How to perform risk analysis for NIS2

Last updated: 2023-12-15

5 practical steps of asset-based risk analysis for NIS2

Analysis and risk assessment as required by the NIS2 is performed based on identified assets, vulnerabilities and threats. We will guide you through the process based in five basic steps so you don't drown in them. There are certainly other procedures, this is just one possible approach.

Step 1: Identify your assets

Assets are a key focus of risk analysis. Everything depends on them. Primary assets are your data (and possibly key services) and supporting assets as everything else you need to have to make your system work. First you need to focus on identifying your primary assets.

Identify Primary Assets

Primary assets are information or data that stands at the top of the imaginary pyramid. Services can also be included among the primary assets, but we recommend focusing only on data and information so you don't get tangled up in it. So, primary assets are data or information that if you don't have or if it doesn't work, your organization can't function either, it can't fulfill its mission. So these are essential to the functioning of your organization

  • Primary assets are information and data essential to the functioning of the organization
  • Take a look at the procedure, how to identify primary assets

Identify supporting assets

Supporting assets ensure the functionality or availability of primary assets. Each primary asset is dependent on one or more supporting assets, and therefore you need to track these dependencies to perform the analysis. The supporting assets are typically:

  • Further data and information
  • IT services
  • Infrastructure services (e.g. electricity supply)
  • Hardware -Computer technology, networks, and other IT technology
  • Media and data carriers
  • Staff
  • Premises and facilities

Identify the guarantors of the assets

  • Each asset, primary or support, must have a clearly identified responsible person 'Guarantor'
  • Guarantors know their assets well
  • Asset guarantors are responsible for managing and controlling the security of an asset throughout its lifetime

Identify dependencies of primary assets on supporting assets

  • It's important to know where your data is stored or what it depends on, and therefore how any unavailability of supporting assets such as technology, services, systems, people, applications will affect the unavailability of your data.
  • The links between the primary and supporting assets will help you get an idea of the interdependencies. 

Make an assessment of all your assets

  • The asset valuation is based primarily on the opinion of the guarantor of the asset
  • So, with the help of the guarantors, assess all assets for confidentiality, availability and integrity.
  • The value of each asset is determined by its impact, i.e. the degree of damage that will result from its deterioration or loss.

You now have a list of your assets. Enter them all into the asset Organizer, for each create dependencies between primary and supporting assets. In the next step you create a list of threats.

Recommended asset importance levels according to their impact on the organization

  1. Low - the impact is at the level of discomfort
  2. Medium - minor injury
  3. High - serious injury
  4. Critical - leads to serious impacts on the organisation, which are long-term and irreversible

Step 3: Identify vulnerabilities

Vulnerabilities are the weak points of an asset, i.e. how the asset can be attacked or damaged. These are known vulnerabilities that you know about that can be subject to some kind of attack or threat. Carefully analyze each asset and identify and assign potential vulnerabilities to it.

Identify vulnerabilities to each asset

Proceed from each asset. Each has its own vulnerabilities. Write these down and create a link to the asset. Vulnerabilities can be

  • Insufficient staff knowledge of cyber threats
  • incorrectly assigned permissions when an employee starts work
  • not taking away employees' privileges when they leave
  • lack of backup
  • insufficient establishment of safety rules
  • insufficient maintenance of the information system
  • inappropriate access permission settings
  • insufficient monitoring of users and administrators
  • Inability to detect fraudulent or malicious user behaviour

Assess your system's vulnerabilities

  • Vulnerability assessments shall be carried out according to criteria established in the opinion of the asset manager
  • For each vulnerability, determine its level on the recommended scale

Recommended vulnerability levels

  1. Low - Vulnerability does not exist or is unlikely to be exploited
  2. Medium - Exploitation of the vulnerability is unlikely. There are no known successful attempts to exploit it
  3. High - Exploitation of the vulnerability is very likely. Partial successful attempts to exploit it are known

Step 2: Identify threats

Every asset can succumb to some threats. Carefully analyze each asset and identify and assign potential threats such as.

  • Mistakes or bad intentions of people
  • Cyber attacks
  • Natural threats
  • Technical failures and shortcomings
  • Failure of support services

Assess the threats

  • Threat assessment is performed according to the opinion of the asset manager
  • Assign each threat one of the following levels

Recommended threat assessment levels

  1. Low - The threat is non-existent or unlikely. Does not occur more often than once every 5 years.
  2. Medium - Threat is unlikely to likely. Occurs in the range of 1 year to 5 years.
  3. High - Threat is likely to very likely. Occurs in the range of 1 month to 1 year.
  4. Critical - The threat is very likely to more or less certain. Occurs more often than once a month.

Step 4: Name the risks and assign owners to them

Based on the first three steps, identify the risks and their owners. The risk owners have the responsibility for managing the risks and have sufficient authority to manage the risk. Use the risk register to describe each risk.

Identify risks

  • Risks are the intersection of assets, vulnerabilities and threats
  • Individual risks correspond to individual threats that can damage a specific asset through vulnerabilities and thus cause damage
  • Each sub-risk thus relates to each notional intersection of asset, vulnerability and threat

Determine your risk levels

  • You must create priorities in the risk list. You cannot tackle everything at once
  • You need to categorize risks according to their severity and impact on your organization
  • You will do this for each individual risk
  • The risks are most often divided into three groups as follows:
  1. low, acceptable - risk can be accepted
  2. medium risk - action needs to be planned
  3. high risk - immediate action must be taken

Evaluate and select the risks that put you most at risk

  • For each individual risk, calculate its level using the following formula:
  • Risk = Value of affected asset x Threat level x Vulnerability level
  • Each sub-risk has a calculated score, which places it in the appropriate level of the three risk levels.
  • You will classify the risks as low, medium or high risk in the above groups
  • Group risks into low (acceptable), medium and high risks

Assess the risks in detail

  • For high and medium risks, carry out a detailed assessment
  • High risks require the most attention
  • In the next step, you will determine how to manage each risk to ideally reach an acceptable level

Step 5: Determine how you treat the risks

For each risk, you determine how you will approach it, how you want to treat it. The optimal goal is to achieve acceptability for all risks, i.e. to reduce their value to an acceptable level. A risk may be accepted because of its low level or if any action would be difficult to implement or disproportionately costly. According to the level of risk, priorities for solutions are determined and adequate measures are proposed.

How you can treat the risks

  1. Mitigate it
  2. Transfer it to someone else
  3. Avoiding it
  4. Accept it

Mitigate the risk

  • Mitigating it is the most widely used approach.
  • It means taking measures to help bring the risk down to an acceptable level
  • An example is training staff on cyber attacks, this will help reduce the likelihood of someone taking advantage of their ignorance

You transfer the risk to someone else

  • This method is suitable if you can find someone else in the market who can manage the risk better
  • Typical examples are insurance or outsourcing

Avoid the risk

  • It means not doing the thing in question and thus eliminating the risk
  • It is a negative way of dealing with risk

You accept the risk

  • This means that you will accept the risk as it is
  • Low risks or risks with high mitigation costs can be accepted
  • Even medium risks can be accepted
  • You should not address high risks in this way unless other measures are disproportionately costly