Business Impact Assessments, Vulnerability Assessments, Penetration Tests, and Risk Assessments


Define Business Impact Assessment, Vulnerability Assessment, Penetration Test, and Risk Assessment.  Please put these definitions in your own words rather than copying them from a source.

In my opinion, a Business Impact Assessment is the process of prioritizing identified threats by how they would affect the business if they were realized. For example, a finding rated high risk on technical grounds, such as a breach of a specific database, may have little real impact on the business if that database contains only older, outdated information. Even the most robust and sophisticated risk assessment offers nothing beneficial if one does not understand what each threat means for the business in the real world.

A Vulnerability Assessment is a systematic process of finding and rating weaknesses (commonly with quantitative scoring) with the goal of determining which weaknesses are exploitable by a defined threat. A vulnerability assessment is used to gauge how effective an organization's existing cybersecurity procedures, policies, personnel, and hardware/software are against the always-expanding world of cybercrime.

A Penetration Test, explained in my words, applies the same tactics used by cybercriminals in an attempt to penetrate an organization's security layers, with the goal of learning how to stop the real attackers. It is performed with the organization's authorization and within an agreed scope. Penetration tests offer a glimpse into the minds of those we defend against, exposing the weak points they would likely target in the systems we guard and giving us the ability to close the identified gaps in security.

A Risk Assessment is, simply put, an assessment of an organization's exposure to various attacks, unexpected data-loss events, and so on: what could go wrong, how likely it is, and how bad it would be. Risk assessments are typically used to identify the risks of a specific project, service, hardware/software, or task. For example, if you are implementing a new cloud-based email platform for your organization, you would want to perform a detailed risk assessment to figure out what could go wrong and how likely each outcome is, in order to determine the budget, time, resources, and mitigations needed to complete the rollout.

What are the differences and similarities between them?

Because the definitions overlap, it can be confusing to figure out which type of test or assessment is ideal for a specific situation. While all of them ultimately provide the same benefit of increased security, there are certainly differences between them. A vulnerability assessment catalogs and rates weaknesses; a risk assessment weighs those weaknesses by their likelihood and consequence; and a business impact assessment is the big-picture task of applying the risks identified in a vulnerability/risk assessment or a penetration test to the operations of the business. A penetration test differs from the other three in that it is an actual attempted entry into a specified target, which confirms which weaknesses are really exploitable and supplies the necessary data for the vulnerability, risk, and business impact assessments.

When would you use each?

In practice, each of the above should be utilized in any IT-related project or task, but the timing of when to perform each of them is vital. For example, a penetration test preceded by a robust vulnerability assessment gives the person attempting to bypass the organization's security a defined target and a set of commonly used attack vectors to try. Conversely, after the penetration test is performed, the confirmed gaps in security can be fed back into the risk assessment to refine each risk's threat level, which in turn provides the necessary data for the business impact assessment.

Which one(s) have you used?

As an IT manager in a small, growing business, I have been tasked with several projects ranging from implementing new VoIP phone systems to CRM (ticketing) programs. In all of my endeavors, whether complicated or minuscule, I always perform some form of a penetration test and vulnerability, risk, and business impact assessments; I find that accomplishing this step is essential in the early stages of any project. With the tasks mentioned above, I can effectively communicate to management the possible risks of the project, what can be done to minimize or mitigate them, and how they could possibly affect the business as a whole.



Categories: Security
