[Excerpted from "Measuring Risk: A Security Pro's Guide," a new report published this week on Dark Reading's Risk Management Tech Center.]

Every organization has valuable information assets -- whether it’s intellectual property; commercially valuable information and IT systems; or data on employees, customers and suppliers. An IT system failure, therefore, will adversely impact the organization to some degree.

IT professionals are charged with the often-daunting task of providing an assessment of the risk -- and potential damage -- associated with specific threats to company information systems. Complicating the task is the need to explain to senior management how a risk, and the likelihood that it will cause harm to the organization, was calculated.

With IT-related risks, you can’t construct tools that satisfy measurement theory. Even ISO Standard 27005 information security risk management, which is designed to help the implementation of information security based on a risk management approach -- doesn’t specify, recommend or even name any specific risk analysis methods.

Indeed, measuring the level of risk an organization faces is a big undertaking, so it makes sense to split risk assessments into defined areas of the business. These could include a physical location, such as a call center, or a business process, such as order fulfillment.

Documenting all the threats and quantifying the associated risks -- even for a small office or basic process -- usually takes a few weeks and can last up to several months for more complex regulated entities. Even if your company contracts with an outside consultant, internal staff will need to be involved. It’s therefore essential that everyone understands the terminology and concepts behind a risk assessment.

Any reports to senior management should begin by explaining these key concepts. The terms may seem basic, but it is important that everyone involved is using the same vocabulary and applying the terms in the same context.

A threat is something that can potentially cause damage to the organization.

A vulnerability is a weakness within the organization that can be exploited by a threat.

Risk is the possibility that a threat exploits a vulnerability and causes damage to the organization.

The estimated damage to the organization is its impact.

It should be made clear at this point that every organization has to live with threats; you cannot eliminate the threat of either lightning strikes or malicious cyber or even physical attacks. The first task, then, is to identify all the threats to your assets in the scope of the risk assessment.

To learn more about how to conduct a risk assessment -- and the tools that can be used to measure and report risk -- download the free guide to measuring IT security risk.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.