples.

Asset

When we talk about assets in this context, we mostly mean assets related to your organisation’s IT. This can include hardware, such as laptops and mobile devices that your staff use. Additionally, it can include the IT services provided by your organisation, such as internal communication systems (e.g., Microsoft Teams or Slack) or customer-facing services like the company webpage. Other than IT assets, we include staff as an asset, as employees have a lot of influence over the state of your information security. Employees can be one of our biggest defences when it comes to security, which is why it’s so important that they are aware of security risks. We discuss this in our e-book if you want to read more.


Finally, if you already keep an IT asset inventory, it is very easy to use that document as a reference. You don’t have to list all of your company’s assets, but you can choose the most important or commonly used ones to start with.

Short description

Although self-explanatory, this column can be very useful for defining what you mean when you list different assets. For example, when we list staff as an asset, we can define it as both full-time and part-time employees. You can also define who is not included, for example, consultants, who act as external advisors to the organisation but are not officially part of the organisation.

Department

Defining which department is responsible for each asset is advantageous because it prepares the company to respond when an issue must be fixed. Maybe instead of an entire department, it’s the Data Protection Officer who is responsible. Laying out responsibility is useful for a few reasons. First, it can give you a better understanding or a refresher of each department or subdepartment’s responsibilities. Second, clearly defined responsibilities can help the organisation react faster when there is a security risk.

However, we don’t recommend spending too much time on this column, as responsibilities can easily overlap between departments and change over time. We recommend getting a general understanding and being flexible when it’s time to fix the issue.


Step 3 - List threats and vulnerabilities

Threat 

A threat describes any potential damage to an asset, which could affect the organisation. If there have been any security breaches or incidents in the past, you can list them in this column. For example, ransomware and malware or unauthorised access to confidential data could be considered threats.

For instance, the threat of ransomware is present when staff are browsing websites for their work. They may unsuspectingly stumble upon a fake website and accidentally install ransomware, which locks access to the organisation’s files and their computer until they pay the cybercriminals. Next, we discuss vulnerabilities that coincide with these threats.

Vulnerability 

Vulnerabilities can be described as the reasons that threats occur. When it comes to the ransomware example, the vulnerability might be that staff unsuspectingly stumble upon a fake website and accidentally install ransomware. When it comes to the unauthorised access to confidential data example, the vulnerability could be that somebody forgot to close their browsing windows during a video call and accidentally showed a customer their internal communications. Or it could be that somebody accidentally sent an email containing personal data to the wrong recipient.

The purpose of this section is not to place blame, but rather to think of potential security risks and the reasons why they might occur. By understanding how the threats occur, we can:

a) Understand how big the threat is

b) Predict the probability of the threat happening

c) Think of ways to proactively avoid threats

Understanding and avoiding threats like these is also a good way to make sure you stay GDPR compliant.

Performed actions 

In this section, you write whether you have already done anything to mitigate these risks. For example, if you have experienced losing important files before and now use cloud storage for back-up, that is an example of a performed action. If you use awareness training or phishing simulations to keep IT security top of mind for your employees, you could also list these activities here.

Step 4 - Evaluate risks

Consequence

After writing about the threats, you can better assess how big the consequences would be if they were to occur. This is obviously a subjective assessment, but it should be discussed with colleagues. Often, you will find that your colleagues have different perspectives on the consequences. Perhaps the marketing department will put a ‘HIGH’ consequence on something happening to the company website, since that can affect sales. But the IT department would not see it in the same way, as it would not affect the day-to-day operation of the company. That’s why it is important to get a lot of different perspectives when you evaluate the consequences.

Probability

Not all risks are created equal. Some could probably happen a few times a month, while some may only happen once every few years. By assessing the probability of threats, you can understand how to prioritise them, and perhaps leave out the ones that you can’t realistically tackle.

Suggestions for increased security

After filling in the previous sections, you will have gained a better understanding of each asset and the risks associated with them. In this section, you can use your answers from the previous sections to write down suggestions for increased security.
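As an added illustration of Steps 1 to 4 (this is not CyberPilot's template or code from the original post), the Python sketch below encodes the template's columns and its low/medium/high scales as a small risk register, then ranks the entries and flags rated risks with no performed actions. The numeric score (consequence level times probability level) and the cut-offs that map it back to three levels are assumptions for the example; the sample entries are constructed from the two examples at the top of the post.

```python
from dataclasses import dataclass
from typing import List

# Ordinal scale from the template: low / medium / high, used for both
# consequence and probability (Step 1).
LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


@dataclass
class Risk:
    """One row of the register, mirroring the template's columns (Step 2)."""
    asset: str
    threat: str
    vulnerability: str
    consequence: str            # LOW / MEDIUM / HIGH
    probability: str            # LOW / MEDIUM / HIGH
    department: str = ""
    performed_actions: str = ""
    suggestions: str = ""

    def score(self) -> int:
        # Assumed scoring: consequence level x probability level, 1..9.
        return LEVELS[self.consequence.upper()] * LEVELS[self.probability.upper()]

    def rating(self) -> str:
        # Assumed cut-offs that collapse the 1..9 score back to three levels.
        s = self.score()
        return "HIGH" if s >= 6 else "MEDIUM" if s >= 4 else "LOW"


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by consequence so a severe but rare
    risk stays above a frequent but trivial one."""
    return sorted(register, key=lambda r: (r.score(), LEVELS[r.consequence.upper()]), reverse=True)


def needs_mitigation(risk: Risk) -> bool:
    """Flag MEDIUM/HIGH rated risks where the 'performed actions' column is empty."""
    return risk.rating() != "LOW" and not risk.performed_actions.strip()


# Constructed sample register based on the examples in the post.
REGISTER = [
    Risk("Headquarters IT equipment", "Tornado", "No off-site hardware", "HIGH", "LOW", department="IT"),
    Risk("Staff laptops", "Damage in transit", "Equipment travels in checked baggage", "MEDIUM", "MEDIUM",
         department="All", suggestions="Carry-on only, disk encryption, cloud back-up"),
    Risk("Company website", "Website crash", "Single hosting provider", "LOW", "MEDIUM",
         department="Marketing", performed_actions="Uptime monitoring"),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        flag = "  <- no performed actions recorded" if needs_mitigation(r) else ""
        print(f"{r.rating():6} ({r.score()}) {r.asset}: {r.threat}{flag}")
```

Under these assumed cut-offs the baggage example ranks above the tornado example, matching the post's advice to spend time on the former.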

Your security risk assessment is complete!

When every section is filled in with the assets and the threats you can think of, you will have a better overview of the risks to your IT security. From the risk analysis, you will be able to see which threats are more likely to happen and the consequences if they occur. Of course, you can keep this document handy and update it regularly. It can even be a document you consistently refer to, like your IT Security Policy and Acceptable Use Policy.

We hope that this blog has helped you understand what a security risk assessment is and how to do one yourself. As a matter of fact, we use this risk analysis template to help many organisations who want to have a better understanding of the security risks to their IT assets. If you would like to get some help with putting together your risk analysis, we are happy to have a talk about it. Download our template here and you can contact us at info@cyberpilot.io.