Describe The Steps To Conduct A Risk Assessment To Achieve

August 24, 2022

Describe The Steps To Conduct A Risk Assessment To Achieve The Goals For Information Security

Case Assignment
There are various methods of conducting a risk assessment. Any method used is likely to include, in some shape or form, hazards, vulnerabilities and impacts. Once completed, the risk assessment can be used to develop strategies to prepare for, respond to, recover from, and mitigate cyber threats.

For this case, answer the following:

Describe the steps to conduct a risk assessment to achieve the goals for information security (availability, integrity, confidentiality, accountability, and assurance).

Assignment Expectations
Assignments should be 3-5 full pages, double-spaced, not counting the cover or reference page. Paper format: (a) Cover page, (b) Header, (c) Body. Submit your assignment by the last day of this module. Provide quotations to support your responses.

Relevance—All content is connected to the question.
Precision—Specific question is addressed. Statements, facts, and statistics are specific and accurate.
Depth of discussion—Present and integrate points that lead to deeper issues.
Breadth—Multiple perspectives and references, multiple issues/factors considered.
Evidence—Points are well-supported with facts, statistics and references.
Logic—Presented discussion makes sense; conclusions are logically supported by premises, statements, or factual information.
Clarity—Writing is concise, understandable, and contains sufficient detail or examples.
Objectivity—Avoids use of first person and subjective bias.
References—Sources are listed at the end of the paper.
Use strong, credible sources (peer-reviewed references, government documents, and subject matter expert materials) to support your answer. Your paper will not exceed 5 pages (excluding cover sheet and reference page(s)).


Boot, Max (2015, July 12). What is the greatest threat to U.S. national security? Commentary. Retrieved from

Causey, B. (2013, January), How to conduct an effective IT security risk assessment. Retrieved from

Hartwig, R. P. (2014). Cyber risks: The growing threat. Insurance Information Institute. Retrieved from

Howard, T., & Cruz, J. (2017). A cyber vulnerability assessment of the U.S. Navy in the 21st Century. Retrieved from

Romanosky, S., Ablon, L., & Kuehn, A. (2017). A content analysis of cyber insurance policies. RAND. Retrieved from

Describe The Steps To Conduct A Risk Assessment To Achieve The Goals For Information Security (Availability, Integrity, Confidentiality, Accountability, And Assurance)
Risk is the probability that an uncertain event occurs during the implementation and evaluation of a project. Pinto (2012) notes that such an event can produce either a negative or a positive outcome, whereas risk was once assumed to lead only to negative consequences. In this regard, a risk can be either an opportunity or a threat to an organization. Risk management is the organizational capacity to address the potential problems a project could encounter in the course of its implementation (Federal Emergency Management Agency (FEMA), n.d.). It relies on a defined framework to deal with the opportunity or threat brought by the uncertain event (Pinto, 2012): the problem is identified and analyzed, and the capacity to respond is established before the problem occurs, or a way of dealing with it once it does is prepared.
The difference between a project's success and failure often comes down to its ability to institute a capable risk management program aligned with the project's objectives. Information security is a dynamic field in constant development and, as such, one in which new risks arise continually (Hartwig, 2014). Data breaches across the US corporate sector have become commonplace; it is no longer a matter of whether they will occur but when (Romanosky, Ablon, and Kuehn, 2017). Risk assessment allows an organization to establish acceptable risk levels and to outline control measures accordingly (Metivier, 2017). It is therefore an essential provision in information security: it supports the monitoring of assets and supplies the parameters and minimum security requirements needed to conduct risk management. In this context the goals named in the question (availability, integrity, confidentiality, accountability, and assurance) are the dimensions along which the impact of each identified risk is judged.
The United States Navy, as an institution, can be reviewed for information security risk assessment. Howard and Cruz (2017) identify that the Navy operates a wide range of cybersecurity technical controls to counter threats, including DMZs, firewalls, and vulnerability scanning, which makes it a useful organization for evaluating risk assessment strategies. First, a clear policy needs to be implemented and understood by the workforce. More importantly, the researchers note that "organizational culture centers around the acceptance of the policy throughout the workforce, management's support of the policy, and security awareness by all personnel" (Howard and Cruz, 2017). In the case of the US Navy, information security policies are created to identify threats and vulnerabilities. The US Navy has developed a standardized model of risk assessment that provides a holistic framework for information security risk assessment. Howard and Cruz (2017) identify access control and monitoring as two must-have technical security controls, established from previously documented risk assessment results and from the evaluation of insider and external threats.
Having established the need for risk management, the process below describes the steps of risk management using the risk management framework the US Navy adopted in 2012. The framework is well regarded because of the complexity of the Navy's information security systems and its better-than-average management of IT security. As applied by the Navy, the NIST Risk Management Framework (RMF) follows a well-established six-step process:
1. Categorize the system: the system and the information it handles are assigned an impact level according to how critical their confidentiality, integrity, and availability are to the organization; the higher the category, the stronger the set of cybersecurity controls that must be instituted.
2. Select appropriate security controls: a control set matching the categorization is chosen relative to the function in place, and the program must ensure that implementing the controls does not impair the system's functionality.
3. Implement controls: implementation accounts for the ever-growing threat from both insider and external sources, together with the risk and technical factors involved.
4. Assess their effectiveness: the implemented controls are tested to confirm that they are in place and operating as intended.
5. Authorize the system to operate: on the basis of the assessment results, an authorizing official decides whether the remaining risk is acceptable before the system goes into operation.
6. Monitor their use for process improvement: here documentation is emphasized. Knowledge about each risk is recorded, and the process of solving the identified problems is annotated and stored for future projects.
The steps above, while complex, map onto the risk management triad of risk assessment, risk mitigation, and evaluation and assessment, which Causey (2013) states must be paramount in any risk management framework. Metivier (2017) outlines four stages in risk management:
1. Risk identification and assessment— where all possible risks are defined.
2. Analysis of probability and consequences— potential impacts of risks are identified.
3. Risk mitigation strategies— precautionary steps are defined and implemented, with the greatest focus on the risks most likely to derail the project.
4. Control and documentation— documentation is done for future projects.

Under risk assessment, Causey (2013) outlines a more comprehensive sequence of steps:
1. Assets are identified by evaluating the system life cycle, so that every component that needs protection is in scope.
2. Threats are identified: Causey (2013) stresses that at this stage it is important to understand how threat and vulnerability connect, since a threat only becomes a risk when there is a vulnerability it can exploit. Threat assessment is the most crucial step in risk management.
3. Vulnerabilities are specified: vulnerability scanning is used to identify the weaknesses through which an asset could be compromised. This is also the most challenging part of IT security risk assessment.
4. Metrics are developed: IT security risk assessment is complex and subject to many different types of risk, so a clear, consistent rating framework (for example a likelihood and impact scale) is needed to express the severity of each risk.
5. Historical data breaches are considered: this is where documentation becomes necessary, because records of prior incidents show which threats actually materialized and feed that evidence back into the assessment.
6. Cost is calculated: an impact severity matrix establishes the level of each risk, and relevant cost factors are applied to estimate the total cost incurred if the risk materializes.
7. Fluid risk-to-asset tracking is performed: the assessment must adapt to the changing dynamics and threats in the field, so it should be continuous rather than a one-time exercise.
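As an added worked example (not code from Causey, Howard and Cruz, or the Navy), the following Python puts the categorization step of the RMF list above and Causey's metric and cost steps into one small risk register: each asset receives a high-water-mark security category from its confidentiality, integrity and availability impact levels, each risk is placed on a 5x5 likelihood-by-impact matrix, a cost factor (single-loss cost multiplied by the expected number of occurrences per year) is applied, and the register is ordered for treatment. The assets, risks, cost figures, band thresholds and risk appetite are all constructed assumptions.

```python
"""Worked risk register: high-water-mark categorization plus a likelihood/impact matrix.

Added example. The sample assets, risks, cost figures and thresholds are
constructed for illustration and do not come from Causey (2013) or
Howard and Cruz (2017).
"""
from dataclasses import dataclass

# Impact levels used for the high-water-mark categorization (RMF step 1).
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str  # "low" | "moderate" | "high"
    integrity: str
    availability: str


def security_category(asset: Asset) -> str:
    """Overall category is the highest of the C/I/A impact levels (high-water mark)."""
    return max(
        (asset.confidentiality, asset.integrity, asset.availability),
        key=LEVELS.__getitem__,
    )


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    single_loss_cost: float  # assumed cost of one occurrence (constructed, USD)
    annual_rate: float       # assumed expected occurrences per year


def risk_score(risk: Risk) -> int:
    """Position in a 5x5 severity matrix: likelihood times impact."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError("likelihood and impact must be rated 1..5")
    return risk.likelihood * risk.impact


def risk_level(score: int) -> str:
    """Band the matrix score; the thresholds are an assumed risk appetite."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def annualized_loss(risk: Risk) -> float:
    """Cost factor applied to the rated risk: single-loss cost x expected annual rate."""
    return risk.single_loss_cost * risk.annual_rate


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest matrix score first; ties broken by expected annual loss."""
    return sorted(risks, key=lambda r: (risk_score(r), annualized_loss(r)), reverse=True)


def exceeds_appetite(risk: Risk, appetite: str = "medium") -> bool:
    """True when the banded level is above the accepted level and must be treated."""
    order = ["low", "medium", "high"]
    return order.index(risk_level(risk_score(risk))) > order.index(appetite)


# Constructed sample data for the worked example.
ASSETS = [
    Asset("payroll-db", confidentiality="high", integrity="high", availability="moderate"),
    Asset("public-website", confidentiality="low", integrity="moderate", availability="moderate"),
]

RISKS = [
    Risk("payroll-db", "credential theft", "no MFA on admin portal", 4, 5, 250_000.0, 0.2),
    Risk("public-website", "volumetric DDoS", "no upstream rate limiting", 3, 2, 20_000.0, 1.5),
    Risk("payroll-db", "insider misuse", "excessive standing privileges", 2, 5, 100_000.0, 0.5),
]


def build_register(risks: list[Risk]) -> list[dict]:
    """The documented output of the assessment, ordered for treatment."""
    return [
        {
            "asset": r.asset,
            "threat": r.threat,
            "score": risk_score(r),
            "level": risk_level(risk_score(r)),
            "expected_annual_loss": annualized_loss(r),
            "treat": exceeds_appetite(r),
        }
        for r in prioritize(risks)
    ]


if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.name}: security category = {security_category(a)}")
    for row in build_register(RISKS):
        print(row)
```

With the constructed figures, the credential-theft risk and the insider-misuse risk carry the same expected annual loss (50,000) but land in different matrix bands, so only the first is flagged for treatment under a "medium" appetite. That disagreement between the qualitative matrix and the cost factor is exactly why Causey's cost step sits alongside the metric step rather than replacing it: a register that records both lets the reviewer see where a single severity band hides a large expected loss.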

Causey, B. (2013, January), How to conduct an effective IT security risk assessment. Retrieved from
Hartwig, R. P. (2014). Cyber risks: The growing threat. Insurance Information Institute. Retrieved from
Howard, T., & Cruz, J. (2017). A cyber vulnerability assessment of the US Navy in the 21st Century. Retrieved from
Metivier, B. (2017). How to Define Cybersecurity Risk. Retrieved from Tyler Cybersecurity / Sage Advice – Cybersecurity:
Pinto, J. K. (2012). Project Management: A Competitive Advantage (2nd ed.). London: Pearson Education Limited (pp. 21-28).
Romanosky, S., Ablon, L., & Kuehn, A. (2017). A content analysis of cyber insurance policies. RAND. Retrieved from