Special Publication 800-30 Guide for Conducting Risk Assessments
CHAPTER 3 PAGE 27
management strategy, the information need not be repeated in each individual risk assessment. Organizations address
impacts at a level of detail that includes, for example, specific mission/business processes or information resources
(e.g., information, personnel, equipment, funds, and information technology). Organizations may include information
from Business Impact Analyses with regard to providing impact information for risk assessments. Table H-2 provides
representative examples of types of impacts (i.e., harm) that can be considered by organizations. Organizational
assumptions about how to determine impacts, and at what level of detail, inform Task 2-5.
Risk Tolerance and Uncertainty
Organizations determine the levels and types of risk that are acceptable. Risk tolerance is determined as part of the
organizational risk management strategy to ensure consistency across the organization. Organizations also provide
guidance on how to identify reasons for uncertainty when risk factors are assessed, since uncertainty in one or more
factors will propagate to the resulting evaluation of level of risk, and how to compensate for incomplete, imperfect, or
assumption-dependent estimates. Consideration of uncertainty is especially important when organizations consider
advanced persistent threats (APT) since assessments of the likelihood of threat event occurrence can have a great
degree of uncertainty. To compensate, organizations can take a variety of approaches to determine likelihood, ranging
from assuming the worst-case likelihood (certain to happen sometime in the foreseeable future) to assuming that if an
event has not been observed, it is unlikely to happen. Organizations also determine what levels of risk (combination of
likelihood and impact) indicate that no further analysis of any risk factors is needed.
Analytic Approach
Risk assessments include both assessment approaches (i.e., quantitative, qualitative, semi-quantitative) and analysis
approaches (i.e., threat-oriented, asset/impact-oriented, vulnerability-oriented). Together, the assessment and analysis
approaches form the analytic approach for the risk assessment. Organizations determine the level of detail and in what
form threats are analyzed, including the level of granularity used to describe threat events or threat scenarios. Different
analysis approaches can lead to different levels of detail in characterizing adverse events for which likelihoods are
determined. For example, an adverse event could be characterized in several ways (with increasing levels of detail): (i)
a threat event (for which the likelihood is determined by taking the maximum over all threat sources); (ii) a pairing of a
threat event and a threat source; or (iii) a detailed threat scenario/attack tree. In general, organizations can be expected
to require more detail for highly critical missions/business functions, common infrastructures, or shared services on
which multiple missions or business functions depend (as common points of failure), and information systems with
high criticality or sensitivity. Mission/business owners may amplify this guidance for risk hot spots (information
systems, services, or critical infrastructure components of particular concern) in mission/business segments.
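As an added example (not text or tooling from SP 800-30 itself) of the choices described under Risk Tolerance and Uncertainty and Analytic Approach above: a small Python model that derives a threat-event likelihood as the maximum over all threat sources, contrasts it with an explicit threat event/threat source pairing, applies the two uncertainty compensation approaches (worst-case versus unobserved-is-unlikely), and compares the resulting risk level against an organizational tolerance. The five-level scale, the sample ratings, and the likelihood/impact combination rule are assumptions made for the illustration.

```python
"""Added illustration of SP 800-30 likelihood granularity, uncertainty handling
and risk tolerance. Scale, sample data and combination rule are assumed."""
from typing import Dict, Optional

LEVELS = ["very low", "low", "moderate", "high", "very high"]  # assumed scale

# Constructed sample: per (threat event, threat source) likelihood ratings.
# None marks a source for which the event has never been observed (uncertain).
EVENT_SOURCE_LIKELIHOOD: Dict[str, Dict[str, Optional[str]]] = {
    "credential phishing": {"criminal group": "high", "APT": None, "insider": "low"},
    "backup media loss": {"insider": "moderate", "environmental": "low"},
}


def resolve_uncertain(rating: Optional[str], policy: str) -> str:
    """Compensate for an unassessed (uncertain) rating under a chosen policy."""
    if rating is not None:
        return rating
    if policy == "worst-case":            # certain to happen in the foreseeable future
        return "very high"
    if policy == "unobserved-unlikely":   # not observed, so assumed unlikely
        return "very low"
    raise ValueError(f"unknown uncertainty policy: {policy}")


def event_likelihood(event: str, policy: str) -> str:
    """Approach (i): one likelihood per threat event = max over all threat sources."""
    ratings = [resolve_uncertain(r, policy) for r in EVENT_SOURCE_LIKELIHOOD[event].values()]
    return max(ratings, key=LEVELS.index)


def pair_likelihood(event: str, source: str, policy: str) -> str:
    """Approach (ii): likelihood for an explicit (threat event, threat source) pairing."""
    return resolve_uncertain(EVENT_SOURCE_LIKELIHOOD[event][source], policy)


def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into a risk level. The rule used here (ceiling
    of the mean level index) is an assumed stand-in, not SP 800-30's own table."""
    idx = -(-(LEVELS.index(likelihood) + LEVELS.index(impact)) // 2)
    return LEVELS[idx]


def needs_further_analysis(risk: str, tolerance: str) -> bool:
    """Risk at or below the organization's tolerance needs no further factor analysis."""
    return LEVELS.index(risk) > LEVELS.index(tolerance)


if __name__ == "__main__":
    for policy in ("worst-case", "unobserved-unlikely"):
        lik = event_likelihood("credential phishing", policy)
        risk = risk_level(lik, "moderate")
        print(policy, lik, risk, needs_further_analysis(risk, "moderate"))
```

Running the block shows how the APT source, left unassessed, drives the event-level likelihood to "very high" under the worst-case policy but is outvoted by the criminal-group rating under the unobserved-is-unlikely policy.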
IDENTIFY INFORMATION SOURCES
TASK 1-4:
Identify the sources of descriptive, threat, vulnerability, and impact information to be used in the
risk assessment.
Supplemental Guidance: Descriptive information enables organizations to be able to determine the relevance of threat
and vulnerability information. At Tier 1, descriptive information can include, for example, the type of risk management
and information security governance structures in place within organizations and how the organization identifies and
prioritizes critical missions/business functions. At Tier 2, descriptive information can include, for example, information
about: (i) organizational mission/business processes, functional management processes, and information flows; (ii)
enterprise architecture, information security architecture, and the technical/process flow architectures of the systems,
common infrastructures, and shared services that fall within the scope of the risk assessment; and (iii) the external
environments in which organizations operate including, for example, the relationships and dependencies with external
providers. Such information is typically found in architectural documentation (particularly documentation of high-level
operational views), business continuity plans, and risk assessment reports for organizational information systems,
common infrastructures, and shared services that fall within the scope of the risk assessment. At Tier 3, descriptive
information can include, for example, information about: (i) the design of and technologies used in organizational
information systems; (ii) the environment in which the systems operate; (iii) connectivity to and dependency on other
information systems; and (iv) dependencies on common infrastructures or shared services. Such information is found in
system documentation, contingency plans, and risk assessment reports for other information systems, infrastructures,
and services.
Sources of information as described in Tables D-1, E-1, F-1, H-1, and I-1 can be either internal or external to
organizations. Internal sources of information that can provide insights into both threats and vulnerabilities can include,
for example, risk assessment reports, incident reports, security logs, trouble tickets, and monitoring results. Note that
internally, information from risk assessment reports at one tier can serve as input to risk assessments at other tiers.
Mission/business owners are encouraged to identify not only common infrastructure and/or support services they
depend on, but also those they might use under specific operational circumstances. External sources of threat
information can include cross-community organizations (e.g., US Computer Emergency Readiness Team [US-CERT],
sector partners (e.g., Defense Industrial Base [DIB] using the DoD-Defense Industrial Base Collaborative Information