An information security risk assessment determines the significance of information and system components and then balances that knowledge with the potential exposure from threats and vulnerabilities. The information security risk assessment is an approach to categorize and be aware of the risks to the discretion, reliability, and accessibility of stored data and the information system itself. Its goal is to ensure the security and confidentiality of stored data and to protect against anticipated threats or hazards which could result in substantial harm or inconvenience.
A risk assessment is a prerequisite to the formation of strategies that guide the institution as it develops, implements, tests, and maintains its information systems security posture. An initial risk assessment may involve a significant one-time effort, but the risk assessment process should be an ongoing part of the information security program.
A strong security program reduces levels of reputation, operational, legal, and strategic risk by limiting the organization's vulnerability to intrusion attempts and maintaining customer confidence and trust in the organization. Security concerns can quickly erode customer confidence and potentially decrease the adoption rate and rate of return on investment for strategically important products or services.