ABSTRACT

It’s about contextual risk. – Anurag Agrawal, in conversation with the author, 2014

The success of an assessment depends greatly on the assessor’s ability to calculate or rate the risk of the system under review. There is the risk of the system as it is designed at the moment of the assessment, and there is the risk that each attack vector poses to the system’s security posture. Most importantly, the risk that the system poses to the organization must be determined in some manner. If computer security risk cannot be rated in a reasonable fashion, and consistently over time, not only does any particular assessment fail, but the entire assessment program fails. The ability to understand, to interpret, and, ultimately, to deliver risk ratings is an essential task of architecture risk assessment (ARA) and threat modeling.