ABSTRACT

The dictionary defines risk as “someone or something that creates or suggests a hazard.” In today’s environment, it is one of the many costs of doing business or providing a service. Information security professionals know and understand that nothing ever runs smoothly for very long. Any manner of internal or external hazard or risk can cause a well-running organization to lose competitive advantage, miss deadlines, or suffer embarrassment. Management is looking to us, as security professionals, to provide a process that allows for the systematic review of risk, threats, hazards, and concerns and that provides cost-effective measures to lower risk to an acceptable level.