Risk Assessment

Security services can be highly valuable for many organisations, but the decision to purchase security services, and how much to invest in them, is a strategic choice that should be grounded in cost-benefit analysis. When you purchase a lock for a shed, you intuitively make such an analysis - you weigh the low cost of the padlock against the much higher cost of losing items in the shed, along with the probability of theft. In the world of cybersecurity, estimating security costs, potential losses, and real risk of attack is more complex and can benefit from a dedicated strategic analysis. One of the services Shellhex can offer is an in-depth assessment of the risks your organisation faces, and the value of potential remediations. Our goal is not to predict the future with certainty, but to provide a structured framework for prioritising security investment based on the best information available.

Risk Assessment Methodology

Our approach to risk assessment is based on three core factors:

  • How much would different kinds of attacks cost your organisation?
  • How likely are different kinds of attacks?
  • How much would defence against different attack vectors cost?

Based on these three pieces of information, we can estimate the likely return on investment of different security remediations. This allows organisations to prioritise the security investments likely to provide the greatest reduction in risk for a given investment.

The difficulty, of course, lies in assessing each of the three terms of the equation - the real cost of attacks, the probability of attacks, and the difficulty of preventing an attack. These depend on both the details of your organisation and on technical knowledge of the mechanics of real-world threats. Our Risk Assessment service offers an opportunity for us to collaborate with your organisation to estimate those values, combining our technical understanding of how real-world attacks occur with your knowledge of the details of your organisation.

Risk Assessment Deliverables

A typical risk assessment engagement includes:

  • Interviews with key stakeholders.
  • Analysis of organisational processes and systems.
  • Identification of significant threat scenarios.
  • Estimates of likelihood and business impact.
  • Prioritised remediation recommendations.
  • A written report summarising findings.
  • An optional presentation to leadership.

We aim for our deliverables to be optimised for real strategic guidance that is intelligible to decision-makers without domain knowledge of security. Our analyses are based around established quantitative methodologies in the security industry.

Determining Security ROI Factors

How can we determine the factors that go into our risk assessment? There are many questions that are simple to answer, yet highly informative about your business's real threat landscape. We offer some examples here.

  • What kind of data does your organisation store? What could be released in a data breach?
  • What legal liabilities would your organisation face if subject to an attack?
  • How much of your organisation's operations-critical information lacks robust backups? What effect would losing access to it have?
  • How much redundancy do your systems possess? If all your systems went down, what would happen?
  • What is your financial situation? How much would a given number of days of lost business cost you?
  • How much competition does your business face? Could customers easily switch to an alternative provider?
  • How trust-dependent is your enterprise? What would permanent reputational damage do to your business?

Risk Assessment Pricing

Standard Risk Assessments

We offer our Risk Assessments at a flat fee of £450. This consists of a workshop with your organisation where we will gather the relevant information needed to inform our assessment, followed by us drafting and sending you a deliverable as described above, along with an optional follow-up meeting to discuss the findings. If you subsequently commission any of our security testing engagements within 90 days, the £450 cost of the Risk Assessment service will be credited against that engagement - that is, you will receive a £450 discount on the first such service you purchase within 90 days of your Risk Assessment service.

Comprehensive Strategic Assessments

Organisations who need a deeper understanding of their risks, with potentially multiple workshops and a more detailed, data-driven risk assessment methodology may wish for a more comprehensive risk assessment. These offerings may include multiple stakeholder workshops, more detailed modelling of threat scenarios, analysis of organisational dependencies, and a more extensive written report. For such organisations, we offer more in-depth risk assessments for a price of £1,500-£3,000. We still offer a £450 discount on the first security testing engagement you purchase in the next 90 days.