The Basics of Cyber Security Risk Assessment

View all blog posts under Articles | View all blog posts under MSCS

In a cyber security risk assessment, steps should be done in a designated order.

In a cyber security risk assessment, steps should be done in a designated order.

With the business world turning toward cloud platforms and data analytics solutions, the security of transmitted data (especially private, personal customer/client information) is a priority for most companies. In fact, laws and regulations are being written every day that make cybersecurity compulsory for businesses that deal with sensitive data.

For example, the Ohio State Senate recently passed Bill 273. The new law institutes tighter security measures for individuals and non-government entities that provide insurance coverage.

“All Licensees will be required to develop, implement, and maintain a comprehensive written information security program, based on the Licensee’s internal risk assessment, to safeguard the Licensee’s nonpublic information … [including] health information, financial information, or certain identifiers such as social security or bank account numbers,” explains the law firm Dinsmore & Shohl, LLP in “Ohio Enacts New Cybersecurity Requirements for Insurers” on

With this increased focus, working knowledge of cybersecurity terminology is invaluable to online cybersecurity master’s students. One of the most important of these is the concept of risk assessment. Graduates can expect to either make or respond to such assessments in any field related to cybersecurity.


Cyber Security Risk Assessment by the Numbers

When cybersecurity professionals perform a cybersecurity risk assessment, they should follow steps in a designated order to maximize effectiveness and provide a complete picture of an organization’s security plan. Sage Data Security, a successful cybersecurity company that regularly performs risk assessments, offers a step-by-step procedure in “6 Steps to a Cybersecurity Risk Assessment”:

  • Characterize the System: The answers to preliminary questions can help cybersecurity professionals understand the types of risks they might encounter. What type of system is used? What kind of data is involved? Which vendors are used? Who uses the system? And where does the information flow? Asking these questions up front helps security pros perform their responsibilities more effectively.
  • Identify Threats: The next step is to identify which threats are likely to affect an organization. In’s article, “Cyber Threat Basics, Types of Threats, Intelligence & Best Practices,” social engineering trojans, phishing, unpatched software and advanced persistent threats are common dangers for most businesses. In today’s environment, these threats take advantage of Internet of Things (IoT) exploits and the “data explosion.” They can come from a number of different sources, ranging from disgruntled insiders to hackers, organized crime and even national governments.
  • Determine Inherent Risk and Impact: After threats have been thoroughly explored and researched, risk assessors should determine whether a risk has a high, medium or low impact on the organization’s system and sensitive data. Low-impact events pose little to no threat to a company’s cybersecurity. High-impact threats, however, can cause substantial damage.
  • Analyze the Control Environment: Cybersecurity professionals should, at the very least, identify a system’s threat prevention, mitigation, detection and compensating control protocols, Sage Data writes. expounds on the idea in “Monitoring and Verifying Cybersecurity Controls Effectiveness” on its website. The article advocates including security metrics, penetration testing (ethical hacking) assessments and the completion of internal audits as part of the risk assessment.
  • Determine a Likelihood Rating: Just as with the Determine Inherent Risk and Impact step, this crucial phase of a risk assessment involves analyzing all potential system exploits and assessing the likelihood of them being used against the organization. Degrees of likeliness range from an exploit that a system sufficiently guards against to those used by highly motivated and capable adversaries that know how to bypass all system controls.
  • Calculate Your Risk Rating: A risk rating is also divided into three categories. A low risk rating, according to Sage Data Security, means that the threat level is normal and basic security enhancements should be sufficient to protect the company. An elevated risk rating means that a viable threat to an organization exists and remediation should be implemented to counter that threat. And finally, a severe risk rating means that a severe threat is present and should be countered immediately to avoid a catastrophic security breach.

When the assessment is complete, cybersecurity professionals should maintain a close relationship with the client company. An organization that takes cyber security seriously should run risk assessments on a regular basis.

“Once your risk assessment is complete, best practices include properly communicating the results to all stakeholders,” writes cyber law expert Steven Chabinsky in “Best Practices for Conducting a Cyber Risk Assessment” on “Also, since security is an ongoing and evolving process, companies should maintain and improve the assessment over time consistent with their risk posture.”

A risk assessment is the cybersecurity version of a first impression. Clients often base a decision to move forward with a security contract on the strength of the risk assessment.


University of North Dakota’s Master of Science in Cyber Security Program

Choosing the right online cyber security master’s program is an important decision. The best programs offer courses that keep current with today’s cybersecurity issues and concerns and offer concentrations that will be attractive to employers.

UND’s online cyber security master’s degree program is accredited by the Higher Learning Commission and is ranked in U.S. News & World Report’s Top 25 Most Innovative Schools (2018), alongside such prestigious institutions as Stanford, Harvard and MIT.

UND prepares students for careers in cybersecurity and offers concentrations in Autonomous Systems Cyber Security, Cyber Security and Behavior, Data Security, and General Cyber Security. For more information on UND’s MSCS online program, visit the program’s website.



Ohio Enacts New Cybersecurity Requirements for Insurers –

6 Steps to a Cybersecurity Risk Assessment –

Cyber Threat Basics –

Monitoring Cybersecurity Controls Effectiveness –

Best Practices for Conducting a Cyber Risk Assessment –