Weaknesses in existing security programs emerge over time as the organisation's scope of operations, and therefore its capacities, change. These weaknesses create new vulnerabilities that can be exploited, heightening risk: threats become easier to realise and the potential for loss grows.
Organizations should carry out threat and risk assessments periodically, either at fixed intervals or deliberately in response to a material change in the scope of operations.
A threat and risk assessment aims to identify vulnerabilities and the potential threats linked to them, and to evaluate the risks that emerge.
Assets + Threats + Vulnerability = Risk
Periodic assessments will help the organisation adapt to changes in the levels of threat and risk and avoid costly losses and disruptions.
In this use case, a Threat & Risk Assessment resolves a series of fundamental questions:
- What needs to be protected?
- What are the threats and vulnerabilities?
- What are the implications if the vulnerabilities were exploited?
- What is the value to the organization?
- What can be done to minimize exposure to the loss or damage?