Risk Analysis FAQs

What is included in the VST risk analysis?

Loptr’s risk analysis starts with basic audit activities: interviews, surveys, observations, and documentation review. This first part is a “control-centered” review of your security program to understand what you are doing and where you have gaps. Then we risk-rate each gap we identify and explain how it exposes you to specific threat scenarios. We provide a dashboard view of the risk analysis findings and, finally, we share a remediation planner that you can use to reduce your risk.

How did we build our risk analysis tool?

There is no “standard” tool for doing a risk analysis.* When we created our risk analysis technique, we wanted to 1) provide a more quantitative perspective on risk, 2) consider how layered controls can influence risk, and 3) present risk in terms of real-life threat scenarios.

To those ends, Loptr’s risk analysis technique adapts the Common Vulnerability Scoring System (CVSS) and evaluates defense in depth using a “container” model inspired by OCTAVE Allegro. We added a control weighting approach drawn from Australia’s Department of Defence and threat scenarios driven by a variety of industry breach analyses. We use a control set that aligns with HIPAA requirements and the OCR audit protocol plus other standards and regulations (like PCI DSS, NIST SP 800-53, ISO 27001, and TSP 100) so that we can cross-reference our risk analysis to your compliance requirements, too.

* There are some bad tools. We can point you towards an example if you need one.

What is not in the VST risk analysis?

We don’t mix pen-testing, vulnerability scanning, compliance assessment, and risk analysis.* We will draw connections between them, but we work hard to help you understand the differences between these related but separate activities.

* Too many people mistake a pen-test or vulnerability scan for a risk analysis.

What’s the difference between compliance assessment and risk analysis?

A compliance assessment really only looks at one risk: the risk of not complying. Not complying can be serious. You could face fines and penalties. You could lose business or customers. But there’s a difference between compliance and security. Our compliance assessment helps you understand how well you comply with requirements like HIPAA or PCI DSS. Our risk analysis helps you understand how well you are defending against threats to your data.