Summary

The SANS presentation Why Take the Risk? Doing Risk Assessments Right by Matthew J. Harmon, delivered at the 30th Annual Minnesota Government IT Symposium on December 7, 2011, lays out a structured approach for organizations to identify, analyze, and manage IT risks. Harmon draws on industry standards and real-world examples to show how a disciplined risk assessment process can both prevent loss and add strategic value.

Risks and Probability

First, the talk defines an IT risk assessment as an analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities, per the Department of the Navy (OPNAVINST 5239.1A) and ISO Guide 73:2009. Key terminology, such as threat agents, vulnerabilities, impact, and risk, is clarified, with threats described as anything capable of harming an asset and risk framed as a function of likelihood and impact. Harmon emphasizes that thorough identification of assets, threat scenarios, and existing controls is essential to determine whether current safeguards reduce risk to acceptable levels.

Frameworks

Second, Harmon surveys leading frameworks like NIST SP 800-30, ISO 27005, ISO 31010, FAIR, and OCTAVE and maps them onto a Plan-Do-Check-Act lifecycle. The process begins with planning and establishing context, then moves through asset and threat identification, vulnerability analysis, and impact assessment. He details methods for both quantitative (e.g., Annualized Loss Expectancy calculations) and qualitative (e.g., Low/Medium/High scales) analyses, and outlines the risk treatment options (accept, mitigate, transfer, or avoid), guided by senior-management engagement. The presentation concludes by stressing the importance of actionable treatment plans, ongoing monitoring, and regular reviews to maintain and improve organizational resilience.
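The following is an added worked example, not code from the presentation or from SANS, showing the two analysis styles summarized above side by side: a quantitative Annualized Loss Expectancy calculation and a qualitative Low/Medium/High matrix, with a simple cost-benefit check that turns the numbers into one of the treatment options (accept, mitigate, transfer/avoid). It assumes the standard textbook definitions SLE = AV × EF and ALE = SLE × ARO and one common 3×3 matrix convention; the scenario figures, the `Scenario` class, and the helper function names are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat scenario against one asset (constructed data, not from the talk)."""
    name: str
    asset_value: float      # AV: business/replacement value of the asset, in currency units
    exposure_factor: float  # EF: fraction of AV lost in a single occurrence, 0.0..1.0
    aro: float              # ARO: expected number of occurrences per year


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = AV * EF (standard quantitative risk formula, assumed here)."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE * ARO: expected loss per year if nothing changes."""
    return single_loss_expectancy(s) * s.aro


def control_value(s: Scenario, residual_aro: float, annual_control_cost: float) -> float:
    """Net annual value of a mitigating control.

    The control is assumed to lower the occurrence rate from s.aro to residual_aro
    while leaving SLE unchanged. Value = (ALE before - ALE after) - control cost.
    A positive number means the control pays for itself each year.
    """
    ale_before = annualized_loss_expectancy(s)
    ale_after = single_loss_expectancy(s) * residual_aro
    return (ale_before - ale_after) - annual_control_cost


def recommend_treatment(s: Scenario, residual_aro: float,
                        annual_control_cost: float, risk_appetite: float) -> str:
    """Map the numbers onto the treatment options named in the talk.

    risk_appetite is the annual loss management is willing to carry (assumed input).
    """
    if annualized_loss_expectancy(s) <= risk_appetite:
        return "accept"
    if control_value(s, residual_aro, annual_control_cost) > 0:
        return "mitigate"
    # Control costs more than the loss it prevents: insure it (transfer) or stop the activity (avoid)
    return "transfer or avoid"


# Qualitative analysis: one common Low/Medium/High matrix convention (assumed, not the talk's own).
LEVELS = ("Low", "Medium", "High")


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Combine Low/Medium/High likelihood and impact into a Low/Medium/High risk rating.

    Both inputs are scored 0..2 and summed: 0-1 -> Low, 2 -> Medium, 3-4 -> High,
    so High likelihood with Low impact (or vice versa) lands on Medium.
    """
    score = LEVELS.index(likelihood) + LEVELS.index(impact)
    if score <= 1:
        return "Low"
    if score == 2:
        return "Medium"
    return "High"


if __name__ == "__main__":
    # Constructed example: a file server hit by a destructive event roughly once every five years.
    file_server = Scenario("destructive malware on file server",
                           asset_value=200_000, exposure_factor=0.5, aro=0.2)
    print(f"SLE: {single_loss_expectancy(file_server):,.0f}")
    print(f"ALE: {annualized_loss_expectancy(file_server):,.0f}")
    # A backup/restore control assumed to cut ARO to 0.05 for 8,000 per year.
    print("control value:", control_value(file_server, 0.05, 8_000))
    print("treatment:", recommend_treatment(file_server, 0.05, 8_000, risk_appetite=10_000))
    print("qualitative:", qualitative_rating("High", "Low"))
```

The quantitative path is only as good as the AV, EF and ARO estimates fed into it, which is why the talk pairs it with the qualitative scale: when the inputs are guesses, a Low/Medium/High matrix reviewed with senior management is often the more honest picture.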

Presentation

Why take the risk?