How to perform threat-based risk assessments in Wired Relations

Karen Syppli Hansen
September 25, 2023

If you want to work with a threat-based approach to risk assessments, this guide is for you. If, on the other hand, you have not activated the threat-based approach in Wired Relations, you can skip this guide.

Step 1: Identify your critical information assets

Information assets in this context include, among others, systems, vendors and processing activities. A good way to start your risk management is to map the information assets that are relevant to your organisation in Wired Relations. Tip: Use the label feature in Wired Relations to indicate whether an asset is business critical and which types of personal data it processes.

Step 2: Create a risk assessment

Go to the Risk Assessment module in the top left corner of Wired Relations and create a new risk assessment. Select the asset for which you want to assess the risk. This could be a system, a processing activity, a vendor etc.

Step 3: Select relevant threats and whom they affect

Start by selecting relevant threats from the list or create new ones from your own risk catalog. Choose whom the threats affect. You can choose between the "organisation" and/or the "data subject".

Step 4: Assess consequence and likelihood

For each threat, assess the consequence based on the parameters confidentiality, integrity, and availability. You do this for the "data subject" and/or "organisation". You then choose the likelihood of it occurring.

You do this for each threat.

Step 5: Calculate risk

Once you have assessed consequence and likelihood, Wired Relations presents "calculated risk" scores: one for the risk assessment as a whole and two indicating the level of risk to the organisation and the data subject respectively.

Step 6: Decide if the risk can be accepted

You must now decide whether the risk is acceptable. If the answer is “yes”, you can continue with the current security measures. If the answer is “no”, move on to risk management.

Step 7: Risk management

You choose which security measures you want to implement. You can choose between technical and organisational measures from a catalog or create your own. Create tasks for the organisation to implement these measures.

Step 8: Assess residual risk

Once the security measures are chosen and implemented, reassess the risk. You now assess whether the consequence or likelihood has changed based on the security measures you have chosen.

Step 9: Summarise the risk picture

Wired Relations gives you an overview of the calculated risk for both the organisation and the data subject. You can see if the remaining risk is acceptable and how it has been affected by your security measures.
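To make the flow of Steps 3 to 9 concrete, here is an added Python model of a threat-based risk assessment. It is example code written for this guide, not Wired Relations' own implementation, and everything numeric in it is an assumption: the 1-4 likelihood and consequence scales, the rule that a threat's risk is its worst CIA consequence multiplied by its likelihood, the per-party and overall scores taken as the maximum across threats, and the acceptance threshold of 6. The asset, threats and measures are constructed sample input. What it shows is the shape of the procedure: score per party, calculate, decide, apply measures, and reassess to get the residual risk picture.

```python
from copy import deepcopy
from dataclasses import dataclass

# ASSUMED scales and formula for this example; the page does not state
# Wired Relations' scoring model, so treat these as illustrative only.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}
CONSEQUENCE = {"negligible": 1, "minor": 2, "major": 3, "severe": 4}
PARTIES = ("organisation", "data subject")


@dataclass(frozen=True)
class Consequence:
    """Step 4: consequence for one affected party, scored per CIA parameter."""
    confidentiality: int
    integrity: int
    availability: int

    def worst(self) -> int:
        # Assumption: the worst of the three parameters drives the score.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Threat:
    """Step 3: a threat, its likelihood, and the parties it affects."""
    name: str
    likelihood: int
    consequence: dict  # party -> Consequence; a party not listed is unaffected

    def risk_to(self, party: str) -> int:
        c = self.consequence.get(party)
        return c.worst() * self.likelihood if c else 0

    def risk(self) -> int:
        return max(self.risk_to(p) for p in PARTIES)


@dataclass
class RiskAssessment:
    """Step 2: one assessment for one asset."""
    asset: str
    threats: list
    tolerance: int = 6  # assumed acceptance threshold (score <= tolerance is accepted)

    def calculated_risk(self) -> dict:
        """Step 5: one score per party plus one for the assessment as a whole."""
        scores = {p: max((t.risk_to(p) for t in self.threats), default=0) for p in PARTIES}
        scores["overall"] = max(scores.values())
        return scores

    def is_acceptable(self) -> bool:
        """Step 6: accept or move on to risk management."""
        return self.calculated_risk()["overall"] <= self.tolerance

    def unacceptable_threats(self) -> list:
        """Threats that individually exceed the tolerance, ordered worst first."""
        over = [t for t in self.threats if t.risk() > self.tolerance]
        return sorted(over, key=lambda t: t.risk(), reverse=True)

    def with_measure(self, threat_name: str, *, likelihood=None, consequence=None):
        """Steps 7-8: record the effect of a security measure as a new likelihood
        and/or consequence for one threat, returning the residual assessment.
        The original assessment is left untouched so the two can be compared."""
        residual = deepcopy(self)
        for t in residual.threats:
            if t.name == threat_name:
                if likelihood is not None:
                    t.likelihood = likelihood
                if consequence:
                    t.consequence.update(consequence)
                return residual
        raise KeyError(f"no threat named {threat_name!r} in assessment for {self.asset}")


def example_assessment() -> RiskAssessment:
    """Constructed sample input: one asset, three threats (Steps 1-4)."""
    return RiskAssessment(
        asset="HR system (constructed example)",
        threats=[
            Threat("Credential theft", LIKELIHOOD["possible"],
                   {"organisation": Consequence(3, 2, 1), "data subject": Consequence(4, 1, 1)}),
            Threat("Ransomware", LIKELIHOOD["unlikely"],
                   {"organisation": Consequence(2, 3, 4), "data subject": Consequence(1, 2, 3)}),
            Threat("Backup failure", LIKELIHOOD["unlikely"],
                   {"organisation": Consequence(1, 1, 2)}),
        ],
    )


def residual_after_measures(initial: RiskAssessment) -> RiskAssessment:
    """Steps 7-8 on the sample: two hypothetical measures lower two likelihoods."""
    return (initial
            .with_measure("Credential theft", likelihood=LIKELIHOOD["rare"])  # e.g. MFA rolled out
            .with_measure("Ransomware", likelihood=LIKELIHOOD["rare"]))       # e.g. tested offline backups


if __name__ == "__main__":
    initial = example_assessment()
    print("calculated risk:", initial.calculated_risk(), "acceptable:", initial.is_acceptable())
    print("needs treatment:", [t.name for t in initial.unacceptable_threats()])
    residual = residual_after_measures(initial)
    print("residual risk:  ", residual.calculated_risk(), "acceptable:", residual.is_acceptable())
```

Running the script prints the initial and residual pictures side by side, which is the comparison Step 9 asks for: the data-subject score dominates before treatment, and each measure is modelled as a change to a single threat's likelihood so its effect on both parties stays traceable.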