
Cybersecurity Risk Assessments

Understand How Your Cybersecurity and Information Risk Program Functions Today

Risk assessments are the foundation of a strong cybersecurity strategy, helping organizations identify vulnerabilities before attackers do. They provide a clear view of where your greatest risks lie, allowing you to prioritize resources and defenses effectively. By proactively evaluating threats, you reduce the likelihood of costly breaches and support compliance with industry regulations. Risk assessments turn uncertainty into informed action - protecting your data, operations, and reputation.

Cybersecurity and Control Risk Assessments

Cybersecurity assessments are essential tools for understanding and strengthening your organization's security posture. These assessments typically fall into two key categories: (i) cybersecurity risk assessments and (ii) cybersecurity controls assessments. While both are interconnected, each serves a distinct purpose - one identifies what is important to you and where your vulnerabilities lie, and the other evaluates how well your defenses are working. Together, they provide a comprehensive view of your organization's ability to prevent, detect, and respond to cyber threats.

Risk Assessment

A cybersecurity risk assessment focuses on identifying, analyzing, and prioritizing risks that could impact your organization’s information systems and data. It evaluates potential threats, the likelihood of those threats occurring, and the potential impact on your operations. This process helps decision-makers allocate resources effectively, implement targeted safeguards, and ensure compliance with regulatory requirements. A well-executed risk assessment not only highlights where your organization is most vulnerable but also lays the groundwork for strategic planning. Importantly, a complete risk assessment includes a thorough evaluation of your existing security controls to determine their effectiveness in mitigating those risks.

Controls Assessment

A cybersecurity controls assessment dives deeper into the specific safeguards your organization has in place—such as firewalls, access controls, encryption, and monitoring systems. These controls are the mechanisms that protect your systems, data, and users from cyber threats. Understanding the strength, coverage, and performance of these controls is critical to ensuring they align with your risk profile and compliance obligations. Without a clear picture of your controls, it’s impossible to know whether your defenses are adequate or where improvements are needed. This assessment empowers organizations to close security gaps, improve resilience, and demonstrate due diligence to stakeholders and regulators alike.

Assessment Methodology

A risk assessment methodology is a structured, repeatable approach used to identify, evaluate, and prioritize risks within an organization. It defines the steps, criteria, tools, and metrics used during the assessment process—such as how threats are identified, how likelihood and impact are measured, and how risk levels are calculated. This methodology acts as the foundation for the entire assessment, ensuring that the process is not only thorough but also aligned with the organization’s objectives, regulatory requirements, and risk tolerance.
Having a clearly defined methodology is essential because it brings consistency, objectivity, and credibility to the risk assessment process. A strong methodology improves the quality of results by reducing bias, ensuring all relevant factors are considered, and enabling more accurate prioritization of risks. It also allows organizations to track progress over time. When the same methodology is used across multiple assessments, businesses can confidently compare results, identify trends, and measure the effectiveness of their security improvements. This consistency is key to making informed, data-driven decisions and demonstrating due diligence to stakeholders, auditors, and regulators.

BorderHawk Methodology

The objective of the BorderHawk Methodology is to develop a consistent conclusion regarding the risk to confidentiality, integrity, and availability of information created, received, stored, or transmitted by the organization.

We use the following definitions for confidentiality, integrity, and availability:

  • Confidentiality - the property whereby data or information is not made available or disclosed to unauthorized persons or processes.
  • Integrity - the property whereby data or information has not been altered or destroyed in an unauthorized manner.
  • Availability - the property whereby data or information is accessible and usable upon demand by an authorized person.

Based on our collective experience, we utilize a qualitative approach for assessing information risk. The qualitative method uses specific language to describe information risk: each activity, or lack of activity, associated with information management is scored on a scale of 1-10, and that score is then described as low risk, medium risk, or high risk. We have found this approach to be most effective in rapidly developing corresponding mitigation plans.

Our intent is to maximize results through:

  • Examination of Specific Key Criteria - Key criteria are identified for each Information Risk Assessment control and examined for their impact on People, Processes, Technology, and Facilities.
  • Determination of Practice - Interviews are structured to gain a complete understanding of current operational practices and to evaluate how familiar staff are with those practices and how consistently they are applied.
  • Results Reporting - Results are reported against the defined criteria and color-coded to describe the compliance risk associated with each control.

Our methodology employs a probing technique for framing and analyzing the subject matter associated with each area of risk inquiry. The approach is known as IRAC. IRAC is an acronym for Issue - Rule - Analysis - Conclusion.

The process for assessing each Information Security Management Control Area, and its subcomponents, is as follows:

  • Identify the Control's purpose, state it as an Issue, and then inquire about the organization's efforts within the control area through a series of questions.
  • With reference to the Rule (the pertinent regulation or standard's control requirements), perform an Analysis of the organization's activities for compliance with that rule.
  • Use the Conclusion derived from that analysis to drive the understanding of risk.

Accordingly, this assessment uses the following collection techniques:

  • Collecting documented policies, processes, and procedures, in soft or hard copy, for review.
  • Interviewing knowledgeable and available staff members.
  • Observing while onsite.

In analyzing each answer, we consider the presence and the quality of the expected information security management controls:

  • Has the organization implemented a specific control, or does some other mitigating factor provide an adequate protective measure?
    • The answer to each of these questions is essentially a yes or a no.
  • Does the implemented control appear to provide the necessary protective measure (quality)?

The BorderHawk Process

The BorderHawk process for assessments, from document collection, through interviews, to final reporting, takes approximately 6-8 weeks. Our process consists of the following 10 activities:

  1. Scoping
  2. Document Collection
  3. Initial Interviews
  4. Physical Walk-Through
  5. Onsite Interviews
  6. Analysis
  7. Secondary Interviews
  8. Reporting
  9. Initial Findings Review
  10. Final Report Review