• Sign In
  • Get Started
HomeGRC CentralRiskRisk Assessment Methodologies

6 Types of Risk Assessment Methodologies + How to Choose

6 Types of Risk Assessment Methodologies + How to Choose

What's Inside

Information risks are everywhere, but which ones matter most? Choosing the right risk assessment methodology can help you prioritize.

Contents
What Is Risk Assessment?Risk Assessment MethodologiesChoosing the Right Methodology

An organization’s sensitive information is under constant threat. Identifying those security risks is critical to protecting that information. But some risks are bigger than others. Some mitigation options are more expensive than others. How do you make the right decision? Adopting a formal risk assessment process gives you the information you need to set priorities. 

There are many ways to perform a risk assessment, each with its own benefits and drawbacks. We will help you find which of these six risk assessment methodologies works best for your organization.

What Is Risk Assessment?

Risk assessment is the way organizations decide what to do in the face of today’s complex security landscape. Threats and vulnerabilities are everywhere. They could come from an external actor or a careless user. They may even be built into the network infrastructure.

Decision makers need to understand the urgency of the organization’s risks as well as how much mitigation efforts will cost. Risk assessments help set these priorities. They evaluate the potential impact and probability of each risk. Decision makers can then evaluate which mitigation efforts to prioritize within the context of the organization’s strategy, budget, and timelines. 

Ready to Uplevel Your Risk Management Program?

Download this guide to help you implement a robust risk management program and learn how to achieve a proactive approach to risk.

Get the Guide

Risk Assessment Methodologies

Organizations can take several approaches to assess risks—quantitative, qualitative, semi-quantitative, asset-based, vulnerability-based, or threat-based. Each methodology can evaluate an organization’s risk posture, but they all require tradeoffs.

Quantitative

Quantitative methods bring analytical rigor to the process. Assets and risks receive dollar values. The resulting risk assessment can then be presented in financial terms that executives and board members easily understand. Cost-benefit analyses let decision makers prioritize mitigation options.

However, a quantitative methodology may not be appropriate. Some assets or risks are not easily quantifiable. Forcing them into this numerical approach requires judgment calls—undermining the assessment’s objectivity.

Quantitative methods can also be quite complex. Communicating the results beyond the boardroom can be difficult. In addition, some organizations do not have the internal expertise that quantitative risk assessments require. Organizations often take on the added cost to bring in consultants’ technical and financial skills.

Qualitative

Where quantitative methods take a scientific approach to risk assessment, qualitative methods take a more journalistic approach. Assessors meet with people throughout the organization. Employees share how, or whether, they would get their jobs done should a system go offline. Assessors use this input to categorize risks on rough scales such as High, Medium, or Low.

A qualitative risk assessment provides a general picture of how risks affect an organization’s operations.

People across the organization are more likely to understand qualitative risk assessments. On the other hand, these approaches are inherently subjective. The assessment team must develop easily-explained scenarios, develop questions and interview methodologies that avoid bias, and then interpret the results.

Without a solid financial foundation for cost-benefit analysis, mitigation options can be difficult to prioritize.

By utilizing Risk Management by Drata, Calendly began to engage in more strategic risk assessment and management—providing a clearer perspective and a more structured approach to prioritizing risk mitigation efforts.

Read the Story

Semi-Quantitative

Some organizations will combine the previous methodologies to create semi-quantitative risk assessments. Using this approach, organizations will use a numerical scale, such as 1-10 or 1-100, to assign a numerical risk value. Risk items that score in the lower third are grouped as low risk, the middle third as medium risk, and the higher third as high risk.

Blending quantitative and qualitative methodologies avoids the intense probability and asset-value calculations of the former while producing more analytical assessments than the latter. Semi-quantitative methodologies can be more objective and provide a sound basis for prioritizing risk items.

Asset-Based

Traditionally, organizations take an asset-based approach to assessing IT risk. Assets are composed of the hardware, software, and networks that handle an organization’s information—plus the information itself. An asset-based assessment generally follows a four-step process:

  • Inventory all assets.

  • Evaluate the effectiveness of existing controls.

  • Identify the threats and vulnerabilities of each asset.

  • Assess each risk’s potential impact.

Asset-based approaches are popular because they align with an IT department’s structure, operations, and culture. A firewall’s risks and controls are easy to understand.

However, asset-based approaches cannot produce complete risk assessments. Some risks are not part of the information infrastructure. Policies, processes, and other “soft” factors can expose the organization to as much danger as an unpatched firewall.

Vulnerability-Based

Vulnerability-based methodologies expand the scope of risk assessments beyond an organization’s assets. This process starts with an examination of the known weaknesses and deficiencies within organizational systems or the environments those systems operate within.

From there, assessors identify the possible threats that could exploit these vulnerabilities, along with the exploits’ potential consequences.

Tying vulnerability-based risk assessments with an organization’s vulnerability management process demonstrates effective risk management and vulnerability management processes.

Although this approach captures more of the risks than a purely asset-based assessment, it is based on known vulnerabilities and may not capture the full range of threats an organization faces.

Threat-Based

Threat-based methods can supply a more complete assessment of an organization’s overall risk posture. This approach evaluates the conditions that create risk. An asset audit will be part of the assessment since assets and their controls contribute to these conditions.

Threat-based approaches look beyond the physical infrastructure.

By evaluating the techniques threat actors use, for example, assessments may re-prioritize mitigation options. Cybersecurity training mitigates social engineering attacks. An asset-based assessment may prioritize systemic controls over employee training. A threat-based assessment, on the other hand, may find that increasing the frequency of cybersecurity training reduces risk at a lower cost.

Unlock End-to-End Risk Management

Proactively identify and address your organization's vulnerabilities to reduce and minimize the impact of unexpected events.

Learn More

Choosing the Right Methodology

None of these methodologies are perfect. Each has strengths and weaknesses. Fortunately, none of them are mutually exclusive. Whether intentionally or by circumstance, organizations often perform risk assessments that combine these approaches.

When designing your risk assessment process, the methodologies you use will depend on what you need to achieve and the nature of your organization.

If board-level and executive approvals are the most important criteria, then your approach will lean towards quantitative methods. More qualitative approaches might be better if you need support from employees and other stakeholders. Asset-based assessments align naturally with your IT organization while threat-based assessments address today’s complex cybersecurity landscape.

Constantly assessing your organization’s risk exposure is the only way to protect sensitive information from today’s cyber threats. Drata’s compliance automation platform can help. monitor your security controls to ensure your audit readiness.

Centralize and Streamline Your Risk Management Process

Drata automatically matches risks with pre-mapped controls to unlock the power of automated tests and put risk management on autopilot, saving you time, money, and helping your business focus on more strategic objectives

Schedule a Demo

Keep Reading

See More
6 Types of Risk Assessment Methodologies + How to Choose

ARTICLE

6 Types of Risk Assessment Methodologies + How to Choose

Penetration Testing Why It’s Important + Common Types

ARTICLE

Penetration Testing: Why It’s Important + Common Types

Recovery Point Objective (RPO) What It Is + Why It Matters

ARTICLE

Recovery Point Objective (RPO): What It Is + Why It Matters

Risk Register How to Build One + Examples

ARTICLE

Risk Register: How to Build One + Examples

Take Your Learning Further

Discover research, guides, templates, and other resources on risk management.

Explore Risk Hub