Risk Analysis or Risk Assessment? Know the Difference

One thing we learn from Factor Analysis of Information Risk (that’s the FAIR model that powers the RiskLens cyber risk analytics platform) is to take a disciplined approach to our thinking and language about risk. A good example: “risk analysis” vs. “risk assessment,” two terms commonly thrown around as interchangeable — but there is an important difference.

FAIR practitioners know that a risk analysis is part of the larger risk assessment process.

A risk assessment should include:

1. Identification of the issues that contribute to risk.

In other words, scoping. The end result is a scenario, a clearly defined problem statement that stakeholders agree is the risk to be analyzed.

As part of scoping, the team identifies:

  • What is our loss event? For instance, inability to access the website due to a DDoS attack.
  • What assets are we concerned with? For instance, personally identifiable customer information in a database.
  • What threat actors are we focusing on? For instance, cyber criminals or malicious employees.
  • What type of effect are we concerned with – a breach, outage, or fraud-related scenario?

2. Risk analysis – FAIR comes in here

Perform a quantitative analysis of the risk identified during the scoping phase. In other words, using FAIR, measure the probable frequency and probable magnitude of future loss: the FAIR definition of “risk”.

3. Identifying options for dealing with the risk issue.

Will decision-makers accept the risk and move on, or would they like to mitigate it? If we’re leaning towards the latter, take these steps:

  • Decide what control, system, process, or solution the organization is hoping to implement to mitigate this risk.
  • Determine where the control falls within the FAIR model. FAIR categorizes controls into 4 buckets (avoidance, deterrence, resistance/vulnerability and responsive) to evaluate their effectiveness.

The FAIR model for cyber risk analysis is in use at about 30% of Fortune 100 companies. Gartner recently called cyber risk quantification a must-have for forward-looking companies practicing Integrated Risk Management (IRM).

4. Determining which option is likely to be the best fit – use FAIR here, too.

Within the RiskLens tool, the reporting shows where each solution could give you the best ROI. See this report from RiskLens on potential solutions for risk around phishing:

[Figure: RiskLens analysis output comparing potential solutions for phishing risk]

5. Communicating results and recommendations to decision-makers.

Report on your results and provide your stakeholders with the various investment options. Using the FAIR model and the RiskLens tool, you are able to confidently present a complete risk assessment based on a defensible risk analysis of the significance of the risk and a comparison of the options to mitigate it.
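Steps 2 and 4 above, carried through in code as an added example (this is not RiskLens or FAIR Institute code). It takes a scoped scenario expressed in FAIR factors (threat event frequency, vulnerability, loss magnitude), estimates annualized loss with a Monte Carlo simulation, and then compares two mitigation options by ROI. The use of triangular distributions and Poisson event counts, the scenario, the two controls and every number are constructed assumptions for illustration.

```python
"""FAIR-style quantitative risk analysis: Monte Carlo estimate of annualized
loss for one scoped scenario, then a comparison of mitigation options by ROI.

Added example, not RiskLens code. Distribution choices (triangular ranges,
Poisson event counts) and all numbers are constructed assumptions.
"""
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Range:
    """Calibrated estimate as minimum / most likely / maximum."""
    low: float
    likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution stands in for the PERT used by FAIR tooling.
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    """Output of scoping: asset, threat, effect, and the FAIR factors."""
    name: str
    tef: Range            # threat event frequency, attempts per year
    vulnerability: Range  # probability an attempt becomes a loss event (0..1)
    magnitude: Range      # loss per event, currency units


def poisson(rng: random.Random, mean: float) -> int:
    """Knuth's algorithm: number of loss events in one year given the rate."""
    if mean <= 0:
        return 0
    threshold = math.exp(-mean)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 7) -> list[float]:
    """Simulate `iterations` years; each value is that year's total loss."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(iterations):
        # Loss event frequency = threat event frequency x vulnerability.
        lef = scenario.tef.sample(rng) * scenario.vulnerability.sample(rng)
        events = poisson(rng, lef)
        yearly.append(sum(scenario.magnitude.sample(rng) for _ in range(events)))
    return yearly


def summarize(yearly: list[float]) -> dict[str, float]:
    """ALE (mean) plus the percentiles decision-makers usually ask for."""
    q = statistics.quantiles(yearly, n=10, method="inclusive")
    return {"ale": statistics.fmean(yearly), "p10": q[0], "p50": q[4], "p90": q[8]}


def roi(baseline_ale: float, mitigated_ale: float, annual_cost: float) -> float:
    """Return on a control: avoided annual loss net of cost, per unit of cost."""
    return (baseline_ale - mitigated_ale - annual_cost) / annual_cost


# Constructed scoping result: customer PII database, external criminals, breach.
BASELINE = Scenario(
    name="PII database breach by external criminals",
    tef=Range(4, 12, 24),
    vulnerability=Range(0.15, 0.30, 0.50),
    magnitude=Range(20_000, 60_000, 250_000),
)

# Option A: a resistive control (assumed: MFA on admin access) halves vulnerability.
OPTION_A = replace(BASELINE, vulnerability=Range(0.05, 0.15, 0.25))
# Option B: a responsive control (assumed: tested IR playbook) cuts loss magnitude.
OPTION_B = replace(BASELINE, magnitude=Range(10_000, 30_000, 120_000))
OPTION_COST = {"A": 40_000.0, "B": 25_000.0}  # assumed annual cost of each option


def compare_options() -> dict[str, dict[str, float]]:
    """Step 4: baseline risk next to each option's residual risk and ROI."""
    base = summarize(simulate(BASELINE))
    out = {"baseline": base}
    for label, option in (("A", OPTION_A), ("B", OPTION_B)):
        s = summarize(simulate(option))
        s["roi"] = roi(base["ale"], s["ale"], OPTION_COST[label])
        out[label] = s
    return out


if __name__ == "__main__":
    for label, s in compare_options().items():
        print(label, {k: round(v, 2) for k, v in s.items()})
```

The controls map onto the four FAIR buckets named in step 3: avoidance and deterrence would lower threat event frequency, a resistive control lowers vulnerability (option A), and a responsive control lowers loss magnitude (option B). Reporting the 10th/50th/90th percentiles alongside the ALE is what lets step 5 present a range rather than a single point estimate.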