Information security risk assessment

Whether it's confidential contracts, videos, or personal information about your customers, your business content needs to flow freely across your organization and out to vendors and clients. While you want information to move quickly, you don't want it to move so easily that it gets in the wrong hands.

Data breaches are an expensive part of modern work. The average data breach costs companies more than $3.9 million. Fortunately, there are tools available, such as Box Shield, to protect your company's confidential content and keep your data secure. 

Performing security risk assessments is also a critical part of keeping your company's content safe from prying eyes. In some instances, an IT security assessment might be required to keep your company in line with standards and stay compliant with applicable regulations.

What is an information security risk assessment?

An information security risk assessment is a process that lets your company evaluate the risks and hazards it faces, such as having a third party gain access to confidential content. The assessment also lets you see how particular threats might evolve and identifies ways to respond to or reduce the likelihood of particular hazards or vulnerabilities. 

Usually, during a risk assessment, your company will identify multiple hazards or areas of concern. The key to the assessment's success is determining which threats are the most pressing. Ranking the hazards allows you to know what to focus on first. 

A risk assessment might be a seasonal process or an audit you conduct annually, depending on the technology you use and how frequently it changes.

Understanding risk

Before you begin a security risk assessment, it's important to understand what risk is, particularly in the context of information or cybersecurity. Risk is the potential for harm or loss that comes from an attack on or breach of your company's data or information and technology systems. One way to define risk is to look at it in the context of assets, vulnerability, and threats. 

Your content is your company's most valuable asset. Vulnerability refers to how exposed those files are to a potential attack, while threats describe the potential harm that can be done to your business's content. The theft of this critical content, such as a confidential product design, is an example of a threat. If you store the top-secret design specs in an unprotected file folder, they are highly vulnerable to theft as well as other threats, meaning the overall risk is relatively high.

Why perform an information security risk assessment?

Performing an information security risk assessment does require time, effort, and money. The time and money that the assessment requires are well worth it, though. Conducting the audit can help you recognize and minimize threats, reducing the potential for financial loss and for the loss of your clients' and customers’ trust. Knowing the benefits of a risk assessment can help you convince executives and stakeholders in your company that it’s essential.

Benefits of an IT risk assessment

A security risk assessment gives your organization the information it needs to make the most appropriate decisions, such as which assets to focus on protecting and how to go about protecting them. Some of the reasons to perform an IT security assessment include:

To save money

Although you will spend money and time performing the assessment, in the long run, the audit itself can help your company save a considerable amount. A single data or security breach could cost your company millions of dollars. There's also the cost of lost business to consider, such as from customers who might be hesitant to work with you following a breach.  

To maintain compliance

A security assessment might be required for your company to remain in compliance with specific standards or regulations. For example, if your company does business in Europe, it needs to comply with the General Data Protection Regulation (GDPR), which spells out the rules for protecting individuals' personal data. Another standard you might need to comply with is ISO 27001, which outlines the requirements for an information security management system.

To increase productivity

Regularly performing risk assessments can make your team more productive in a couple of ways. First, the assessments take the pressure off of your team by allowing for frictionless security and protection. When you know exactly what needs protecting and the type of protection it requires, you can set up controls that automate the security process. An assessment also increases productivity by keeping you from focusing on less critical security measures or less risky concerns. You can determine what areas are the most vulnerable or where the threats are most significant and decide what to do about them.

To improve communication

An information security risk assessment can improve communication across and between departments at your organization. Part of the assessment involves identifying assets, vulnerabilities, and potential threats. All relevant departments will need to work together to identify items in those three categories. The risk assessment can also serve as an educational opportunity across your organization. It allows people to see the value and need for information and cybersecurity and gives them the tools and knowledge necessary to keep themselves and the company's content safe.

Gain peace of mind

A company's executive team and relevant stakeholders can sleep better at night knowing that they have done what is necessary to keep information safe and secure. Knowing that there is a process in place to help protect your company's most critical and confidential data can give you invaluable peace of mind. 

What is the information security risk assessment process?

Once you understand the benefits of an IT risk assessment, it's time to roll up your sleeves and start the process. When it comes to information security risk assessment methodology, you have two options. You can perform a qualitative assessment or a quantitative assessment. Here's what each type of assessment looks like:


A qualitative approach to IT risk assessment focuses on specific examples and uses scenarios to get an idea of the vulnerabilities and threats present — and is generally more subjective than a quantitative approach.


If you use a quantitative methodology during your assessment, you will likely assign numbers or values to vulnerabilities, threats, and assets, also looking at the numbers in terms of time and cost. For example, you might ask how much a data breach would cost your company or how long it would take to get your content back under control.

In many cases, using a combination of the two methodologies is the way to go. The numbers and data you gain from a quantitative approach can give you the cold, hard facts but won't necessarily help you understand what to do with the information. The insight you gain from a qualitative approach to risk assessment can help you figure out how to respond to a breach and the type of training that your staff might need to minimize the risk of a breach in the future.

Whether you use a qualitative method, a quantitative method, or a combination of both, here are the steps to follow during the assessment process.

1. Identify your company's assets

Step one is to identify your organization's assets and content. The assets your company has can vary from organization to organization or even from department to department. For example, your sales team might have assets such as a customer relationship management (CRM) program. Your marketing team might have videos and storylines they want to protect, and your human resources department might have employment contracts and other private employee information, such as contact information and Social Security numbers.

Part of identifying your company's assets or content is sorting that content into categories based on its type and its access level. Marketing videos might fall into the public category, for example — your company created them with the goal and intention of sharing them with the public. If a completed video gets leaked just before it has been officially released, it might harm a marketing strategy, but ultimately, the consequences for your company aren't likely to be significant in the long run.

However, storylines for ideas that aren't fully developed likely wouldn't fall into the public category. Instead, they might belong to the internal category. This means anyone from your organization can access them. They could even fall into the confidential category, meaning they are meant for the eyes of the marketing team only. 

Restricted content can include contracts and employee information. The assets are only meant to be seen by authorized individuals. If the information in restricted content gets out through a breach, the company could face legal or financial consequences. 

2. Detect vulnerabilities

Once you've identified and sorted your company's assets, the next step is to determine any vulnerabilities those assets face. A vulnerability is a weakness in your existing system. Examples of vulnerabilities include:

  • Data that isn't encrypted
  • Files that aren't password protected
  • Out-of-date software programs
  • Weak employee passwords
  • Employee accounts that remain active after a person has left or been terminated from the company
  • Encryption programs that aren't verified or tested

Vulnerabilities can also lie outside of the IT or software programs your company uses. For example, if you don't train people on the best practices for protecting data, there is the chance that they will inadvertently contribute to a leak or breach. An employee might leave a file open on a computer after stepping away, for example, or log onto the company's content management system when connected to an unsecured Wi-Fi network. 

3. Identify threats

Vulnerabilities on their own might not be much of a problem. If an employee leaves a confidential contract open on their desktop and no one comes by to access it or read it while the employee is away from their desk, there isn't an issue. The same is true of unencrypted data. If there isn't anyone to intercept the data, there is relatively little cause for concern.

A threat is something that can exploit or take advantage of a vulnerability, leading to harm to your company's content. If you don't encrypt your data and it travels across a network, a hacker can intercept it, using the data for nefarious purposes. If an employee leaves a contract open on their desktop and someone from another company happens to pass by and see it, they can take a photo or print out the contract, getting access to private information. 

Threats don't always have to be malicious. They can also be accidental. For example, if an employee is creating a storyboard for an advertisement but doesn't save it as they go, there is the chance that the content will get lost if the power gets cut or the computer crashes. An employee might also inadvertently fall for a phishing attack, revealing confidential information, or accidentally install malware on a device. 

4. Identify consequences

A key part of a security risk assessment is determining what will happen if a threat succeeds in exploiting a vulnerability. If an employee leaves their personal email open on their desktop, and another employee happens to read it, the first employee might feel some embarrassment. The overall threat, however, is relatively harmless, so the consequences aren't severe.

But if an employee emails an unencrypted document listing the company's upcoming, top-secret product launches to a colleague and someone intercepts the email, the consequences of the breach might be more serious. An unscrupulous competitor could get access to the document and might rush similar products to market before the company releases its own. 

Additionally, if customer information isn't stored in a secure location or remains unencrypted, a hacker can access it, sell it, and cause lasting harm to the customers who had their information stolen and to the company itself. This can also lead to a loss of customer confidence in the company.

5. Determine the likelihood

Another essential part of a security risk assessment is determining how likely certain threats are to occur. Some are longshots, while others are highly probable. After identifying various threats, create a ranking system to establish their likelihood. For example, if the data you share across a network remains unencrypted, the likelihood of someone intercepting it is high. In contrast, the likelihood of a competitor breaking into one of your company's offices and stealing information off of a desktop is most likely pretty low. 

You can use a numeric system, such as 1 to 5, to rank likelihood — or use words like "high," "medium," or "low." Ranking threats by likelihood lets you decide where to focus your efforts after you finish the assessment.

6. Order or prioritize IT risks

Your risk assessment should order the vulnerabilities and threats that could occur. Risk priority can be associated with likelihood but doesn't have to be. A threat that's likely to occur might not be particularly critical. An unlikely threat might be critical, though. You'll want to strike a balance between the two. A particularly critical threat, such as a hacker stealing your customer information or a competitor gaining access to your next big idea, might also be highly probable and worth your attention.

The factors to pay attention to when prioritizing IT risks include:

  • Likelihood
  • Consequences
  • Vulnerability
  • Threat
  • Cost

For example, one threat might be a risk of flooding, which could damage your company's servers and require them to be replaced. If your servers are on a high floor in the building, however, they aren't likely to be damaged by flood water even if you are located in a flood-prone area. Protecting your content from a flood would then be a low priority.

7. Assess and implement controls

Once you've identified vulnerabilities, threats, likelihood, and consequences, the next step is to determine what you'll do about them. What efforts will you make to control the situation and reduce risk?

Your controls can take multiple forms. You might establish ways to minimize vulnerabilities, or you might seek out ways to eliminate threats. If a vulnerability is poorly trained employees or employees who don't know how to create strong passwords, a potential control could be a security training program — or issuing instructions for creating stronger passwords. If outdated software is a vulnerability, creating an update schedule can eliminate it.

In the case of a threat, the control's goal might be to either eliminate the threat or reduce the damage it could cause. For example, you might implement a control that detects when a third party is trying to break into your system. Detecting a hacker in the early stages allows you to take swift action, preventing them from accessing sensitive information. 

Configuring all of the desktops in your office building to lock their screens after a short period of inactivity can keep unauthorized people from viewing restricted content if someone has to step away from their desk suddenly. Automatically logging remote users off after a period of inactivity is another way to reduce the threat of unauthorized access.

8. Publish results

The last step in the risk assessment process is publishing the results of the assessment and taking action. Your company will then have to decide who can view the results. Most likely, executives and other decision-makers will want to review the assessment to see what's at stake and understand what actions they need to take. The results can also help IT push for organization-wide changes, such as using a more secure content management system or offering stronger employee training.
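The eight steps above can be turned into a small risk register. The following is an added example, not code from the article or from Box: it classifies each asset using the article's four access categories, records the vulnerability and threat, accepts the 1-to-5 or high/medium/low ratings for likelihood and consequence, and ranks the results. The scoring rule (likelihood times consequence, with a consequence floor set by the classification and ties broken by cheaper controls) is an assumption of this example, not a method the article prescribes, and the register entries are constructed from the scenarios the article discusses.

```python
from dataclasses import dataclass
from typing import List, Union

# Step 1: the article's four access categories. The weights are assumed
# minimums for the consequence rating: a leaked restricted contract can
# never be scored as harmless, whatever the asset owner types in.
CLASSIFICATION_FLOOR = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}

# Step 5: word ratings are accepted alongside the numeric 1-5 scale.
WORD_LEVELS = {"low": 1, "medium": 3, "high": 5}


def to_level(value: Union[int, str]) -> int:
    """Normalise a rating to an integer in 1..5; anything else is rejected."""
    if isinstance(value, str):
        value = WORD_LEVELS[value.lower()]
    if not 1 <= int(value) <= 5:
        raise ValueError(f"rating out of range: {value!r}")
    return int(value)


@dataclass
class Risk:
    asset: str
    classification: str            # public | internal | confidential | restricted
    vulnerability: str             # step 2
    threat: str                    # step 3
    consequence: Union[int, str]   # step 4
    likelihood: Union[int, str]    # step 5
    control_cost: Union[int, str] = 3  # the "cost" factor of step 6, 1 = cheap

    def score(self) -> int:
        # Assumed formula: likelihood x consequence, with the consequence
        # never rated below what the data classification implies.
        floor = CLASSIFICATION_FLOOR[self.classification]
        return to_level(self.likelihood) * max(to_level(self.consequence), floor)


def prioritize(register: List[Risk]) -> List[Risk]:
    """Step 6: highest score first; equal scores favour the cheaper control."""
    return sorted(register, key=lambda r: (-r.score(), to_level(r.control_cost), r.asset))


# Constructed sample register built from the scenarios in the article.
SAMPLE_REGISTER = [
    Risk("customer records", "restricted", "data not encrypted in transit",
         "interception on the network", consequence="high", likelihood="high", control_cost=2),
    Risk("product design specs", "confidential", "unprotected shared folder",
         "competitor breaks into the office", consequence=5, likelihood="low", control_cost=4),
    Risk("server room", "internal", "servers on a high floor, flood-prone area",
         "flooding", consequence=4, likelihood=1, control_cost=5),
    Risk("employee's personal email", "public", "left open on an unattended desktop",
         "colleague reads it", consequence=1, likelihood="medium", control_cost=1),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score():2d}  {r.asset:28s} {r.threat}")
```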

Box Consulting assesses your data protection needs

Box Consulting can provide expert guidance, industry insight, and a tailored roadmap for your organization’s information security. The complimentary data protection assessment Box Consulting conducts starts with a survey detailing your specific security needs. Box Consulting security experts then combine your needs with Box's best practices. A meeting with Box Consulting provides a full readout and roadmap to meet your security goals.

Box Shield helps protect your information and keep your company in compliance

At the end of your information security risk assessment, you should have a better understanding of where your company's content is vulnerable and what threats your business information faces. Having that information gives you the power to take action to protect your sensitive documents, contracts, videos, and other files while keeping your business processes streamlined and operating smoothly.

Box Shield builds on the Content Cloud platform, reducing your company's risk and protecting your content without interfering with your workflow or creating any friction that slows down your company. With our platform, you can classify your content, set up controls that prevent data leaks, and stay up to date on threats and potential attacks. To learn more about how Box Shield can protect your content without disrupting your business, take a look at this research paper from IDC and check out our datasheet.

Box Shield is one of several Box products bundled in our Enterprise Suites. To learn more about our platform and see why 67% of Fortune 500 companies choose Box, get in touch with us today.

Explore how Box Shield protects your valuable information

**While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blog post is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.