RMA

--Originally published at Computer and Information Security



Risk is the probability or threat of damage caused by external or internal vulnerabilities. Risk management is done to assess risk and take action to reduce it to an acceptable level. It is important to recognize that computers can’t be fully secured; there is always some residual risk, and that is the reason risk management matters. Risk management is made up of two components: risk assessment and risk mitigation.

In this post we will focus on risk assessment methodologies. Risk assessment is the process of analyzing and interpreting risk. It consists of three main activities:

  • Determining the scope and methodology.
  • Collecting and analyzing data.
  • Interpreting the results.

The first activity of risk assessment includes selecting the methodology that will be used. The methodologies covered here are:

  1. Asset Audit: Consists of looking at the assets of the organization and determining whether they are being protected adequately.
  2. Pipeline Model: Risks are assessed per pipeline, where a pipeline is responsible for processing a certain type of transaction. Each pipeline is reviewed to determine whether its security requirements are met.
  3. Attack Trees: Describe the security of a system based on who, when, how, why and with what probability an attack could happen. The root node represents the goal of the attacker, and the branches and leaf nodes show the ways of attaining that goal.

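The attack tree method lends itself to a small model that can actually be computed. The following is an added example, not code from the original post: it builds a tree whose root is the attacker's goal, whose internal nodes combine their children with AND (every step needed) or OR (any one path suffices), and whose leaves carry an estimated probability that the step succeeds against current controls. The tree, the node names and every probability are constructed placeholders; the point is to show how leaf estimates roll up to the root and which single mitigation lowers the root probability the most, which is the question a risk assessment is ultimately trying to answer.

```python
"""Minimal attack-tree model with AND/OR roll-up and a mitigation ranking.

Added example for illustration; the tree and all probabilities below are
constructed placeholders, not data from any real assessment.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    gate: Optional[str] = None      # "AND" or "OR" for internal nodes, None for leaves
    prob: Optional[float] = None    # leaf success probability in [0, 1]
    children: List["Node"] = field(default_factory=list)


def success_probability(node: Node) -> float:
    """Probability that the goal at this node is attained.

    Assumes the steps are independent: an AND node succeeds only if all
    children succeed (product), an OR node succeeds if at least one child
    does (1 minus the product of the children's failure probabilities).
    """
    if not node.children:
        if node.prob is None or not 0.0 <= node.prob <= 1.0:
            raise ValueError(f"leaf {node.name!r} needs a probability in [0, 1]")
        return node.prob
    child_probs = [success_probability(c) for c in node.children]
    if node.gate == "AND":
        p = 1.0
        for cp in child_probs:
            p *= cp
        return p
    if node.gate == "OR":
        p_all_fail = 1.0
        for cp in child_probs:
            p_all_fail *= (1.0 - cp)
        return 1.0 - p_all_fail
    raise ValueError(f"internal node {node.name!r} has unknown gate {node.gate!r}")


def leaves(node: Node) -> List[Node]:
    """All leaf nodes of the subtree, left to right."""
    if not node.children:
        return [node]
    out: List[Node] = []
    for c in node.children:
        out.extend(leaves(c))
    return out


def mitigation_ranking(root: Node, mitigated_prob: float = 0.0) -> Tuple[float, List[Tuple[str, float]]]:
    """Rank leaves by how much the root probability drops if that one leaf
    is mitigated down to `mitigated_prob`. Returns (baseline, [(leaf, drop), ...])
    with the most effective mitigation first."""
    baseline = success_probability(root)
    ranking: List[Tuple[str, float]] = []
    for leaf in leaves(root):
        original = leaf.prob
        leaf.prob = mitigated_prob
        ranking.append((leaf.name, baseline - success_probability(root)))
        leaf.prob = original          # restore the tree for the next trial
    ranking.sort(key=lambda r: r[1], reverse=True)
    return baseline, ranking


def build_example_tree() -> Node:
    """Constructed placeholder tree: one goal reachable by three generic paths."""
    return Node("Unauthorized read of customer records", "OR", children=[
        Node("Log in with a stolen account", "AND", children=[
            Node("Obtain a valid password", prob=0.30),
            Node("Defeat the second factor", prob=0.10),
        ]),
        Node("Exploit an unpatched public service", prob=0.05),
        Node("Take the data physically", "AND", children=[
            Node("Enter the server room", prob=0.20),
            Node("Remove the storage media", prob=0.50),
        ]),
    ])


if __name__ == "__main__":
    tree = build_example_tree()
    base, ranked = mitigation_ranking(tree)
    print(f"root success probability: {base:.4f}")
    for name, drop in ranked:
        print(f"  mitigate {name!r:40s} -> root drops by {drop:.4f}")
```

With these placeholder numbers the root probability is about 0.17, and the ranking shows that closing either step of the physical path removes the largest single chunk of it, because that AND branch is the most likely of the three paths. Running the same roll-up after each candidate control is a cheap way to turn the tree from a picture into a prioritised mitigation list; the independence assumption is the main caveat, since correlated steps (one weakness enabling two paths) would make the OR roll-up optimistic.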
We need to realize that no single method is best for all users and environments. How the scope and methodology are defined determines how much effort is spent on risk management and how useful the assessment turns out to be.

Made in collaboration with Salvador.

Picture by: Lindley White https://thenounproject.com/term/warning/8148/