
Security Threat Modeling & Simulation

Risk Assessment (iRisk)


Almost every client asks “what is my risk?” It is common to perform a single penetration test or vulnerability assessment and offer up a “risk rating” that provides only a partial view of a client’s true security risk. Based on its ten years of experience assessing entire security programs, SecureState has developed a suite of offerings around its Risk Equation to help a client understand where it truly stands in terms of Security Risk.

  • The iRisk equation provides a client with a true assessment of its Security Risks
  • The iRisk equation connects Penetration Test results with Control Audits


Most organizations perform a number of different security assessments throughout the year, such as Penetration Tests and PCI Gap Assessments, with little effort to connect the results. All of these assessments are performed to assess the organization’s Security Program. By leveraging the iRisk equation, SecureState is able to tie together the results from these disparate assessments, as well as assessments the client or a third party has performed, to calculate the overall residual iRisk.

Another significant benefit of leveraging the iRisk equation is an understanding of which areas have not been assessed. If only penetration testing has been performed, an organization has no sense of what controls it may have in place. If only a control assessment has been performed, the organization has no understanding of what vulnerabilities it has and which threats it may face. Aligning with the iRisk equation provides a roadmap toward which assessments should be performed next.


SecureState consultants have experience with a wide variety of Risk Assessment methodologies including FAIR, OCTAVE, NIST, and ISO 27005. Our Profiling practice has a team of experts who perform custom vulnerability research and align ratings with the CVSS vulnerability rating system. Our audit practice contains consultants with years of experience performing HIPAA, PCI, ISO 27002, and many other control assessments. Additionally, SecureState’s Advisory Services practice has assisted numerous clients in performing Threat Assessments, as well as pulling together Threat, Vulnerability, and Control data to identify a client’s residual iRisk.

Did You Know?

  • SecureState’s approach to Risk Assessment will help a client to meet regulatory requirements such as PCI-DSS, HIPAA, and ISO 27001

Our Approach and Methodology

SecureState believes that Security Risk is made up of several components:

  • A Threat of some type, such as a malicious hacker or a piece of malware
  • A Vulnerability in some system, application, or other organization asset which a Threat can exploit
  • Controls which serve to diminish the ability of a Threat to exploit a given Vulnerability

To perform a thorough assessment of risk, all three of those components need to be addressed. A Penetration Test or Vulnerability Assessment can be leveraged to identify vulnerabilities. A PCI, HIPAA, or ISO 27001 audit can identify controls, as can an INFOSEC assessment. Finally, a Threat Assessment needs to be performed to identify threats to the organization, as well as their likelihood and impact. By bringing all three components together, an organization is able to identify its true residual iRisk.
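The following Python model is an added illustration of how the three components above (threat likelihood and impact, vulnerability findings, control effectiveness) can be joined into one residual-risk figure and used to flag which assessments are missing. It is not SecureState’s iRisk equation, whose scoring is not published on this page; the multiplicative formula, the 0..1 scales, the CVSS-to-severity mapping and all sample data are assumptions constructed for the example.

```python
"""Illustrative residual-risk model (not SecureState's iRisk equation).

Assumed scoring: for each (vulnerability, threat) pair
    exposure = likelihood * impact * (cvss / 10)
and controls mitigating that finding are treated as independent, so the
fraction of exposure that remains is the product of (1 - effectiveness).
"""
from dataclasses import dataclass, field
from math import prod


@dataclass
class Threat:                      # output of a Threat Assessment
    name: str
    likelihood: float              # 0..1, assumed scale
    impact: float                  # 0..1, relative business impact, assumed scale


@dataclass
class Vulnerability:               # output of a Penetration Test / Vulnerability Assessment
    finding_id: str
    cvss: float                    # CVSS base score, 0..10
    exploited_by: list = field(default_factory=list)   # names of threats that can use it


@dataclass
class Control:                     # output of a Control Audit (PCI, HIPAA, ISO 27001, ...)
    control_id: str
    effectiveness: float           # 0..1 as rated by the audit (1 = fully effective)
    mitigates: list = field(default_factory=list)      # finding ids it reduces


@dataclass
class RiskResult:
    inherent: float                # risk before controls are considered
    residual: float                # risk after controls are applied
    gaps: list                     # assessment coverage gaps, human-readable


def assessment_gaps(threats, vulns, controls):
    """Report which of the three inputs are missing or do not line up,
    i.e. the 'what has not been assessed' roadmap."""
    gaps = []
    if not threats:
        gaps.append("no Threat Assessment results")
    if not vulns:
        gaps.append("no Penetration Test / Vulnerability Assessment results")
    if not controls:
        gaps.append("no Control Audit results")
    known_threats = {t.name for t in threats}
    mitigated = {fid for c in controls for fid in c.mitigates}
    for v in vulns:
        if v.finding_id not in mitigated:
            gaps.append(f"{v.finding_id}: no assessed control mitigates this finding")
        for name in v.exploited_by:
            if name not in known_threats:
                gaps.append(f"{v.finding_id}: threat '{name}' not covered by the Threat Assessment")
    return gaps


def residual_risk(threats, vulns, controls):
    """Combine all three components into inherent and residual risk totals."""
    by_name = {t.name: t for t in threats}
    inherent = residual = 0.0
    for v in vulns:
        # prod() of an empty sequence is 1.0: an uncontrolled finding keeps full exposure
        factor = prod(1.0 - c.effectiveness for c in controls if v.finding_id in c.mitigates)
        for name in v.exploited_by:
            t = by_name.get(name)
            if t is None:
                continue           # reported as a gap by assessment_gaps()
            exposure = t.likelihood * t.impact * (v.cvss / 10.0)
            inherent += exposure
            residual += exposure * factor
    return RiskResult(inherent, residual, assessment_gaps(threats, vulns, controls))


# Constructed sample data standing in for three separate engagements.
SAMPLE_THREATS = [Threat("external attacker", 0.8, 0.9), Threat("malware", 0.5, 0.6)]
SAMPLE_VULNS = [
    Vulnerability("V-1", 9.0, ["external attacker", "malware"]),
    Vulnerability("V-2", 5.0, ["external attacker"]),
]
SAMPLE_CONTROLS = [Control("C-1", 0.75, ["V-1"]), Control("C-2", 0.5, ["V-1"])]

if __name__ == "__main__":
    result = residual_risk(SAMPLE_THREATS, SAMPLE_VULNS, SAMPLE_CONTROLS)
    print(f"inherent={result.inherent:.3f} residual={result.residual:.3f}")
    for gap in result.gaps:
        print("gap:", gap)
```

With the sample data, finding V-2 has no mitigating control, so the model both leaves its full exposure in the residual total and lists it as a gap; dropping the control audit entirely makes residual equal inherent and adds a "no Control Audit results" gap, which is the roadmap signal the text describes.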

Differing Risk Assessment Methodologies:

A number of methodologies for assessing information security risk exist today: FAIR, OCTAVE, NIST 800-30, and ISO 27005, to name a few. SecureState’s approach maps most closely to the approach laid out in the ISO 27005 standard, which provides a high-level framework for risk assessment but leaves the implementation up to interpretation. SecureState’s standard approach can be considered one implementation of this standard.

One popular risk assessment approach is Factor Analysis of Information Risk (FAIR). FAIR focuses on defining the actual “risk” itself, and provides a quantitative framework for qualitative risk measurements. While SecureState does not typically align with FAIR, this approach can be matched with the iRisk methodology.

Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) is another popular approach. Originally developed in 2001 by Carnegie Mellon University, OCTAVE is a fairly in-depth approach to performing a Risk Assessment. As with FAIR, SecureState can perform a Risk Assessment aligned with OCTAVE; however, the time-consuming nature of this type of assessment is rarely within the budget of most organizations.

Finally, SecureState is able to perform a risk assessment which maps to the guidance within NIST 800-30. Additional information on this can be found here.

What Makes Us Different

  • SecureState ties together the work of Penetration Testers, Auditors, and other assessors to produce a single result
  • Our experienced staff members can perform a Risk Assessment which aligns with FAIR, OCTAVE, NIST, or ISO 27005 methodology
