Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:00 AM
Ernie Hayden
Ernie Hayden
Connect Directly
E-Mail vvv

Reworking the Taxonomy for Richer Risk Assessments

By accommodating unique requirements and conditions at different sites, security pros can dig deeper get a clearer sense of organizational risk.

For many years, I have been performing risk assessments of multiple large facilities. These risk assessments have ranged from major power plants to large substations to oil/gas pipelines to oil sands facilities to multistory office buildings. One thing I began to realize over the years is that each risk assessment had its own nuances; however, the approach I took was generally the same.

The assessments are generally conducted following three phases: pre-assessment/planning, on-site risk assessment, and reporting.

Related Content:

Key Considerations & Best Practices for Establishing a Secure Remote Workforce

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: An Uncommon 20 Years of Commonly Enumerating Vulns

Admittedly, this looks rather simple. There are multiple elements in each of these blocks or phases, but generally the approach is the same.


With pre-assessment and planning, you need to think about the desired outcome (i.e., identify the risks to the facility) and identify the necessary actions to mitigate or eliminate the risks and associated vulnerabilities. 

The flow chart above is a detailed view of this phase and includes collecting and digesting documents, identifying the team members and the necessary skill sets, and getting ready for travel. Of course, contacting the "customer" and setting up the necessary on-site logistics are important.

On-site Activities

Now comes the fun part: Getting on-site and looking for threats and vulnerabilities.

Don't forget these threats and vulnerabilities can be cyber or physical. They can also be part of the site management and culture. What about training or lack thereof? They can all contribute to the risk profile of the facility.

The graphic above offers some elements of the on-site activities. You can see that we have inspections, observations, taking photographs, and looking at the site network and architecture. Even a cyber-vulnerability scan may be part of the site assessment.

These activities are intended to be part of the site assessment plan. However, don't let the plan place barriers on your site risk reviews. Feel free to follow leads and evidence of problems, since that is why you are on-site rather than doing a remote risk assessment via Zoom.


Just like the phrase says, the work isn't complete until the paperwork is done! In fact, this is very important in order to help your customer — that is the manager of the facility you just inspected — to understand their threat profile, understand what they need to fix, and understand what needs to be mitigated first (that is, categorized risks).

The reporting phase is more than just regurgitating what you found at the site but really understanding the weaknesses identified and identifying how they can become findings, which may include merging some weaknesses. The findings are then built into the report with recommendations for mitigation.

Of note, the report should delineate what each finding is relative to the risks identified. I usually use the following categories: critical, high, medium, low, and observational risks (basically a concern — like housekeeping — that is not in scope for the risk assessment).

Yes, this flow chart does appear elementary — almost too elementary — but it is intended to be the structure to help the risk assessors attack a large facility and determine the threats, vulnerabilities, and ultimate risks. And while not particularly easy, risk assessments are a necessity for our complex facilities and organizations.

Ernie Hayden, MIPM, CISSP, CEH, GICSP (Gold), PSP, is the author of Reworking the Taxonomy for Richer Risk Assessments, as well as a highly experienced and seasoned technical consultant, author, speaker, strategist and thought-leader. He brings extensive experience in the ...
View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-11-26
ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
PUBLISHED: 2020-11-26
slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
PUBLISHED: 2020-11-26
Cloudera Data Engineering (CDE) before 1.1 was vulnerable to a CSRF attack.
PUBLISHED: 2020-11-26
An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code.
PUBLISHED: 2020-11-26
An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name.