A Simple Security Risk Assessment
June 2, 2009
Many security practitioners (and others) struggle to understand the environment they are working in and find it difficult to prioritise what needs to be done. To help, I’m going to share a series of articles that demonstrate an approach to completing A Simple Security Risk Assessment, an approach that takes into consideration both technical and business risk. The series comprises:
1. Evaluating Industry Standard Risk Methodologies
2. Categorising Threats by Information Asset attributes
3. Assessing Technical Risk
4. Assessing Business Risk
5. Calculating Overall Risk
June 2, 2009 at 12:53 am
[...] A Simple Security Risk Assessment, the STRIDE/DREAD approach of categorising technical risk is recommended, rather than thoroughly [...]
June 2, 2009 at 12:56 am
[...] 2, 2009 Technical risk for the purposes of A Simple Security Risk Assessment refers to the probability that an attacker will exploit a vulnerability in the software related to [...]
June 2, 2009 at 1:01 am
[...] 2, 2009 Business risk for the purposes of A Simple Security Risk Assessment is the input provided by Business Unit which incorporates the value and criticality of the [...]
June 2, 2009 at 1:09 am
[...] the sum of both Technical and Business risk. If you follow a similar process to that described by A Simple Security Risk Assessment, you should end up with a Technical risk value for each configuration item examined, and a Business [...]
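The series outline above describes a technical risk score per configuration item (the DREAD approach mentioned in the trackbacks), a business risk value supplied by the Business Unit, and an overall risk that is the sum of the two. The following is an added illustration of that combination, not code from the original series. It assumes the common DREAD convention of rating each of the five factors from 1 to 10 and averaging them; the series itself does not specify a scale, so the factor range, the 1 to 10 business-risk scale and the sample configuration items are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# The five DREAD factors (assumed 1..10 scale, averaged into one technical risk score).
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass
class ConfigurationItem:
    """One item examined during the assessment (hypothetical structure)."""
    name: str
    dread: Dict[str, int] = field(default_factory=dict)  # factor -> rating 1..10
    business_risk: int = 1                               # Business Unit input, 1..10


def technical_risk(dread: Dict[str, int]) -> float:
    """Average of the five DREAD ratings; rejects missing or out-of-range factors."""
    missing = [f for f in DREAD_FACTORS if f not in dread]
    if missing:
        raise ValueError(f"missing DREAD factors: {missing}")
    for factor in DREAD_FACTORS:
        rating = dread[factor]
        if not 1 <= rating <= 10:
            raise ValueError(f"{factor} rating {rating} outside 1..10")
    return sum(dread[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)


def overall_risk(item: ConfigurationItem) -> float:
    """Overall risk as the page describes it: technical risk plus business risk."""
    if not 1 <= item.business_risk <= 10:
        raise ValueError(f"business risk {item.business_risk} outside 1..10")
    return technical_risk(item.dread) + item.business_risk


def prioritise(items: List[ConfigurationItem]) -> List[str]:
    """Names of the items ordered from highest to lowest overall risk."""
    return [i.name for i in sorted(items, key=overall_risk, reverse=True)]


# Constructed sample items: the ratings below are invented for illustration.
SAMPLE_ITEMS = [
    ConfigurationItem("payments-api",
                      dict(zip(DREAD_FACTORS, (8, 8, 8, 8, 8))), business_risk=9),
    ConfigurationItem("internal-wiki",
                      dict(zip(DREAD_FACTORS, (10, 10, 10, 10, 10))), business_risk=2),
    ConfigurationItem("hr-portal",
                      dict(zip(DREAD_FACTORS, (4, 6, 5, 5, 5))), business_risk=8),
]

if __name__ == "__main__":
    for name in prioritise(SAMPLE_ITEMS):
        item = next(i for i in SAMPLE_ITEMS if i.name == name)
        print(f"{name:15} technical={technical_risk(item.dread):.1f} "
              f"business={item.business_risk} overall={overall_risk(item):.1f}")
```

The ordering is the point: the wiki has the highest technical score but a low business value, so it ranks below the payments API and even below the moderately exposed HR portal, which is the effect of adding the Business Unit's input that the series sets out to capture.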