RED INTO GREEN Risk Assessment Methodology

The RED INTO GREEN application has a built-in proprietary methodology that assesses risk realistically using an approach to risk management based on the organization’s assets (Asset Based Approach).

A solid risk assessment methodology – what is it?

A solid risk assessment methodology gives an organization the ability to identify potential threats and to assess their impact and probability of occurrence. Based on this information, the organization should adjust its activities, procedures and resources to manage risk effectively. In other words, this is the principle of the Risk Based Approach.

For risk management to be effective, it is important to choose the right approach: one based on assets. This approach is currently required by DORA, NIS2 and GDPR. Why?

Assets – the basis for risk assessment

Firstly, threats materialize on assets.

Secondly, assets can be assigned a value. Without calculating the probability of threats materializing on assets, and without relating those assets to their use in processes and then in products/services, it is impossible to determine exactly what the consequences and costs of a threat materializing in your organization will be.

Thirdly, asset-based risk assessment makes it possible to take into account, in one system, the significance of assets for various risk areas: business continuity, information security and personal data protection. This enables much more efficient and effective risk management.

One risk assessment methodology for NIS2, DORA and GDPR

Many organizations began implementing risk management when GDPR entered into force. Today, in addition to GDPR, it is also necessary to adapt to the broader requirements of NIS2. The same applies to DORA, which is a “lex specialis” in relation to NIS2. Already at the GDPR stage, the EU began to enforce the implementation of an effective risk assessment, which should cover both the probability of threats (P) and the severity of their consequences (impact, denoted I). So risk is R=I*P.

Currently, within DORA, the EU requires, among other things, a methodology that focuses on the value and criticality of the information and supporting assets held (e.g. Art. 5 RTS JC 2023 86) and on the impact of their loss of security attributes (confidentiality, integrity, availability, authenticity) on the organization’s business functions. For this reason, using the RED INTO GREEN methodology with its asset-based approach fulfils the EU requirements in this area.

Supporting assets in risk assessment

Supporting assets are all data and information media and the elements that affect them. This could be a computer, a telephone, documentation, monitoring systems, specialised software or even a backup power source.

In the RED INTO GREEN methodology, we focus risk analysis on supporting assets because they play a supporting role in relation to the main assets (information and business processes) and act as an intermediary between the main assets and the threats that may affect them (e.g. a server infection may result in unauthorized access to data).

How does the RED INTO GREEN methodology work?

Risk assessment structure

The basic risk assessment formula is R=I*P, where risk is understood as the product of the estimated impact level (I) and the estimated probability of threat materialization (P).

Threat materialization means that a given threat has occurred in the context of a supporting asset (e.g. a server) and has caused harmful consequences for the main assets it supports. This may include a breach of data confidentiality, data loss, blocked access to resources, or other forms of damage.

Probability estimation

This involves considering different scenarios, in which the context of interdependencies with security features and vulnerabilities is important.

To assess probability, we must first identify which threats may affect particular supporting assets of the organization. The unit of probability assessment is a single combination of threat + supporting asset.

Initial probability

In the RED INTO GREEN risk assessment methodology, we estimate probability from the initial probability (IP) of a given threat occurring in relation to the supporting asset (also known as the default or inherent probability) and, secondarily, from the context of interdependence with security features and vulnerabilities. We denote the context of interdependence M, because it modifies the probability. The probability estimate is therefore simplified to the formula P=IP+M.

Risk analysis in different risk management domains

The RED INTO GREEN methodology based on supporting assets enables risk analysis for the entire organization and in individual domains:

  • Personal Data Protection (PDP)
  • Information Security (IS)
  • Business Continuity (CB)

In addition to supporting assets in each domain, PDP analyzes processing activities and information assets, IS analyzes information assets, and CB analyzes processes, products and services.
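The formulas in the "Risk assessment structure" and "Probability estimation" sections (R=I*P and P=IP+M, assessed per threat + supporting asset combination) and the domain split just described can be shown end to end in a small model. The following Python is an added illustration written for this page; it is not code from the RED INTO GREEN application, whose internal scales and aggregation rules are not stated here. Everything beyond the two formulas is an assumption and is marked as such in the code: the 1..5 ordinal scales, clamping P to that scale after adding M, representing M as the sum of per-asset deltas (security features negative, vulnerabilities positive), propagating a supporting asset's P to every main asset it carries, and taking the maximum risk per domain for the PDP/IS/CB view. The inventory is constructed sample data.

```python
from dataclasses import dataclass, field

# Assumed ordinal scale for P (and I): the page gives the formulas, not the bounds.
PROB_MIN, PROB_MAX = 1, 5


@dataclass(frozen=True)
class Threat:
    name: str
    initial_probability: int  # IP: inherent probability before any context is applied


@dataclass(frozen=True)
class Modifier:
    """One element of the context M: a security feature (negative delta) or a vulnerability (positive delta)."""
    description: str
    delta: int


@dataclass
class SupportingAsset:
    name: str
    supports: list[str]   # main assets (information, processes) this asset carries
    threats: list[str]    # threats applicable to this kind of asset
    modifiers: dict[str, list[Modifier]] = field(default_factory=dict)  # keyed by threat name


@dataclass(frozen=True)
class MainAsset:
    name: str
    impact: int               # I: consequence of losing a security attribute of this asset
    domains: tuple[str, ...]  # PDP / IS / CB, the domain names used on the page


@dataclass(frozen=True)
class RiskEntry:
    threat: str
    supporting_asset: str
    main_asset: str
    probability: int
    impact: int

    @property
    def risk(self) -> int:
        return self.impact * self.probability  # R = I*P


def estimate_probability(threat: Threat, asset: SupportingAsset) -> int:
    """P = IP + M for one threat + supporting asset pair. Clamping to the scale is an
    assumption: an unbounded sum has no meaning on an ordinal scale."""
    m = sum(mod.delta for mod in asset.modifiers.get(threat.name, []))
    return max(PROB_MIN, min(PROB_MAX, threat.initial_probability + m))


def assess(threats, supporting_assets, main_assets) -> list[RiskEntry]:
    """Materialise each applicable threat on each supporting asset and propagate the
    consequence to every main asset the supporting asset carries (assumed propagation)."""
    threat_by_name = {t.name: t for t in threats}
    main_by_name = {m.name: m for m in main_assets}
    entries = []
    for asset in supporting_assets:
        for threat_name in asset.threats:
            p = estimate_probability(threat_by_name[threat_name], asset)
            for main_name in asset.supports:
                entries.append(RiskEntry(threat_name, asset.name, main_name, p,
                                         main_by_name[main_name].impact))
    return sorted(entries, key=lambda e: e.risk, reverse=True)


def domain_view(entries, main_assets) -> dict[str, int]:
    """Highest risk per domain (assumed aggregation), so one register serves PDP, IS and CB."""
    main_by_name = {m.name: m for m in main_assets}
    view: dict[str, int] = {}
    for e in entries:
        for d in main_by_name[e.main_asset].domains:
            view[d] = max(view.get(d, 0), e.risk)
    return view


def build_sample():
    """Constructed sample inventory, not real data."""
    threats = [Threat("ransomware", 4), Threat("power outage", 3), Threat("device theft", 2)]
    main_assets = [
        MainAsset("customer database", impact=5, domains=("PDP", "IS", "CB")),
        MainAsset("marketing brochures", impact=2, domains=("IS",)),
        MainAsset("employee records", impact=4, domains=("PDP", "IS")),
    ]
    supporting_assets = [
        SupportingAsset("file-server-01",
                        supports=["customer database", "marketing brochures"],
                        threats=["ransomware", "power outage"],
                        modifiers={"ransomware": [Modifier("offline backups, restore tested", -2),
                                                  Modifier("SMB service unpatched", +1)],
                                   "power outage": [Modifier("UPS covering 30 minutes", -2)]}),
        SupportingAsset("hr-laptop-07", supports=["employee records"], threats=["device theft"],
                        modifiers={"device theft": [Modifier("used on frequent travel", +2)]}),
    ]
    return threats, supporting_assets, main_assets


if __name__ == "__main__":
    threats, supporting, mains = build_sample()
    register = assess(threats, supporting, mains)
    for e in register:
        print(f"R={e.risk:2d} P={e.probability} I={e.impact}  {e.threat} on {e.supporting_asset} -> {e.main_asset}")
    print("domain view:", domain_view(register, mains))
```

Running it prints the register ranked by R: the laptop theft scenario comes out on top (P rises from IP=2 to 4 because of the travel vulnerability, and I=4 for the employee records it carries), while ransomware on the file server is held at P=3 by the tested offline backups despite the unpatched service. The same entries feed all three domains, which is the point of assessing once per threat + supporting asset and propagating to main assets rather than running three separate assessments.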

Do you want to know how the RED INTO GREEN system can help you?

Schedule a meeting with an advisor.

How to use the RED INTO GREEN methodology in our application?

Describe the organization

Gather information about your organization in one place. The system of dictionaries, registers and relations between elements makes it easier to take inventory. You can choose which information you need first.

Estimate risk

Automatically estimate how security features affect the risk level in the contexts you select: data, stakeholders, or products and services. The system combines the information for each supporting asset on its own, taking into account the full scope of its security features and all of its vulnerabilities.

Manage risk

View the estimation results in the analytical module, from general to detailed. You can use predefined views, expand them or create your own. The application will help optimize the risk level. Create automated action plans. The system will not only allow you to organize them but also to simulate the action