Risk Assessment Tools

by ryan on February 21, 2017

What should I know about risk assessment tools?


When you perform a risk assessment and analysis (using risk assessment tools) at any level, you must be very careful, as it is a confusing and complex task. Getting an accurate risk profile is also difficult, given all the threats and vulnerabilities that need to be evaluated.

Not many organizations venture into the realm of risk assessment, because it is an art, not very different from writing an application on your own so that it can perform a certain function. A single small mistake can have great and costly consequences.

Have you heard of the concept of garbage in, garbage out?

Probably yes. In this area, all data entered and used in the risk assessment needs to be top quality, because you can't input second-hand data and get quality results. We will look at some tools that give us insight into what an automated risk analysis looks like.

Before understanding the risk assessment tools, we must first understand what risk analysis is.

In very simple terms, a risk analysis is a process that helps us identify the potential hazards or harms that can occur in a particular process and determine the impact they could have.

The primary types of risk analysis processes are quantitative and qualitative:


These days, risk management needs a direct connection to the value of the things that need protection. Everyone wants to know the efficiency and the return on investment, and to find that out, the cost-to-benefit ratio must be delivered.

This is where the quantitative approach comes in (this is an advanced risk analysis technique): it is used to express impact and risk prediction in purely statistical terms.

Three steps are needed in this operation:

  • The monetary value of the assets must be established
  • The probability of a threat occurring must be estimated
  • The resulting return on investment for implementing safe practices that reduce the bad impacts a threat can cause must be determined
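The three steps above, worked through as an added example (not from the original article or from any vendor's tool). It assumes the standard ALE formulation, where single loss expectancy is asset value times an exposure factor and is multiplied by an annual rate of occurrence; those terms, the field names and all figures in the sample register are assumptions introduced here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # step 1: monetary value of the asset
    exposure_factor: float   # fraction of that value lost per incident (0..1)
    aro: float               # step 2: expected incidents per year
    aro_with_control: float  # estimated incidents per year once the safeguard is in place
    control_cost: float      # annual cost of the safeguard

    def __post_init__(self):
        # Garbage in, garbage out: reject inputs that cannot describe a real risk.
        if self.asset_value <= 0 or self.control_cost <= 0:
            raise ValueError(f"{self.name}: monetary values must be positive")
        if not 0 <= self.exposure_factor <= 1:
            raise ValueError(f"{self.name}: exposure factor must be within 0..1")
        if not 0 <= self.aro_with_control <= self.aro:
            raise ValueError(f"{self.name}: safeguard cannot raise the occurrence rate")

def ale(risk, with_control=False):
    """Annualized loss expectancy = single loss expectancy * annual rate."""
    sle = risk.asset_value * risk.exposure_factor
    return sle * (risk.aro_with_control if with_control else risk.aro)

def roi(risk):
    """Step 3: (loss avoided per year - safeguard cost) / safeguard cost."""
    avoided = ale(risk) - ale(risk, with_control=True)
    return (avoided - risk.control_cost) / risk.control_cost

def report(risks):
    """Rank risks by ALE, highest first, as (name, ALE, safeguard ROI)."""
    ranked = sorted(risks, key=ale, reverse=True)
    return [(r.name, ale(r), roi(r)) for r in ranked]

# Constructed sample register; every figure is invented for illustration.
REGISTER = [
    Risk("datacenter fire", 2_000_000, 0.5, 0.02, 0.01, 20_000),
    Risk("laptop theft", 50_000, 0.5, 2.0, 0.5, 10_000),
    Risk("ransomware", 400_000, 0.25, 0.25, 0.125, 5_000),
]

if __name__ == "__main__":
    for name, loss, ret in report(REGISTER):
        print(f"{name:16} ALE={loss:>10,.0f}  ROI={ret:+.2f}")
```

In this constructed register the fire safeguard comes out with a negative return: it costs more per year than the loss it is expected to avoid, which is exactly the cost-to-benefit answer the quantitative approach is meant to deliver.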


The qualitative approach is a simpler risk analysis process: one must determine which risks are worth protecting against. You can do this very easily by answering 3 simple questions:

  1. What bad thing could happen?
  2. How probable is it?
  3. What exact impact would it have?

Using these two methods (risk assessment tools), the quantitative and qualitative data is all that is needed to produce a good risk assessment.

An overview of the 7 tools that have the greatest share and quality on the market:


Even though the companies that provide these tools are quite small (most of them don't have more than 20 employees), they are ruled with an iron fist by an acknowledged expert in this field who knows his stuff; he's been there, done that.

As a direct result of HIPAA (the Health Insurance Portability and Accountability Act), and let's not forget the events of September 11, 2001, they are rising in acceptance in the US too (in Europe, they are widely accepted).

Let's examine the functions of a risk analysis

In case you didn't know, all of these tools perform the same functions: they require you to answer a questionnaire and provide tons of information about the organization, geography, asset value, etc. Some of the questionnaires contain more than 450 separate questions that help in producing the risk profile.

Another function that the risk assessment tools provide is determining risk probability and ordering the risks by importance. From financial metrics to loss estimates, all of this shows the extended area that can be covered by using risk assessment tools. These risk analysis tools must do their job of analyzing the potential for any loss that a dangerous situation can cause the organization (they also adhere to accepted risk standards such as ISO, DOD, BS7799 and HIPAA).

To have such reach, these risk analysis tools have an enormous database of vulnerabilities, each properly aligned with its probability of occurrence.





There are many risk assessment tools out there that can provide you with gorgeous statistical and graphical data, and others that provide only a limited amount of information. You must take this aspect into consideration too when deciding what to use.

Finally, these tools have an easy learning curve: you can learn everything about them within two or three days of starting to use them, provided that you are helped by the vendor that sells them.

Conclusion on risk assessment tools

If your organization has a commitment to an infosec program, you should think about acquiring one of these programs, as they can make your approach to identifying and managing risk easier (the cost justification also comes only from the time that risk analysis tools can save by making the ALE (annualized loss expectancy) calculation easy).

