A security risk assessment is a thought process. You need a tool that guides you through assessing:
- Value - what is your most important information? You only need as much security as you have value to protect
- Threats - is there anyone who has the incentive and the ability to cause you a problem?
- Weaknesses - what are the weaknesses in your systems, your people and your processes that could be exploited? How serious are they?
- Risk - based on all this, what is your actual risk? What is the real exposure?
- Controls - how does everything you have spent on security so far help you reduce this risk? If you got rid of a control, would it significantly increase the risk? Is it worth investing in new technology, people and process?
This is why I created Simple Security Risk Assessment (SSRA). It is really easy to use and intuitive. It is a structured mapping tool to help you make decisions about security. It will help you comply with PCI-DSS, HIPAA and other regulations that mandate performing a risk assessment. When you have a list of audit findings or penetration testing results, make sense of your priorities and your actual risks using SSRA. Try it out now and let me know what you think.
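To show how the five questions fit together, here is an added toy model of the mapping (example code written for this page, not SSRA's own method): assets carry value, threats carry incentive and capability, weaknesses carry severity and the threats that can use them, and controls remove a share of a weakness's severity. The 1-5 scales, the multiplicative scoring and the sample inventory are all assumptions made for illustration.

```python
# Added example, not SSRA's own code: a toy scoring model of the five questions above.
# The 1-5 scales and the multiplicative scoring are assumptions made for illustration.
from collections import namedtuple

Asset = namedtuple("Asset", "name value")                         # value: 1 (low) .. 5 (critical)
Threat = namedtuple("Threat", "name incentive capability")        # both 1..5
Weakness = namedtuple("Weakness", "name asset severity threats")  # severity 1..5; threats able to use it
Control = namedtuple("Control", "name weakness effectiveness")    # share of severity removed, 0.0..1.0


def assess(assets, threats, weaknesses, controls):
    """Risk per weakness = asset value x likelihood of its most capable threat x residual severity."""
    value = {a.name: a.value for a in assets}
    likelihood = {t.name: t.incentive * t.capability / 25 for t in threats}  # scaled to 0..1
    risks = {}
    for w in weaknesses:
        residual = w.severity
        for c in controls:
            if c.weakness == w.name:          # each control removes a share of what is left
                residual *= 1 - c.effectiveness
        worst = max(likelihood[t] for t in w.threats)
        risks[w.name] = round(value[w.asset] * worst * residual, 2)
    return risks


def total_risk(assets, threats, weaknesses, controls):
    return round(sum(assess(assets, threats, weaknesses, controls).values()), 2)


def control_value(ctrl, assets, threats, weaknesses, controls):
    """Extra risk you take on if this control is removed: the 'would it matter?' question."""
    remaining = [c for c in controls if c is not ctrl]
    return round(total_risk(assets, threats, weaknesses, remaining)
                 - total_risk(assets, threats, weaknesses, controls), 2)


# Constructed sample inventory for a small card-processing shop
ASSETS = [Asset("cardholder data", 5)]
THREATS = [Threat("organised carder", 5, 4), Threat("opportunist", 2, 2)]
WEAKNESSES = [Weakness("unpatched web app", "cardholder data", 4, ["organised carder", "opportunist"]),
              Weakness("admin portal without MFA", "cardholder data", 3, ["organised carder"])]
CONTROLS = [Control("WAF", "unpatched web app", 0.5), Control("patch cycle", "unpatched web app", 0.5),
            Control("MFA", "admin portal without MFA", 0.9)]

if __name__ == "__main__":
    for name, score in assess(ASSETS, THREATS, WEAKNESSES, CONTROLS).items():
        print(f"{name}: residual risk {score}")
    for c in CONTROLS:
        print(f"dropping {c.name} would add {control_value(c, ASSETS, THREATS, WEAKNESSES, CONTROLS)}")
```

The point of `control_value` is the Controls question: in this inventory dropping MFA adds far more risk than dropping either of the two overlapping web-app controls, which is the kind of comparison that tells you where the next pound is best spent.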