What is Risk Assessment?

Predrag TASEVSKI

The intention of this post is to give readers an introduction to risk assessment. Please bear in mind that the author is conducting research in this field, so in a few months there will be more articles about cyber-risk and related topics. Nevertheless, I hope that what follows will guide you and give you a better understanding of risk assessment.

The Internet has become an essential source of risk for every organization. Despite all the malicious code and alerts, we use it more and more. Risk assessment is therefore a critical part of risk management in every organization that operates IT infrastructure. Traditionally, the focus of risk assessment was on natural hazards; in the past decade, however, it has received much attention in the IT context as well. It has consequently become a primary task in enterprises and is widely considered a key factor in improving an organization’s IT performance.

Alongside risk assessment as a part of risk management, we also have to account for criminality and the unlawful exploitation of the Internet. Accordingly, [1] provides a partial approach that treats cyber-risk as a vital feature of risk assessment. The studies in this area have tended to focus on three different approaches: an economic approach [2, 3, 4, 5, 6, 7, 8], cyber-risk coupled with risk management and insurance [1, 9, 10], and game theory [11, 6, 7]. We define risk as the possibility that a chosen action or activity will lead to organizational loss. Put differently, risk is the likelihood that something wrong and/or bad will happen and cause harm to an organizational information asset, or lead to the complete loss of that asset. Within a risk, a vulnerability is a weakness that could be exploited to jeopardize or cause harm. A threat is anything (artificial or an act of nature) that has the potential to cause harm to organizational information assets [11].

The chance that a threat will exploit a vulnerability to cause damage is what creates a risk for an organization. When a threat does exploit a vulnerability and inflicts damage, the result is an impact. In the context of information security, the impact is a loss of availability, integrity or confidentiality. In cyber security, beyond those information security properties, the additional impacts are non-repudiation, authentication, and the importance and criticality of the information system according to the state's Critical Information Infrastructure / Critical Infrastructure designation. Other losses can occur too, such as loss of income or loss of life. It is very important to point out that it is impossible to find all risks, and equally impossible to eliminate all of them [12].
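As an added illustration of the definitions in the two paragraphs above (this is not code from the post or from any of its references), the following Python risk register scores constructed (asset, threat, vulnerability) entries in two ways: qualitatively, as a likelihood × impact matrix over confidentiality, integrity and availability, and quantitatively, as an annualised loss expectancy, a standard formulation that the post itself does not spell out. The ordinal scale, the band thresholds, every asset value and rating, and the `residual` helper are assumptions made for the example; the helper shows that treating a risk lowers its likelihood but never removes the risk entirely.

```python
# Added illustration, not code from the post. A minimal risk register built on
# the post's definitions: a THREAT exploits a VULNERABILITY in an information
# ASSET and causes an IMPACT on confidentiality, integrity or availability;
# RISK combines the likelihood of that happening with the size of the impact.
# Scales, thresholds and every register entry below are constructed assumptions.
from dataclasses import dataclass, replace

LEVELS = {"low": 1, "medium": 2, "high": 3}   # ordinal scale (assumption)


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str         # "low" | "medium" | "high"
    impact: dict            # {"confidentiality": level, "integrity": level, "availability": level}
    asset_value: float      # monetary value of the asset (quantitative scoring only)
    exposure_factor: float  # fraction of asset value lost in one incident, 0..1
    aro: float              # annualised rate of occurrence, incidents per year


def impact_level(impact):
    """Worst-case impact across C/I/A: losing any one property is a loss."""
    return max(LEVELS[v] for v in impact.values())


def qualitative_score(risk):
    """Likelihood x impact on a 1..9 scale."""
    return LEVELS[risk.likelihood] * impact_level(risk.impact)


def band(score):
    """Map a 1..9 score to a treatment band (thresholds are an assumption)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def annualised_loss_expectancy(risk):
    """Quantitative view: ALE = SLE x ARO, with SLE = asset value x exposure factor."""
    single_loss_expectancy = risk.asset_value * risk.exposure_factor
    return single_loss_expectancy * risk.aro


def residual(risk, likelihood_after):
    """Risk remaining after a control lowers likelihood; the impact is unchanged.
    Likelihood can go no lower than 'low', mirroring the point that not every
    risk can be dropped."""
    if likelihood_after not in LEVELS:
        raise ValueError(f"unknown likelihood level: {likelihood_after}")
    return replace(risk, likelihood=likelihood_after)


def rank(register):
    """Return (asset, threat, score, band, ALE) rows, highest qualitative score first."""
    rows = [
        (r.asset, r.threat, qualitative_score(r), band(qualitative_score(r)),
         annualised_loss_expectancy(r))
        for r in register
    ]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed register entries (not real systems or figures).
REGISTER = [
    Risk("customer database", "external attacker", "unsanitised web form input",
         "high", {"confidentiality": "high", "integrity": "medium", "availability": "low"},
         asset_value=500_000, exposure_factor=0.4, aro=0.5),
    Risk("order web server", "denial-of-service flood", "single upstream link, no rate limiting",
         "medium", {"confidentiality": "low", "integrity": "low", "availability": "medium"},
         asset_value=200_000, exposure_factor=0.1, aro=2.0),
    Risk("office file share", "ransomware delivered by phishing", "unpatched workstations",
         "medium", {"confidentiality": "medium", "integrity": "high", "availability": "high"},
         asset_value=120_000, exposure_factor=0.7, aro=0.2),
    Risk("backup tapes", "flooding of the basement (act of nature)", "no off-site copy",
         "low", {"confidentiality": "low", "integrity": "low", "availability": "high"},
         asset_value=80_000, exposure_factor=1.0, aro=0.05),
]

if __name__ == "__main__":
    for asset, threat, score, level, ale in rank(REGISTER):
        print(f"{level:6} {score}  ALE={ale:>9,.0f}  {asset}: {threat}")
    treated = residual(REGISTER[0], "low")   # e.g. after input validation and patching
    print("residual database risk:", qualitative_score(treated), band(qualitative_score(treated)))
```

The qualitative and quantitative rankings need not agree: the file share scores as "high" on the matrix while its annualised loss expectancy is well below the web server's, which is exactly why the quantitative and qualitative approaches cited in [2] are usually used together rather than one replacing the other.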

In summary, the above has provided readers with the basic concepts and an outline of the approaches to risk assessment. For further reading, we suggest following up on the references below.


[1]: T. Maillart and D. Sornette, “Heavy-tailed distribution of cyber-risks” (2013).

[2]: Artur Rot, “IT Risk Assessment: Quantitative and Qualitative Approach”, WCECS 2008 (2008).

[3]: Yan Bai, Zhong Yao, Hong Li, and Yong-Qiang Zhang, “Risk Assessment for Information Security Based on Fuzzy Membership Matrix”, NCIS 2012 (2012).

[4]: Thomas M. Chen, “Information Security and Risk Management”, Encyclopedia of Multimedia Technology and Networking (2009).

[5]: Fariborz Farahmand, Shamkant B. Navathe, Gunter P. Sharp and Philip H. Enslow, “A Management Perspective on Risk of Security Threats to Information Systems”, Information Technology and Management (2005), 203-225.

[6]: Arben Mullai, “Risk Management System – Risk Assessment Frameworks and Techniques”, DaGoB (2006).

[7]: Norman Ferrier and C. Emdad Haque, “Hazards Risk Assessment Methodology for Emergency Managers: A Standardized Framework for Application”, Natural Hazards 28 (2003).

[8]: Emmanuelle Zambon, Sandro Etalle, Roel J. Wieringa, Pieter Hartel, “Model-based qualitative risk assessment for availability of IT infrastructures” (22 June 2010).

[9]: Fanny Lalonde Levesque, Jude Nsiempba, Jose M. Fernandez, Sonia Chiasson and Anil Somayaji, “A Clinical Study of Risk Factors Related to Malware Infections”, CCS 13 (2013).

[10]: Narayana Santhanam and Venkat Anantharam, “Agnostic insurability of model classes” (2013).

[11]: Paolo Spagnoletti and A. Resca, “The duality of Information Security Management: fighting against predictable and unpredictable threats”, Journal of Information System Security (2008), 46-6.

[12]: Predrag Tasevski, “Interactive Cyber Security Awareness Program”, LAP Lambert Academic Publishing (2012), 22-26.