Types of Risk Assessment

  1. Qualitative
    • The financial officer’s estimate that password scanning attacks are highly probable.
    • The IT manager’s opinion on what impact a flood would have on the server room.
  2. Quantitative
    • The cost to the company of being offline for one day (for example, its servers being down for one day).
    • The expected total number of DDoS attacks per year.

Risk assessment process

  • Threat identification is the review of technical and non-technical events that may damage a system.
  • System characterization is the review of system and data criticality and sensitivity
  • Control analysis is the review of current and planned countermeasures against security requirements checklists.
  • Vulnerability identification is the review of system security procedures, design, implementation, or internal controls that may fail during attacks.


The four phases of PUSH are:

  • Preparation
    Defining the audience and purpose of the risk assessment.
  • Universe definition
    Identifying and characterizing the most critical assets, risks and controls.
  • Scoring
    Choosing consistent scales to rate the importance of assets, the impact of risks and the effectiveness of controls.
  • Hitting the mark
    Ensuring the risk assessment fulfils the purpose set out in the preparation phase.

Risk Assessment Methodologies

  • OCTAVE is a self-directed risk analysis performed by an interdisciplinary team, focusing on operational risk and security practices.
  • FRAP is a qualitative risk analysis approach that uses pre-screening to identify critical risk areas.
  • NIST is a qualitative risk assessment methodology established with healthcare in mind.
  • Failure modes and effects analysis (FMEA) assesses risk by examining the effects of failures on three levels.
  • CRAMM is an IT risk analysis method used in the British Government.

Methodological Frameworks

  • ISO 27000 is a series of standards for managing information security.
  • ITIL is a series of books aiming to improve IT service management and IT processes.
  • COSO is a framework for financial reporting and disclosure
  • COBIT is a four-domain model for IT governance and has 214 control objectives.