ABSTRACT
Risk assessment is the process of discovering and documenting the risks present in an environment. Within a broader context, known as risk management, risk assessment is considered part of the due care an organization applies to the operation of a computerized information system. Using an organized and systematic approach to risk assessment is essential. There are many models proposed and in use to structure the risk assessment effort. This chapter identifies some of the more widely known models and explores a widely used approach.
An approach that has been widely adopted in the information assurance industry is known as the Threat-Vulnerability-Asset (TVA) matrix. In the middle part of this chapter, this model is explored by explaining the processes used to enumerate and characterize assets, discern and evaluate threats against those assets, and identify the active and latent vulnerabilities that are present or likely. Once the three primary dimensions of the TVA model are explained, the chapter continues with an exploration of some of the more salient details regarding asset valuation and threat and vulnerability estimation.
In order to extend the TVA model, the chapter adds the dimension of controls (or counter-measures) to the model; this includes the process of identifying and explaining existing controls, exploring the need for possible additional or enhanced controls, and planning for moving the information security program forward as these possible controls are deployed.
A final section about documenting the results of the risk assessment processl concludes the coverage of the TVA model.
The conclusion of the chapter is a review of literature on the topic of risk assessment and some observations on the directions future research may take.
