Dark Reading is part of the Informa Tech Division of Informa PLC

Ernie Hayden

Reworking the Taxonomy for Richer Risk Assessments

By accommodating unique requirements and conditions at different sites, security pros can dig deeper and get a clearer sense of organizational risk.

For many years, I have been performing risk assessments of multiple large facilities. These risk assessments have ranged from major power plants to large substations to oil/gas pipelines to oil sands facilities to multistory office buildings. One thing I began to realize over the years is that each risk assessment had its own nuances; however, the approach I took was generally the same.

The assessments are generally conducted in three phases: pre-assessment/planning, on-site risk assessment, and reporting.

Admittedly, this looks rather simple. There are multiple elements in each of these blocks or phases, but generally the approach is the same.


With pre-assessment and planning, you need to think about the desired outcome (i.e., identify the risks to the facility) and identify the necessary actions to mitigate or eliminate the risks and associated vulnerabilities. 

The flow chart above is a detailed view of this phase and includes collecting and digesting documents, identifying the team members and the necessary skill sets, and getting ready for travel. Of course, contacting the "customer" and setting up the necessary on-site logistics are important.

On-site Activities

Now comes the fun part: Getting on-site and looking for threats and vulnerabilities.

Don't forget these threats and vulnerabilities can be cyber or physical. They can also be part of the site management and culture. What about training or lack thereof? They can all contribute to the risk profile of the facility.

The graphic above offers some elements of the on-site activities. You can see that we have inspections, observations, taking photographs, and looking at the site network and architecture. Even a cyber-vulnerability scan may be part of the site assessment.

These activities are intended to be part of the site assessment plan. However, don't let the plan place barriers on your site risk reviews. Feel free to follow leads and evidence of problems, since that is why you are on-site rather than doing a remote risk assessment via Zoom.


Just like the phrase says, the work isn't complete until the paperwork is done! In fact, this is very important in order to help your customer (that is, the manager of the facility you just inspected) understand their threat profile, what they need to fix, and what needs to be mitigated first (that is, categorized risks).

The reporting phase is more than just regurgitating what you found at the site; it means really understanding the weaknesses identified and determining how they can become findings, which may include merging some weaknesses. The findings are then built into the report with recommendations for mitigation.

Of note, the report should delineate what each finding is relative to the risks identified. I usually use the following categories: critical, high, medium, low, and observational risks (basically a concern — like housekeeping — that is not in scope for the risk assessment).

Yes, this flow chart does appear elementary — almost too elementary — but it is intended to be the structure to help the risk assessors attack a large facility and determine the threats, vulnerabilities, and ultimate risks. And while not particularly easy, risk assessments are a necessity for our complex facilities and organizations.

Ernie Hayden, MIPM, CISSP, CEH, GICSP (Gold), PSP, is the author of Reworking the Taxonomy for Richer Risk Assessments, as well as a highly experienced and seasoned technical consultant, author, speaker, strategist and thought-leader. He brings extensive experience in the ...