ABSTRACT

There are nearly as many security risk assessment approaches as there are organizations that perform them. It is not the intent of this book to define the best or only approach for performing security risk assessments. This chapter briefly describes some of the differences between currently available approaches, to assist the reader's understanding and to aid in the selection process. Every security risk assessment method is a prescribed process that includes threat analysis, vulnerability analysis, impact analysis, and ultimately a measurement of security risk. The National Institute of Standards and Technology has provided guidance for conducting information security risk assessments for federal information systems and organizations. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is an information security risk evaluation approach created by the Computer Emergency Response Team Coordination Center. The original OCTAVE information security risk assessment method was designed for larger organizations.