There are many sources available, both in print and online, that provide a detailed description of what a Risk Assessment is and how to conduct one. While it is beyond the scope of this book to cover Risk Assessment, understanding the difference between a Security Assessment and a Risk Assessment is important for information security. Therefore, a brief comparison of the two is presented here.
Though their objective is the same (i.e., protecting information), Security Assessments differ from Risk Assessments in what is evaluated and how.
A Security Assessment or Analysis evaluates requirements relative to a security control or control family[1] used to protect the Confidentiality, Integrity and Availability (CIA) of information. Once a solution for a security control is implemented, the requirement is said to be satisfied.
For example, a control requirement may be:
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
Role-based access control would be one type of control that satisfies this requirement.
Security Assessments are often used to evaluate the overall security posture of an organization’s information security program. Areas of concern can then be evaluated further for relative risk, with appropriate steps taken to correct or mitigate identified problems. As with Risk Assessments, Security Assessments can be quantified in order to determine the strength of the applied security as well as to identify weaknesses.
A Risk Assessment or Analysis 1) identifies threats to a system; 2) determines the vulnerabilities (or weaknesses) the system possesses relative to those threats; and 3) evaluates the likelihood of each threat occurring and its impact on the system. Risk Assessments are often, though not always, quantified in order to provide the degree or level[2] of risk. The basic formula for calculating risk is:
Likelihood[3] x Impact = Risk (L x I = R)
Example Scenario: a small Datacenter [system] has no Uninterruptible Power Supply (UPS) [vulnerability or weakness] and is located in an area with a history of severe-weather-induced power outages [threat].
Given this information, the likelihood of the threat (severe weather) occurring is evaluated as Low, Medium or High. The impact of the threat on the known vulnerability/weakness is then evaluated (Low, Medium or High). Using the L x I = R formula and substituting the numeric values 1, 2 and 3 for the Low, Medium and High labels, the risk assessment might look like:
- Threat = Severe-weather power outage
- Vulnerability/Weakness = No UPS
- Likelihood (given the history, it is likely that severe weather will occur) = 3
- Impact (a power outage would disrupt Datacenter operations) = 3
- Likelihood x Impact (3 x 3) = 9 (out of a possible 9)
Therefore, based on the risk assessment, the lack of a UPS is a risk requiring mitigation.
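The scenario above scores a single risk by hand. In practice an assessor keeps a register of many threat/vulnerability pairs and needs the scores to be comparable and ranked. The following is an added example (not from the book) of a small risk register that applies the L x I = R formula, validates that Likelihood and Impact fall on the chosen ordinal scale, and ranks the entries. The datacenter/UPS entry is the book's; the other two register entries, the 1-5 scale labels and the rating cut-offs (equal bands of the maximum score) are assumptions made for this example.

```python
from dataclasses import dataclass

# Ordinal labels for the two scales mentioned in the text (footnote 2).
# The 1-3 labels are the book's; the 1-5 labels are an assumption of this example.
SCALES = {
    3: ["Low", "Medium", "High"],
    5: ["Low", "Low-Medium", "Medium", "Medium-High", "High"],
}


@dataclass
class Risk:
    system: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    scale: int = 3  # highest value on the ordinal scale (3 or 5 here)

    def __post_init__(self):
        # Reject scores that are not on the scale, e.g. a "4" on a 1-3 model,
        # so that a register never mixes incompatible scales silently.
        if self.scale not in SCALES:
            raise ValueError(f"unsupported scale {self.scale}")
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= self.scale:
                raise ValueError(f"{name}={value} is outside 1..{self.scale}")

    def score(self) -> int:
        """The book's formula: Likelihood x Impact = Risk."""
        return self.likelihood * self.impact

    def max_score(self) -> int:
        """Highest possible score on this scale (9 for 1-3, 25 for 1-5)."""
        return self.scale * self.scale

    def rating(self) -> str:
        """Map the numeric score back onto the scale's labels.
        Assumption of this example: the score range is cut into as many equal
        bands as there are labels (1-3, 4-6, 7-9 on the 1-3 scale)."""
        labels = SCALES[self.scale]
        band = (self.score() - 1) * len(labels) // self.max_score()
        return labels[band]


def rank(register):
    """Order a register highest score first. Ties are broken by impact, so an
    equal-score item that would hurt more is listed first (an assumed convention)."""
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)


# Constructed sample register. The first entry is the book's scenario;
# the other two are made up for illustration.
REGISTER = [
    Risk("Small datacenter", "Severe-weather power outage", "No UPS",
         likelihood=3, impact=3),
    Risk("Small datacenter", "Disk failure", "No RAID on file server",
         likelihood=2, impact=2),
    Risk("Small datacenter", "Flood", "Server room below grade",
         likelihood=1, impact=3),
]


def report(register) -> str:
    """One line per risk, highest first: score/max, rating, threat (weakness)."""
    lines = []
    for r in rank(register):
        lines.append(f"{r.score():>2}/{r.max_score()} {r.rating():<7} "
                     f"{r.threat} ({r.vulnerability})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(REGISTER))
```

Note what the formula does with the constructed "Flood" entry: a rare (Likelihood 1) but severe (Impact 3) event scores 3 and lands in the Low band, below the routine disk failure. That is a known property of multiplicative Likelihood x Impact scoring and one reason some models use finer scales or weight impact separately; whichever model is chosen, the validation in the example keeps every entry on the same scale so the ranking stays meaningful.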
Summarizing, Security Assessments evaluate overall system security, whereas Risk Assessments determine risk based on Threat, Vulnerability (i.e., weakness), Likelihood and Impact.
[1] The NIST control catalog (SP 800-53r5) categorizes groups of security controls into Families. Examples of Control Families include Access Control and Configuration Management.
[2] The degree or level of risk depends on the risk assessment model used. Some models use simple Low, Medium and High labels with numeric values of 1, 2 and 3, whereas other models are more granular (e.g., labels of Low, Low-Medium, Medium, Medium-High and High) with corresponding granularity in the numeric values (1-5 or 1-10). There is no single correct scale; which numeric values to use depends on the needs of the evaluator.
[3] The term ‘probability’ is sometimes used instead of Likelihood, but both have (essentially) the same meaning.