Conducted properly, information security risk assessments provide managers with the feedback needed to manage risk through the understanding of threats to corporate assets, determination of current control vulnerabilities, and appropriate safeguards selection. Performed incorrectly, they can provide the false sense of security that allows potential threats to develop into disastrous losses of proprietary information, capital, and corporate value. Picking up where its bestselling predecessors left off, The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, Third Edition gives you detailed instruction on how to conduct a security risk assessment effectively and efficiently, supplying wide-ranging coverage that includes security risk analysis, mitigation, and risk assessment reporting.

The third edition has expanded coverage of essential topics, such as threat analysis, data gathering, risk analysis, and risk assessment methods, and added coverage of new topics essential for current assessment projects (e.g., cloud security, supply chain management, and security risk assessment methods). This handbook walks you through the process of conducting an effective security assessment, and it provides the tools, methods, and up-to-date understanding you need to select the security measures best suited to your organization.

Trusted to assess security for small companies, leading organizations, and government agencies, including the CIA, NSA, and NATO, Douglas J. Landoll unveils the little-known tips, tricks, and techniques used by savvy security professionals in the field. It includes features on how to

  • Better negotiate the scope and rigor of security assessments
  • Effectively interface with security assessment teams
  • Gain an improved understanding of final report recommendations
  • Deliver insightful comments on draft reports

This edition includes detailed guidance on gathering data and analyzes over 200 administrative, technical, and physical controls using the RIIOT data gathering method; introduces the RIIOT FRAME (risk assessment method), including hundreds of tables, over 70 new diagrams and figures, and over 80 exercises; and provides a detailed analysis of many of the popular security risk assessment methods in use today. The companion website (infosecurityrisk.com) provides downloads for checklists, spreadsheets, figures, and tools.

chapter 1|17 pages


chapter 3|30 pages

Project Definition

chapter 4|28 pages

Security Risk Assessment Preparation

chapter 5|38 pages

Data Gathering

chapter 6|81 pages

Administrative Data Gathering

chapter 7|67 pages

Technical Data Gathering

chapter 8|67 pages

Physical Data Gathering

chapter 9|42 pages

Security Risk Analysis

chapter 10|31 pages

Security Risk Analysis Worked Examples

chapter 11|13 pages

Security Risk Mitigation

chapter 12|10 pages

Security Risk Assessment Reporting

chapter 13|21 pages

Security Risk Assessment Project Management

chapter 14|16 pages

Security Risk Assessment Approaches