Common Risk-Assessment Methodologies and Templates

Key Terms

Annualized Loss Expectancy (ALE)

The ALE is the expected annual financial loss to an organization's IT asset from a particular threat being realized within that same calendar year.

Annualized Rate of Occurrence (ARO)

The ARO is a value that represents the estimated frequency, per year, of a given threat.

Asset Value (AV)

The AV is the actual dollar value that is put on the asset itself. Remember that for a data asset, the actual dollar value may be more than the value of the IT hardware, software, maintenance contracts, and so on.

Data classification standard

A standard that defines an organization's classification of its data assets. Typically, a data classification standard will dictate the minimum acceptable level of risk within the seven areas of information security responsibility.

Defense-in-Depth

A term used to describe a layered approach to information security for an IT infrastructure.

End User Licensing Agreement (EULA)

This is the software license that software vendors create to protect and limit their liability, as well as to hold the purchaser liable for illegal pirating of the software application. The EULA typically contains language that protects the software manufacturer from claims arising from software bugs and flaws and limits the liability of the vendor.

Exposure Factor (EF)

This is a subjective value, defined as the percentage of a specific asset's value that would be lost if a specific threat were realized.

Qualitative Risk Assessment

A scenario-based assessment in which one scenario is examined and assessed for each critical or major threat to an IT asset.

Quantitative Risk Assessment

A methodical, step-by-step calculation of asset valuation, exposure to threats, and the financial impact or loss in the event of the threat being realized.

Risk Potential

The potential that a threat or vulnerability will be exploited.

Security Breach or Security Incident

The result of a threat or vulnerability being exploited by an attacker.

Security Controls

Policies, standards, procedures, and guideline definitions for various security control areas or topics.

Security Countermeasure

A security hardware or software technology solution that is deployed to ensure the confidentiality, integrity, and availability of IT assets that need protection.

Single Loss Expectancy (SLE)

A dollar-value figure that represents the organization's loss from a single loss event involving this particular IT asset.

Software Bugs or Software Flaws

An error in software coding or its design that can result in a software vulnerability.
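The quantitative terms above chain together: SLE = AV × EF gives the loss from one event, and ALE = SLE × ARO converts that into an expected yearly loss that can be compared across threats and against the yearly cost of a countermeasure. The following Python is an added worked example, not code from the book or this page; the scenario names and dollar figures are constructed for illustration, and the countermeasure cost/benefit step (ALE reduction minus annual control cost) is a standard extension that the page's definitions do not spell out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat against one IT asset, expressed in the page's key terms."""
    name: str
    asset_value: float      # AV: dollar value placed on the asset
    exposure_factor: float  # EF: fraction of AV lost if the threat is realized (0.0 to 1.0)
    annual_rate: float      # ARO: estimated occurrences per year


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF: dollar loss from a single realization of the threat."""
    if av < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return av * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO: expected dollar loss per year from this threat."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def assess(scenario: Scenario) -> dict:
    """Carry one scenario through the full SLE -> ALE calculation."""
    sle = single_loss_expectancy(scenario.asset_value, scenario.exposure_factor)
    ale = annualized_loss_expectancy(sle, scenario.annual_rate)
    return {"scenario": scenario.name, "SLE": sle, "ALE": ale}


def rank_by_ale(scenarios) -> list:
    """Order threats by expected yearly loss, highest first. This is the list a
    quantitative assessment hands to management for prioritisation."""
    return sorted((assess(s) for s in scenarios), key=lambda r: r["ALE"], reverse=True)


def countermeasure_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net yearly value of a countermeasure: the ALE it removes minus what it costs
    to run each year. Positive means the control pays for itself. (Standard
    cost/benefit extension; assumed here, not defined on the page.)"""
    return (ale_before - ale_after) - annual_cost


# Constructed sample scenarios; every figure below is illustrative, not from the page.
SAMPLE_SCENARIOS = [
    Scenario("customer database / ransomware", 500_000.0, 0.40, 0.5),   # SLE 200k, ALE 100k
    Scenario("public web server / defacement", 50_000.0, 0.20, 2.0),    # SLE 10k,  ALE 20k
    Scenario("data center / flood", 2_000_000.0, 0.75, 0.02),           # SLE 1.5M, ALE 30k
]
CUSTOMER_DB = SAMPLE_SCENARIOS[0]

if __name__ == "__main__":
    for row in rank_by_ale(SAMPLE_SCENARIOS):
        print(f"{row['scenario']:<36} SLE ${row['SLE']:>12,.0f}  ALE ${row['ALE']:>10,.0f}")
    # Hypothetical control: offline backups plus endpoint detection cut the
    # ransomware EF from 0.40 to 0.10 at a constructed cost of $30,000 per year.
    before = assess(CUSTOMER_DB)["ALE"]
    after = assess(Scenario(CUSTOMER_DB.name, CUSTOMER_DB.asset_value, 0.10,
                            CUSTOMER_DB.annual_rate))["ALE"]
    print(f"net yearly value of countermeasure: ${countermeasure_value(before, after, 30_000.0):,.0f}")
```

Note how the flood scenario has by far the largest SLE but ranks below ransomware once the ARO is applied; ALE, not SLE, is the figure to budget against. The EF range check matters in practice because a spreadsheet that accepts "40" where "0.40" was meant will inflate every downstream number by a factor of 100.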


Inside Network Security Assessment: Guarding Your IT Infrastructure
ISBN: 0672328097
Year: 2003
Pages: 138
