Enterprise Network Risk Assessment

by James G. Barr

Docid: 00021179

Publication Date: 2009

Report Type: TUTORIAL


Computer networks
are the conduits through which modern commerce is conducted. Unfortunately, enterprise networks are vulnerable to attack, and
protecting them has become a major concern. To understand the nature and severity of the
threat, an enterprise may commission a network risk assessment – a
comprehensive analysis of network infrastructure and operations with the
purpose of identifying and mitigating risks to
network integrity and availability.

Executive Summary

Computer networks – both data and voice – are the conduits through
which modern commerce is conducted. They enable the essential
information flows that power finance, production, sales, and virtually
all enterprise business functions. 

As such, computer networks are a vital enterprise asset that must be
protected from unauthorized access and manipulation. With the widespread
adoption of the Internet in the 1990s – an indispensable vehicle for e-commerce
and economical supply chain operations – enterprise networks, which were
formerly private, have gone public. While generally beneficial for
business, this public exposure has produced a new and virulent form of
criminality in which non-enterprise (or non-enterprise-affiliated) actors like
"hackers," members of organized crime, or even nation-states like China
and Russia exploit their Internet connections to deposit computer viruses and
other forms of "malware" on enterprise devices and, ultimately, enterprise

While the motivation for these attacks varies – from electronic
graffiti to corporate espionage to the theft of confidential customer
information to "hacktivism" (in which hackers seek to disrupt enterprise
operations for political purposes) – the simple fact is that enterprise networks
are vulnerable, and protecting enterprise networks has become a major – in some
cases, principal – concern among enterprise security officials and the
executives they serve.

Although a number of network security technologies have emerged over the past
two decades (anti-virus applications, content filtering software, network
firewalls, and intrusion prevention systems, among others), network attacks continue and, in
certain instances, have intensified. To help ensure that enterprise
networks are as safe and secure as they can be, enterprise security departments are conducting more
frequent and more intensive network risk assessments.

Put simply, an enterprise network risk assessment is a comprehensive analysis of network
infrastructure and operations with the purpose of identifying and, ultimately,
mitigating any risks to network integrity and availability.

A Routine Exercise

Similar to an enterprise business continuity assessment, called a business
impact analysis (BIA), an enterprise network risk assessment should be conducted
on a regular basis, or on the occasion of a major business or organizational

In this latter category, for example, consider that the COVID-19 pandemic has
greatly expanded the enterprise network map to include hundreds – even thousands
– of home offices, with most connected to enterprise assets over unsecured
public cable or Wi-Fi networks. As a consequence, an enterprise’s post-COVID-19
network should be repeatedly assessed for its security and reliability.

The Core Steps

According to analyst Michelle Wu, most enterprise network risk assessments
follow the same basic steps:

Step 1 – Conduct an enterprise asset inventory – Document the entire
IT infrastructure.

Step 2 – Assess the vulnerability of all enterprise assets – This step
includes (but is not limited to):

  • "A comprehensive scan of all … [network] ports and other vectors;
  • "An assessment of … internal weaknesses;
  • "A scan of Wi-Fi, Internet of Things, and other wireless networks;
  • "A review of third parties’ access to … networks and assets; and
  • "A review of policies around employee behavior, like bringing in rogue
    devices or opening suspicious e-mails."

Step 3 – Test all enterprise defenses – Commissioning one or more
"penetration tests" is the preferred approach.

Step 4 – Shore up any weak spots – Develop and execute remediation plans as necessary.

Step 5 – Continuously monitor enterprise network security – Be
prepared to combat emerging and evolving cyber threats.1


More than a matter of good enterprise policy, some US security and privacy
statutes, including the Health Insurance
Portability and Accountability Act (HIPAA), compel affected enterprises to perform
regularly scheduled network risk assessments.

An enterprise network risk assessment is defined by three key elements:

  • The Organizational Risk Frame (or Frame), which describes the risk
    assessment methodology.
  • The Process, which describes the risk assessment flow.
  • The Techniques, which describe the risk assessment measures.

The Frame

As observed by the US National Institute of Standards and Technology, organizations
can use a single risk assessment methodology or can employ multiple assessment
methodologies, with the selection of a specific methodology depending on, for

  • The time frame for investment planning or for planning
    policy changes.
  • The complexity/maturity of organizational
    mission/business processes (by enterprise architecture segments).
  • The
    phase of the information systems in the system development life cycle.
  • The criticality/sensitivity of the information and information systems
    supporting the core organizational missions/business functions.

By making
explicit the risk model, the assessment approach, and the analysis approach employed
– collectively, the organizational risk frame – organizations can increase the
reproducibility and repeatability of risk assessments.

Figure 1 illustrates the fundamental components in organizational risk
frames and the relationships among those components.2

Figure 1. Organizational Risk Frame

Source: NIST

The Process

While there is no generally accepted formula for assessing
network risk, Figure 2 illustrates one possible approach.

Figure 2. Enterprise Network Risk Assessment Process Flow

Network Actor – The process begins when the Risk Assessment Team
– assessment is a multi-player process – identifies each
network "actor".3 An actor is an individual or organization
intent on penetrating the enterprise network. In a commercial
environment, the actor may be a:

  • Hacker
  • Disgruntled former employee
  • Business competitor
  • Identity thief; or, most disappointingly
  • A current employee, customer, or supply chain partner

In a government, especially national security, environment, the list
expands to include foreign spies and terrorists.

Network Attack – Once an actor has been identified, the Risk Assessment Team determines
which type of attack the actor is likely to launch. A business
competitor, for example, may launch a distributed denial of service (DDoS)
attack, designed to disrupt enterprise operations and provide the actor’s
company with a competitive advantage.

Likelihood of Attack – Once an attack type has been identified, the Risk Assessment Team
determines the likelihood that such an attack will be launched. Likelihood depends on several factors, principally the ease of launch and
the "likelihood" of being detected. Historical data offers
the best measure of likelihood. Has this type of attack been
launched before, and with what frequency?

Severity of Attack – Once the Risk Assessment Team has determined the likelihood of an attack, they will determine – or rather estimate – its severity. For
example, the impact of a DDoS attack on a "plain", i.e.,
non-commercial, website is probably low. Conversely, the impact on a
retail, i.e., e-commerce, website is probably high, maybe even
extraordinarily high.

Risk of Attack – Once the Risk Assessment Team determines the
likelihood of an attack and its severity, they can then proceed to
estimate the overall risk of attack, as depicted in Figure 3.

Figure 3. Risk Quadrants

Existing Attack Countermeasures – Once the Risk
Assessment Team has determined the risk of attack, the Team will examine
the existing attack countermeasures and determine whether such measures
are sufficient. Again, historical data plays a vital role. Have the
presently deployed countermeasures been effective in preventing – or, at
least, mitigating – network attacks?

Required Attack Countermeasures
– Finally, the Risk Assessment Team will determine which – if any –
additional countermeasures are required to provide adequate
security. They will report their findings and recommendations to the
enterprise chief security officer (CSO) for follow-up action.

Importantly, this Enterprise Network Risk Assessment process is
iterative, meaning the process repeats for each actor and for each attack
associated with each actor. The number of iterations may be
expressed mathematically as follows:

$\text{Iterations} = \text{Attacks}_1 + \text{Attacks}_2 + \text{Attacks}_3 + \dots + \text{Attacks}_n$

where $\text{Attacks}_n$ is the number of attacks associated with Actor $n$.
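The actor-by-actor, attack-by-attack loop described above, together with the quadrant mapping of Figure 3 and the iteration count, written out as a small Python model. This is an added example, not code from the report or from Faulkner. The 1-to-4 rating scales, the threshold that splits each quadrant axis, the product used as an overall score, and the three sample actors with their ratings are all constructed assumptions; a real team substitutes its own scales and historical data.

```python
"""Iterative actor/attack risk assessment with likelihood x severity quadrants."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed ordinal scales, an assumption of this example rather than the
# report's: 1 = low, 2 = moderate, 3 = high, 4 = very high. Ratings above
# LOW_HIGH_THRESHOLD fall on the "high" side of a quadrant axis.
LOW_HIGH_THRESHOLD = 2


@dataclass(frozen=True)
class Attack:
    name: str
    likelihood: int                 # ease of launch, chance of detection, history
    severity: int                   # estimated impact if the attack succeeds
    existing_countermeasures: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Actor:
    name: str
    attacks: Tuple[Attack, ...]


def quadrant(likelihood: int, severity: int) -> str:
    """Place a (likelihood, severity) pair in one of the four risk quadrants."""
    l_side = "high" if likelihood > LOW_HIGH_THRESHOLD else "low"
    s_side = "high" if severity > LOW_HIGH_THRESHOLD else "low"
    return f"{l_side} likelihood / {s_side} severity"


def risk_score(attack: Attack) -> int:
    """Overall risk as the product of the two ratings (1..16 on these scales)."""
    return attack.likelihood * attack.severity


def iteration_count(actors: Tuple[Actor, ...]) -> int:
    """Iterations = Attacks_1 + Attacks_2 + ... + Attacks_n over all n actors."""
    return sum(len(actor.attacks) for actor in actors)


def assess(actors: Tuple[Actor, ...]) -> List[Dict[str, object]]:
    """One pass per (actor, attack) pair, ranked from highest to lowest risk."""
    rows: List[Dict[str, object]] = []
    for actor in actors:
        for attack in actor.attacks:
            q = quadrant(attack.likelihood, attack.severity)
            rows.append({
                "actor": actor.name,
                "attack": attack.name,
                "score": risk_score(attack),
                "quadrant": q,
                # Anything outside the low/low quadrant with no countermeasure on
                # record goes to the "required countermeasures" step for the CSO.
                "needs_countermeasures": (
                    q != "low likelihood / low severity"
                    and not attack.existing_countermeasures
                ),
            })
    rows.sort(key=lambda r: (-r["score"], r["actor"], r["attack"]))
    return rows


def by_quadrant(rows: List[Dict[str, object]]) -> Dict[str, int]:
    """Count of attacks falling in each quadrant, for the summary chart."""
    counts: Dict[str, int] = {}
    for r in rows:
        counts[r["quadrant"]] = counts.get(r["quadrant"], 0) + 1
    return counts


# Constructed sample input: three actors from the report's list, made-up ratings.
SAMPLE_ACTORS: Tuple[Actor, ...] = (
    Actor("business competitor", (
        Attack("DDoS against e-commerce site", 3, 4, ("upstream DDoS scrubbing",)),
    )),
    Actor("hacker", (
        Attack("malware delivered by phishing e-mail", 4, 3),
        Attack("public web site defacement", 3, 2, ("web application firewall",)),
    )),
    Actor("disgruntled former employee", (
        Attack("use of a not-yet-revoked account", 2, 3),
        Attack("removal of data on USB media", 1, 3),
    )),
)

if __name__ == "__main__":
    print("iterations:", iteration_count(SAMPLE_ACTORS))
    for row in assess(SAMPLE_ACTORS):
        print(row)
    print(by_quadrant(assess(SAMPLE_ACTORS)))
```

Multiplying two ordinal ratings is a convenience for ranking, not a measurement; the quadrant label carries the real decision. The `needs_countermeasures` flag is what feeds the "existing" versus "required" countermeasures steps: every item outside the low/low quadrant with nothing on record is a line in the report to the CSO.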

The Techniques

The Risk Assessment Team often relies on a set of "tried-and-true" techniques for
evaluating the effectiveness of existing security policies, practices, and
countermeasures. Two of the more popular and effective techniques are penetration testing and social

Penetration Testing

Penetration testing is security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of a network. It often involves launching real attacks on real networks and data that use tools and techniques commonly used by attackers. Most penetration tests involve looking for combinations of vulnerabilities that can be used to gain more access than could be achieved through a single vulnerability. Penetration testing can also be useful for determining:

  • How well the network tolerates real world-style attack patterns.
  • The likely level of sophistication an attacker needs to successfully
    compromise the network.
  • Additional countermeasures that could mitigate threats against the network.
  • The enterprise’s ability to detect attacks and respond appropriately.

Penetration testing often includes non-technical methods of attack. For example, a penetration tester could breach physical security controls and procedures to connect to a network.4

Social Engineering

Social engineering is an attempt to trick someone into revealing information (e.g., a password) that can be used to attack
a network. It is used to test user awareness of – and attentiveness to – security, and can reveal weaknesses in user behavior
– such as failing to follow standard security operating procedures.

When employed by network assessors, social engineering can be performed through
a variety of means, including:

  • Analog (e.g., conversations conducted in person or over the telephone)
  • Digital (e.g., e-mail, instant messaging)

For example, one form of digital social engineering is known as phishing,
where assessors (playing the role of would-be attackers) attempt to steal information such as user IDs and passwords. Phishing uses authentic-looking e-mails to request information, or direct users to a bogus Web site to collect information. Other examples of digital social engineering include crafting fraudulent e-mails and sending attachments that could mimic worm activity.

Assessors should produce a detailed report that identifies both successful
and unsuccessful tactics used. This level of detail will help an enterprise to tailor its security awareness training programs.5

Current View

Value Is a Major Determinant of Risk

Computer networks are valuable precisely because they convey valuable
information. The level of network risk is generally commensurate with the value
of information stored or in transit. As described by analyst Curtis
Franklin, the Factor Analysis of Information Risk (FAIR) defines value in terms

  • Criticality – "the impact the
    asset (in this case, information) has on the organization’s productivity."
  • Competitive advantage – "Does
    the [information] allow the organization to do something its competitors
    can’t do, or do something in a way that’s superior to the way the
    competition does it?"
  • Sensitivity – "a measure of how
    much the [information’s] loss will cost the organization." Sensitivity may
    be gauged by embarrassment, the loss of competitive advantage, and/or legal and
    regulatory challenges.6

Risk Assessment Is a Technical, Political and Commercial Process

Once regarded as a purely technical exercise, a network risk assessment is now
understood by enterprise planners to have political and commercial aspects as
well, which makes it necessary to coordinate assessment activities with
relevant stakeholders, including enterprise employees, management, business
partners, and even customers (as appropriate). According to NIST, proper coordination helps to
ensure that:

  • Stakeholders are aware of the assessment schedule, activities, and potential
    impacts the assessment may have.
  • The assessment does not take place during upgrades, new technology
    integration, or other times when system security is being altered (e.g.,
    testing occurs during maintenance windows or periods of low utilization).
  • Assessors are provided with required levels of access to the facility and
    systems, as appropriate.
  • Appropriate personnel such as the CIO and CSO are informed of any critical
    high-impact vulnerabilities as soon as they are discovered.

  • Appropriate individuals are informed (e.g., assessors, incident response team, senior management) in the event of an incident. Should this occur, it is recommended that activities cease until the incident is addressed, and the assessors are given approval to resume their activities in accordance with the assessment plan.
    The extent to which assessment activities should be suspended varies based
    on the enterprise and the type of incident, but, in many cases, the only activities suspended are those involving the systems directly involved in the incident.7

One of the fundamental purposes of coordination is to create and cultivate
cooperation to eliminate personnel resistance – especially among security officials who
may fear for their jobs if the assessment uncovers serious vulnerabilities. Except in those instances where such vulnerabilities were known – and
intentionally ignored by the Security Department – no security staffers should face

Also, by keeping the focus on improving security, the Security Department
will be less inclined to implement last-minute – and often temporary – measures
designed to make network security seem robust and reliable when, in fact, the
opposite condition may exist.

ISO Risk Management Standards Are Recommended for Enterprises with Global

The International Organization for Standardization (ISO) offers several
standards germane to enterprise network risk assessment. Principal among these
are ISO 27002 and 27005.8

ISO/IEC 27001:2013: Information technology – Security techniques –
Information security management systems – Requirements

ISO/IEC 27001:2013 (last reviewed and confirmed in 2019) specifies the
requirements for establishing, implementing, maintaining, and continually
improving an information security management system. It also includes
requirements for the assessment and treatment of information security risks
tailored to the needs of the organization. The requirements set out in ISO/IEC
27001:2013 are generic and are intended to be applicable to all organizations,
regardless of type, size, or nature.

ISO/IEC 27005:2018: Information technology – Security techniques –
Information security risk management

ISO/IEC 27005:2018 provides guidelines for information security risk
management. This document supports the general concepts specified in ISO/IEC
27001 and is designed to assist the satisfactory implementation of information
security based on a risk management approach. This document is applicable to all
types of organizations (e.g. commercial enterprises, government agencies,
non-profit organizations) which intend to manage risks that can compromise the
organization’s information security.


"Out-of-Control" Networks

Increasingly, one of the major challenges for enterprise planners is what to
do if the network is not your own. This condition may manifest in two

  1. The enterprise may have ceded network control to a third-party entity –
    a managed security services provider (MSSP).
  2. The enterprise network may connect with other enterprise networks, as,
    for example, to facilitate supply chain operations.

In the case of the MSSP, the enterprise CSO may be reduced to the role of network
risk "advisor." At the very least, the enterprise-MSSP service level
agreement (SLA) should prescribe regular network risk assessments, and the
enterprise CSO should have the opportunity to review – if not necessarily
approve – MSSP risk assessment protocols and procedures.

In a supply chain or other extra-enterprise network environment, the
affected enterprise CSOs should collaborate to develop a single end-to-end
network risk assessment, focusing on how the networks interact during normal
business operations. In fact, it may be prudent to restrict the range of
inter-network communications (even in advance of the assessment) to those data
transfer elements essential to business-to-business (B2B) functioning. A
big part of network security is eliminating extraneous connections.

Cyber Supply Chain

While most network risk assessment activities are focused – quite
properly – on the risks inherent in unauthorized network access,
authorized network access by suppliers and business partners – what
analyst Jon Oltsik calls the "cyber supply chain" – is generally
accorded less scrutiny.

According to Oltsik, "Many CISOs address cyber supply chain risk
with annual IT security ‘audits’ of selected partners. These ‘audits’
usually are based upon some written checklist that some but not all partners
are asked to respond to on an annual basis. Audits are conducted on select partners while some or
even most 3rd parties with network access get a free pass."9 While
the process is imperfect – at the very least, the audits should be conducted
more frequently – enterprise security officials should insist that all cyber
supply chain partners submit, at minimum, to a high-level audit.

Local Conditions

There’s an unfortunate tendency to treat all enterprise networks the same,
and, in most respects, there is a great commonality in network threats from
enterprise to enterprise. Nonetheless, enterprise planners should
be cognizant of local conditions that might generate new or elevate old
risk factors. These include:

  • Recent employee layoffs or work stoppages, which could induce retaliatory
    network attacks.
  • Bad publicity, which could encourage politically-inspired attacks by
  • The sudden appearance of "cutthroat" competition, which could promote
    "industrial espionage," and which is hard to detect when the purpose of the
    intrusion is pure information gathering.

So You Don’t Think You Have a Problem

How do you convince a skeptical CEO or CFO that a program
of regularly-scheduled network risk assessments is valuable? One method is to
conduct a mini-assessment – an inexpensive, non-intrusive, under-the-radar assessment which, in
many cases, will reveal an embarrassing assortment of network risks –
certainly enough to justify a real, i.e., complete and comprehensive, network risk

This approach, which we might term the "Rapid Assessment Model," might
include the following steps:

  1. Ascertain the existence of "normal" security
    policies, like password protection, and determine if these policies are
  2. Determine whether the Security Department
    applies operating system and other security patches in a timely fashion.
  3. Similarly, determine the frequency with which
    anti-virus signatures are downloaded to enterprise PCs.
  4. Determine whether confidential data stored on
    enterprise laptops is encrypted. Remember, those laptops are end
    points in the enterprise network.
  5. Determine whether network equipment is
    physically secure and free from tampering. This includes remote office
  6. Determine whether security staffers are
    trained in the latest security technologies, like network forensics.
  7. Determine whether non-security personnel have received network security
    awareness training.

Another form of "quick risk assessment," favored by Australian-based
Insane Technologies, features a set of questions aimed at exposing
fundamental risk factors. These questions include:

  1. "[Are your network servers] covered by a manufacturers warranty
    (or 3rd party post manufacturers warranty) which includes the replacement of
    parts, with on-site labor provided by the manufacturer, and a response to
    any support request in 4 hours or less?
  2. "Is someone constantly observing the health of your [network servers],
    looking for possible hardware faults like failing hard drive devices?
  3. "If you came into your office today and found it had been broken in to,
    do you have an offsite backup of all the data you absolutely could not
    continue your business without, from yesterday (or at least the day
  4. "[Are your network server], network equipment (network switches,
    modems, routers, firewalls) and backup devices (external hard drives, tape
    devices, etc) connected to a UPS (battery backup) device which can provide
    these systems with at least 10 minutes ‘run time’ in the event of a power
    , and [are your servers] configured to gracefully shut down if
    power does not resume after this time?
  5. "Do you or your IT provider keep up to date site documentation on all
    your computer systems, which is stored at your business so it can be
    accessed by either yourself or a computer technician quickly in the event
    of an emergency?"10

Attack Graph

A special tool called an attack graph (see Figure 4) may help network analysts "model how
multiple vulnerabilities may be combined for an attack." In their
paper entitled, "Security Risk Analysis of Enterprise Networks Using
Probabilistic Attack Graphs," analysts Anoop Singhal and Xinming Ou
offer the following example.

Figure 4. Sample Attack Graph

Source: NIST

"The left side shows a network configuration, and the right side shows the attack graph for compromise of the database server by a malicious workstation user. In the network configuration, the firewall is intended to help protect the internal network. The internal file server offers file transfer (ftp), secure shell (ssh), and remote shell (rsh) services. The internal database server offers ftp and rsh services. The firewall allows ftp, ssh, and rsh traffic from a user workstation to both servers, and blocks all other traffic.

"In the attack graph, attacker exploits are blue ovals, with edges for their preconditions and post conditions. The numbers inside parentheses denote source and destination hosts. Yellow boxes are initial network conditions, and the green triangle is the attacker’s initial capability. Conditions induced by attacker exploits are plain text. The overall attack goal is a red octagon. The figure also shows the direct impact of blocking ssh or rsh traffic (to the fileserver) through the firewall, i.e., preventing certain exploits in the attack graph."11
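To show how an assessor uses a graph like Figure 4 for what-if questions (which exploits does blocking ssh or rsh to the file server prevent, and which change would actually cut the attacker off from the database server?), here is an added Python model of the configuration described in the quotation. It is not code from the Singhal and Ou report or from NIST. The exploit set is a deliberately coarse assumption: every permitted service on a host the attacker can already run code from is treated as one step to running code on the destination, and server-to-server traffic (the `lan:` conditions) is assumed not to pass through the firewall. A real assessment replaces these placeholders with per-service vulnerability data; the forward-chaining and cut-set search stay the same.

```python
"""Attack-graph what-if analysis: which conditions, if removed, cut off the goal."""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Exploit:
    """A blue oval in the graph: fires when all preconditions hold, then
    adds its postconditions. Host pairs are written (source, destination)."""
    name: str
    pre: FrozenSet[str]
    post: FrozenSet[str]


def service_exploit(svc: str, src: str, dst: str, path: str) -> Exploit:
    """Constructed simplification: a permitted service on a host the attacker
    already executes code from is treated as a step to executing code on the
    destination. Real assessments substitute per-service vulnerability data."""
    return Exploit(
        name=f"{svc}({src},{dst})",
        pre=frozenset({f"exec@{src}", path, f"svc:{dst}:{svc}"}),
        post=frozenset({f"exec@{dst}"}),
    )


# Initial conditions (yellow boxes) from the configuration in the text:
# ws = user workstation, fs = file server, db = database server.
INITIAL: FrozenSet[str] = frozenset({
    "exec@ws",                                   # green triangle: workstation user
    "fw:ws->fs:ftp", "fw:ws->fs:ssh", "fw:ws->fs:rsh",
    "fw:ws->db:ftp", "fw:ws->db:rsh",            # firewall permits; all else blocked
    "svc:fs:ftp", "svc:fs:ssh", "svc:fs:rsh",    # services the file server offers
    "svc:db:ftp", "svc:db:rsh",                  # services the database server offers
    "lan:fs->db:ftp", "lan:fs->db:rsh",          # assumed: server-to-server traffic is not firewalled
})
GOAL = "exec@db"   # red octagon

EXPLOITS: Tuple[Exploit, ...] = (
    service_exploit("ftp", "ws", "fs", "fw:ws->fs:ftp"),
    service_exploit("ssh", "ws", "fs", "fw:ws->fs:ssh"),
    service_exploit("rsh", "ws", "fs", "fw:ws->fs:rsh"),
    service_exploit("ftp", "ws", "db", "fw:ws->db:ftp"),
    service_exploit("rsh", "ws", "db", "fw:ws->db:rsh"),
    service_exploit("ftp", "fs", "db", "lan:fs->db:ftp"),
    service_exploit("rsh", "fs", "db", "lan:fs->db:rsh"),
)


def run_graph(initial: Iterable[str], exploits: Tuple[Exploit, ...]):
    """Forward-chain to a fixpoint; returns (conditions reached, exploits fired)."""
    conds: Set[str] = set(initial)
    fired: List[str] = []
    changed = True
    while changed:
        changed = False
        for e in exploits:
            if e.name not in fired and e.pre <= conds:
                fired.append(e.name)
                conds |= e.post
                changed = True
    return conds, fired


def goal_reachable(initial: FrozenSet[str], exploits: Tuple[Exploit, ...], goal: str = GOAL) -> bool:
    return goal in run_graph(initial, exploits)[0]


def prevented_by_blocking(initial: FrozenSet[str], exploits: Tuple[Exploit, ...], blocked: Iterable[str]) -> Set[str]:
    """Exploits that fire today but no longer fire once the given conditions are removed."""
    before = set(run_graph(initial, exploits)[1])
    after = set(run_graph(initial - frozenset(blocked), exploits)[1])
    return before - after


def minimal_cut_sets(initial: FrozenSet[str], exploits: Tuple[Exploit, ...],
                     candidates: Iterable[str], goal: str = GOAL, max_size: int = 2) -> List[FrozenSet[str]]:
    """Smallest sets of candidate conditions whose removal makes the goal unreachable."""
    cuts: List[FrozenSet[str]] = []
    for size in range(1, max_size + 1):
        for combo in combinations(sorted(candidates), size):
            combo_set = frozenset(combo)
            if any(c <= combo_set for c in cuts):
                continue  # a smaller cut already covers this combination
            if not goal_reachable(initial - combo_set, exploits, goal):
                cuts.append(combo_set)
    return cuts


if __name__ == "__main__":
    print("goal reachable:", goal_reachable(INITIAL, EXPLOITS))
    print("blocking ssh to the file server prevents:",
          prevented_by_blocking(INITIAL, EXPLOITS, {"fw:ws->fs:ssh"}))
    tunable = {c for c in INITIAL if c.startswith(("fw:", "svc:"))}
    print("minimal cut sets:", minimal_cut_sets(INITIAL, EXPLOITS, tunable))
```

Run as written, the model reproduces the observation in the quotation: blocking ssh (or rsh) to the file server removes one exploit from the graph but leaves the goal reachable. Searching the firewall rules and service settings together finds no single change that cuts the attacker off, and exactly one two-condition cut: disabling both ftp and rsh on the database server. Ranking countermeasures this way, by what they actually remove from the graph rather than by how many individual exploits they touch, is the output the Risk Assessment Team hands to the CSO.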

The Internet of Things

The network universe is constantly expanding, with the "Internet of Things" (IoT)
acting as a principal driver.

A term coined by technologist Kevin Ashton in 1999,12 the
"Internet of Things" refers to efforts designed to extend the dominion of the
Internet from cyber space to the physical world, creating a network of
intelligent devices that form the mechanical equivalent of the body’s central
nervous system. The purpose is twofold:

  1. To gather information about physical processes in order to improve them;
  2. To exercise real-time control over physical processes in order to affect
    effect greater efficiency and effectiveness.

As an example, the US and other nations are presently engaged in building
so-called "Smart Grids," electric grids that incorporate microprocessors to
record and report information relative to electric utilization – information
that will enable electric providers (and consumers) to regulate and conserve
costly energy resources.

While the potential impact of the Internet of Things is often diminished by
discussion of questionable applications – like smart refrigerators that
inventory their contents and automatically place orders for depleted food stuffs
– the IoT promises to enhance:

  • Manufacturing, through the introduction of smart production equipment
  • Transportation, through intelligent vehicles and traffic control
  • Urban Infrastructure, through community-wide deployment of smart sensors
  • Healthcare, through "body area networks" and assistive systems
  • Emergency Response, through IP-enabled surveillance systems

Critically for network security chiefs, any assessment of network risk must
fully encompass IoT devices.


Confirm Adherence to the 20 Critical Security Controls

Part of performing an enterprise network risk assessment is verifying
enterprise compliance with the so-called "20 Critical Security Controls" (as
identified by security experts from business, government, and academia). These
controls are:

  1. Inventory of authorized and unauthorized devices
  2. Inventory of authorized and unauthorized software
  3. Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers
  4. Continuous vulnerability assessment and remediation
  5. Malware defenses
  6. Application software security
  7. Wireless access control
  8. Data recovery capability
  9. Security skills assessment and appropriate training to fill gaps
  10. Secure configurations for network devices such as firewalls, routers, and switches
  11. Limitation and control of network ports, protocols, and services
  12. Controlled use of administration privileges
  13. Boundary defense
  14. Maintenance, monitoring, and analysis of audit logs
  15. Controlled access based on the need to know
  16. Account monitoring and control
  17. Data protection
  18. Incident response and management
  19. Secure network engineering
  20. Penetration tests and Red Team exercises13

These controls must be in place to ensure a secure network environment, and a
comprehensive risk assessment should validate the proper functioning of each

Do It NOW!

EY (Ernst & Young) reports that 76 percent of organizations only
increased their security budget after a major cyber attack.14
Obviously, that’s too late.

In pursuing additional funds – and personnel resources – the CSO should
respect enterprise best
financial practices and create a network risk assessment budget, detailing how risk
assessment dollars will be spent, and enabling a rough return on investment (ROI)
calculation, comparing funds allocated to funds saved (through incident
avoidance or mitigation).

Observe NIST Cybersecurity Guidance

Given the critical importance of achieving cybersecurity, NIST has established
six principal risk assessments objectives. An enterprise network
risk assessment should ensure these core cybersecurity objectives are

  • Asset vulnerabilities are identified and documented.

  • Cyber threat intelligence and vulnerability information is
    received from information sharing forums and sources.

  • Threats, both internal and external, are identified and

  • Potential business impacts and likelihoods are identified.

  • Threats, vulnerabilities, likelihoods, and impacts are used
    to determine risk.

  • Risk responses are identified and prioritized.15

Take the Risk Out of Network Risk Assessments

If conducted improperly, a network risk assessment (NRA) can actually
increase enterprise risk. The risk, however, can be largely eliminated by
taking a few precautions:

  • Back up all enterprise data before commencing the NRA – This is sound advice
    before introducing any change into the enterprise information technology
  • Once the NRA is
    complete, conduct a post-NRA data and system integrity assessment
    – The purpose of this analysis is to verify that the NRA did not produce any
    unknown or unwelcomed changes to the IT environment. This is a classic
    change management protocol, usually implemented by the enterprise Quality
    Assurance (QA) Department. A critical component of the post-NRA
    assessment is ensuring that all data created in the course of conducting the
    NRA is "cleaned up." There should be no data "residue" that might
    reveal the results of the NRA, nor the techniques employed by the Risk
    Assessment Team, nor, obviously, any sensitive, confidential, or proprietary
    enterprise information.
  • Engage an experienced security consulting firm to conduct the NRA – Performing a network risk assessment
    requires specialized knowledge, including up-to-date training in new and
    emerging network technologies, and new and emerging network "threat vectors"
    (how networks, particularly "hardened" networks, are being attacked). Enterprise security analysts may not – indeed, probably will not – be fully
    conversant in the latest assessment techniques. They may also be less
    likely to report revealed exposures – preferring to quietly fix these
    vulnerabilities rather than alert the enterprise to their presence. In
    any event, an enterprise employee should not be asked to critique network
    security when he or she is intimately involved in providing such security. It’s a terrible conflict of interest – one that can be avoided by hiring a
    trusted third-party assessor. Finally, with respect to any
    extra-enterprise assessors, insist on a non-disclosure agreement (NDA).

Lobby Legislators for CDC-Level Research

Rather than enterprise networks becoming more secure, the frequency
and severity of network breaches is escalating, with the effect that
public-sector resources should be sought to address security issues that
affect both private-sector companies and government agencies.
Specifically, enterprise officials should petition the US Congress to
establish an institution similar to the Centers for Disease Control and
Prevention (CDC) that would be dedicated to enterprise network security
research, including, importantly, how to conduct a comprehensive
enterprise network security assessment.

Potential areas of investigation might include:

  • How to rationalize data generated by multiple security mechanisms, such
    as anti-virus software, firewalls, and intrusion prevention systems.16
  • How to enlist cyber supply chain partners in real-time risk assessment
  • How to maintain risk assessment momentum once an initial enterprise
    network risk assessment has been performed. After all, risk
    management, like business continuity, is an on-going responsibility.
  • How to affect network security in a world increasingly dominated by
    cloud services and cloud networks.
  • How to manage emerging threats, like IoT


1 Michelle Wu. "Network Security Assessments: What They Are And
Why You Need Them." SecurityScorecard. December 20, 2019.

2 Joint Task Force Transformation Initiative. "SP800-30 Revision 1: Guide for
Conducting Risk Assessments." US National Institute of Standards and
Technology. September 2012:7.

3 Bud Whiteman.
"Network Risk Assessment Tool (NRAT)." IAnewsletter, Volume 11,
Number 1, Spring 2008:4-8.

4-5 Karen Scarfone, Murugiah Souppaya, Amanda Cody, and
Angela Orebaugh. "SP800-115: Technical Guide to Information Security
Testing and
Assessment." US National Institute of Standards and Technology. September
2008. pp. 5-1 – 5-7.

6 Curtis Franklin Jr. "7 Steps to Start Your Risk
Assessment." Dark Reading (UBM Tech). October 4, 2018.

7 Karen Scarfone, Murugiah Souppaya, Amanda Cody, and
Angela Orebaugh. "SP800-115: Technical Guide to Information Security testing and
Assessment." US National Institute of Standards and Technology. September
2008. pp. 7-1 – 7-2.

8 Ethan Bresnahan. "3 Templates for a Comprehensive Cybersecurity Risk
Assessment." Security Boulevard | MediaOps Inc. July 20, 2020.

9 Jon Oltsik. "New Services
Can Help Enterprises Assess and Mitigate Risk in the Cyber Supply Chain."
Network World. April 24, 2014.

10 "Give Your Computer Network a Quick Risk Assessment with These
10 Questions!" Insane Technologies. November 10, 2011.

11 Anoop Singhal and Xinming Ou. "NIST Interagency Report 7788:
Security Risk Analysis of Enterprise Networks Using Probabilistic Attack
Graphs." US National Institute of Standards and Technology. August 2011:7.

12 "2013: The Year of the Internet of Things." MIT Technology. January 4, 2013.

13 Richard P. Lippmann and James F. Riordan. "Threat-Based Risk
Assessment for Enterprise Networks." Lincoln Laboratory Journal, Volume 22,
Number 1. 2016:34-35.

14 Michelle Wu. "Network Security Assessments: What They Are And
Why You Need Them." SecurityScorecard. December 20, 2019.

15 “Framework for Improving Critical Infrastructure
Cybersecurity.” Draft Version 1.1. National Institute of Standards and
Technology. January 10, 2017:29-30.

16 Xin Hu, Ting Wang, Marc Ph. Stoecklin, Douglas L. Schales, Jiyong Jang,
and Reiner Sailer. "Asset Risk Scoring in Enterprise Network with Mutually Reinforced Reputation Propagation."
Xin Hu. 2014.

CERT Coordination Center: http://www.cert.org/
International Organization for Standardization: http://www.iso.org/
SANS Institute: http://www.sans.org/
US National Institute of Standards and Technology: http://www.nist.gov/

About the Author

James G. Barr is a leading business continuity
analyst and business writer with more than 30 years’ IT experience. A member of "Who’s Who in Finance and Industry," Mr. Barr
has designed, developed, and deployed business continuity plans for a
number of Fortune 500 firms. He is the author of several books,
including How to Succeed in Business BY Really Trying, a member
of Faulkner’s Advisory Panel, and a senior editor for Faulkner’s
Security Management Practices. Mr. Barr can be reached via
e-mail at jgbarr@faulkner.com.
