Information Security Risk Assessments

Information security risk assessment is an integral process in developing an effective information security management system. Unless the organization understands and documents its information security status, or risk posture, it will not be able to perform risk mitigation.

IT risk assessment frameworks help organizations fast-track the process of information security risk assessment. In this post, I list a number of information security risk assessment frameworks for easy reference.

List of Information Security Risk Assessment standards

The list of information security risk assessment standards below is not exhaustive. These are standards I have some experience with; additions can be expected as and when I get a chance to explore other standards.

NIST Risk Management Framework

NIST RMF is a framework in which the information risk assessment is defined as a six-step process: Categorize, Select, Implement, Assess, Authorise and Monitor. The approach is slightly different from the other approaches listed here. It was primarily developed for US government agencies; however, it can be adapted to any organization.

OCTAVE Risk Assessment framework

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a set of tools, techniques and methods for performing information security risk assessments. They were developed by CERT at Carnegie Mellon University as part of its information security work.

Under the OCTAVE risk assessment methodology, information assets such as people, hardware, software and systems are considered for risk assessment. OCTAVE has different versions suited to organizations of different sizes and types: the OCTAVE model is for large organizations, while OCTAVE-S is for smaller organizations. OCTAVE Allegro is a streamlined process focused on information security risk assessment and assurance.

Check out the OCTAVE site for more information.

FAIR Risk Assessment framework

The FAIR risk assessment framework provides an avenue for understanding, analysing and measuring information risk. The FAIR method helps organizations perform sophisticated what-if analysis, which is not very common in other models. This information security risk assessment standard helps you speak in management terms rather than technical risk terms.

It should be noted that the full methodology is not publicly available, and not enough guides are available to educate users on how to use the FAIR methodology for risk assessment. This leads to lower adoption of the method within the information security community.

More details about the FAIR methodology are available here.
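What makes the what-if analysis mentioned above possible is FAIR's quantitative core: Loss Event Frequency (LEF) = Threat Event Frequency × Vulnerability, and annualized risk = LEF × Loss Magnitude. The following Monte Carlo what-if comparison is an added example, not FAIR tooling or code from this post; the scenario ranges are constructed illustrations and the `Scenario`, `simulate` and `what_if` names are my own assumptions.

```python
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    """One FAIR loss scenario. Each factor is a (min, most_likely, max) range;
    all numbers used below are constructed for illustration."""
    name: str
    tef: tuple    # Threat Event Frequency: threat events per year
    vuln: tuple   # Vulnerability: probability a threat event becomes a loss event
    lm: tuple     # Loss Magnitude: loss per loss event, in currency units

def point_estimate(s: Scenario) -> float:
    """Most-likely annualized loss = TEF * Vulnerability * Loss Magnitude (modal values)."""
    return s.tef[1] * s.vuln[1] * s.lm[1]

def _tri(rng: random.Random, r: tuple) -> float:
    """Draw from a triangular distribution given a (min, most_likely, max) range."""
    lo, mode, hi = r
    return rng.triangular(lo, hi, mode)

def simulate(s: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo estimate of annualized loss. Each trial multiplies sampled
    factors (an expected-loss approximation rather than sampling discrete event
    counts). A fixed seed makes what-if comparisons paired and repeatable."""
    rng = random.Random(seed)
    losses = sorted(_tri(rng, s.tef) * _tri(rng, s.vuln) * _tri(rng, s.lm)
                    for _ in range(trials))
    return {
        "mean": sum(losses) / trials,
        "p90": losses[int(0.9 * trials) - 1],   # 90th-percentile annual loss
        "max": losses[-1],
    }

def what_if(s: Scenario, name: str, vuln_factor: float) -> Scenario:
    """Scenario variant modelling a control that scales Vulnerability by vuln_factor."""
    return Scenario(name, s.tef, tuple(v * vuln_factor for v in s.vuln), s.lm)

# Constructed example: credential-theft scenario against an internal application.
BASELINE = Scenario("baseline", (2, 5, 12), (0.1, 0.3, 0.6), (20_000, 50_000, 400_000))
# What-if: a stronger authentication control assumed to halve the chance a threat event succeeds.
MITIGATED = what_if(BASELINE, "with control", 0.5)

if __name__ == "__main__":
    for sc in (BASELINE, MITIGATED):
        print(sc.name, f"point={point_estimate(sc):,.0f}", simulate(sc))
```

The mean and 90th percentile are the figures to report to management: the point estimate alone hides the long tail that the Loss Magnitude range produces.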

TARA, Threat Agent Risk Assessment

TARA was developed by Intel, which is making large investments in the IT security product space, as its approach to information security risk. The TARA methodology relies on three main references to reach its predictive conclusions:

  • Threat agent library (TAL)
  • Common exposure library (CEL)
  • Methods and objectives library (MOL)

The TARA methodology was developed by Intel for performing its internal information security risk assessments and was later published. TARA is focused on monitoring and assessing selected security controls in information systems on a continuous basis, including documenting changes to the systems, conducting security-impact analyses of the associated changes, and reporting the security status of the systems to appropriate organizational officials on a regular basis.

Homeland Security has adapted the TARA methodology in defining the Information Technology Sector Baseline Risk Assessment (ITSRA).

EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité)

EBIOS is a comprehensive set of guides (plus a free open source software tool) dedicated to Information System risk managers. Originally developed by the French government, it is now supported by a club of experts of diverse origin. This club is a forum on Risk Management, active in maintaining EBIOS guides. It produces best practices as well as application documents targeted to end-users in various contexts. EBIOS is widely used in the public as well as in the private sector, both in France and abroad. It is compliant with major IT security standards.

EBIOS gives risk managers a consistent and high-level approach to risks. It helps them acquire a global and coherent vision, useful in supporting decision-making by top managers on global projects (business continuity plan, security master plan, security policy), as well as on more specific systems (electronic messaging, nomadic networks or web sites, for instance). EBIOS clarifies the dialogue between the project owner and project manager on security issues. In this way, it contributes to relevant communication with security stakeholders and spreads security awareness.

ISO/IEC 13335-2 (ISO/IEC 27005)

ISO/IEC 13335-2: Management of information and communications technology security – Part 2: Information security risk management. Remark: this standard is currently under development; completion is expected in 2006. Subject to endorsement by ISO JTC1, the title will change to ISO/IEC 27005 “Information security risk management”.

ISO/IEC IS 13335-2 is an ISO standard describing the complete process of information security risk management in a generic manner. The annexes contain examples of information security risk assessment approaches as well as lists of possible threats, vulnerabilities and security controls. ISO/IEC IS 13335-2 can be viewed as the basic information risk management standard at the international level, setting a framework for the definition of the risk management process.

SP800-30 (NIST)

This product is one of the Special Publication 800-series reports (NIST SP800-30). It gives very detailed guidance on, and identification of, what should be considered within risk management and risk assessment in computer security. There are some detailed checklists, graphics (including a flowchart) and mathematical formulas, as well as references that are mainly based on US regulatory issues.

There are many more risk assessment frameworks available. Most of the frameworks above are free to download and use. When you decide on a risk assessment framework for your information security requirements, the frameworks listed above may come in handy. If you find any more free and useful risk assessment frameworks, share them in the comments.
