NISTIR 8286A Risk Management Guide Part 3: Risk Tracking and Performing Risk Assessments



In Parts 1 and 2 of this three-part series, I outlined how to get started setting up and managing system cybersecurity risk, as described in NISTIR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management. This article shows you how to use the tools described in the NIST guidelines to conduct a risk assessment and track risks throughout the life of a system.

What is risk assessment?

A risk assessment determines the potential annual loss associated with any likely security or business continuity incident involving a system. This is often represented by the formula RISK = THREATS x VULNERABILITIES x BUSINESS IMPACT. NISTIR 8286A, published in November by the US Department of Commerce’s National Institute of Standards and Technology (NIST), uses a different model, shown in Figure 1.

Figure 1: Inputs for risk scenario identification

The NIST model shows how the elements of risk are related to one another. Human and non-human threats or threat actors exploit vulnerabilities. Vulnerabilities are weaknesses in a system and the environment in which it operates that are caused by misconfiguration, coding errors, lack of adequate multilevel controls, lack of guidelines and user training, or other factors.

The evaluation process

NISTIR 8286A lists four phases in assessing the risk of a system:

  • Identify the organization’s assets and classify and categorize each system
  • Identify likely threats to the confidentiality, integrity, and availability of the system
  • Identify and assess vulnerabilities and other predisposing conditions
  • Assess the potential business impact if a threat actor exploits one or more vulnerabilities to achieve attack objectives

Identification and valuation of assets

To effectively manage information resource risk, an organization must understand the systems in operation and the data that each system processes, manages, or stores. This inventory is needed to create the risk register (see Part 2 of this series) and the assessment plan for each system.

Once the Risk Management Team (RMT) documents each system, it needs to classify and categorize them. Classification relates directly to confidentiality and privacy, and therefore to data. In other words, we rank data based on how important it is to protect it from unauthorized entities. The military classifies information as confidential, secret, and top secret; the same idea applies to data owned by private organizations.

In addition to classification, an organization must categorize its systems. Categorization measures the negative business impact if the confidentiality, integrity, or availability of the system and its data is compromised. The video Data classification and categorization explains the process.

The categorization is mainly based on the data processed and the information generated by the system. As a result, the impact on downstream systems is also part of determining the value of a system to business operations.

Identify likely threats

There are many global threats to business. However, only a subset of these threats is likely to target a particular organization. As a result, security teams need to identify the threats to their resources that are likely and the attack vectors those threats would use. The attack vectors feed into the next step.

An organization can determine whether a particular threat is likely by looking at:

  • Industry attack history. Some industries are bigger targets than others. In addition, the RMT needs to understand what types of resources are common targets and whether those resources are present in its organization.
  • Types of attacks. Threat actors target organizations for a variety of reasons, including:
      ◦ Terrorism
      ◦ Hacktivism
      ◦ Financial gain
      ◦ Nation-state theft of secrets
  • Geographical location. One threat related to geographic location is weather: is the area affected by hurricanes, typhoons, tornadoes, or floods? Other considerations are political instability, crime rates, and the local legal environment.

In summary, likely threats are based on a set of conditions that apply to an organization and its social, political, or other roles or positions. A comprehensive list of possible threats is available on the Cybersecurity and Infrastructure Security Agency (CISA) website and in Appendix A of the Guide to airport cybersecurity best practices. However, these are common threats; identifying and analyzing the threats specific to your organization requires continuous threat intelligence activities.

Identification and evaluation of vulnerabilities

Vulnerabilities are weak points that an attacker exploits to achieve attack objectives. Vulnerabilities include:

  • Misconfiguration of controls and assets
  • Coding errors
  • Failure to effectively manage trust with entity authentication and segmentation
  • Lack of effective staff training
  • Lack of controls
  • Use of only one protective measure to protect an attack path (lack of multi-layered defense)

When a threat is identified, the RMT needs to understand the threat actor’s attack paths. The attack paths are then mapped with an attack tree or an abuse-case diagram. The team uses the tree or diagram to identify weaknesses in systems, network devices, or security measures that could allow an attack.

It is important to remember that a threat actor must often exploit two or more vulnerabilities without being detected and stopped. The threat actor’s ability to do this depends largely on the protective measures already in place, and the resulting impact is determined by the categorization of the affected systems and data.

Assess potential business impact

Business impact is influenced by two factors: the likelihood of occurrence and the adverse impact of a single event. Likelihood of occurrence measures the probability that a threat actor will launch a successful attack on the system being assessed.

The probability is generally influenced by three factors:

  • Motivation of the threat actor
  • Skills required to attack
  • The nature of the existing vulnerabilities

Motivation increases with the value of the target. Target value is not always measured by the financial gain the threat actor stands to make; motivation is also shaped by the threat actor’s objectives.

For example, a hacktivist might target an organization because the victim holds or promotes social positions the threat actor disagrees with. In another example, a nation-state threat actor could target a system to steal weapon system specifications. Each organization must judge whether it is a high-value target based on its industry, social perception, and the value of potential targets on its network.

Skills and vulnerabilities

The skills required and the type of vulnerabilities present are closely related. Every company has vulnerabilities, both known and unknown. However, the expertise required to exploit all the vulnerabilities needed to achieve the objective of the attack depends on the type of vulnerability and on the preventive, detective, and responsive controls in place.

It is not easy to collect all of this information and then determine the potential risk.

CVSS calculator

An effective tool for assessing likelihood and impact is the CVSS calculator. The assessment team enters information about the vulnerability, the existing security controls, and the effect of a confidentiality, integrity, or availability compromise.

The video Vulnerability Management and CVSS explains how to use the calculator to determine the real risk to an organization based on the factors discussed in this article. It is a qualitative tool, but it is very helpful in understanding gaps in protection against existing and emerging threats.

Report risk

Both organizational managers and IT teams need to understand the risks identified. While a detailed risk description for each threat is a good way of communicating with the technical teams, the risk description in the risk register needs to be more meaningful to managers. The following two descriptions are from NISTIR 8286A:

  • An external criminal attack exploits a software vulnerability on the Internet-connected customer data site, resulting in a “significant” exfiltration of confidential customer data, with revenue, reputational, and regulatory implications.
  • A flood event penetrates the data center on the first floor, causing water damage to several critical servers and disrupting the services of more than 10% of customers.

These are very general descriptions. I would be more specific about the actual threat and its associated vulnerabilities. In any case, the description should be general enough for management to use, but specific enough to support discussions about risk management.

Final thoughts

There are many approaches to identifying and managing risks. This series combines current NIST recommendations with other practical approaches. It is intended to provide guidance in determining your approach based on your company’s unique operating environment.

How efficient is your organization in tracking and managing cyber risks? Let us know on LinkedIn, Twitter, or Facebook. We’d love to hear from you!
