Our Approach and Methodology
SecureState believes that Security Risk is made up of several components:
- A Threat of some type, such as a malicious hacker or a piece of malware
- A Vulnerability in some system, application, or other organization asset which a Threat can exploit
- Controls which serve to diminish the ability of a Threat to exploit a given Vulnerability
To perform a thorough assessment of risk, all three of those components
need to be addressed. A Penetration Test or Vulnerability Assessment can be
leveraged to identify vulnerabilities. A PCI, HIPAA, or ISO 27001 audit can
identify controls, as can an INFOSEC assessment. Finally, a Threat
Assessment needs to be performed to identify threats to the organization, as
well as their likelihood and impact. By bringing all 3 components together,
an organization is able to identify its true residual iRisk.
Differing Risk Assessment Methodologies:
A number of methodologies for assessing information security
risk exist today: FAIR, OCTAVE, NIST 800-30, and ISO 27005, to name a few.
SecureState’s approach maps most closely to the approach laid out within
the ISO 27005 standard, which provides a high-level framework for risk
assessment but leaves the implementation up to interpretation.
SecureState’s standard approach can be considered one implementation of this
standard.
One popular risk assessment approach is Factor Analysis of Information
Risk (FAIR). FAIR focuses on defining the actual “risk” itself, and provides
a quantitative framework for qualitative risk measurements. While
SecureState does not typically align with FAIR, this approach can be matched
with the iRisk methodology.
Operationally Critical Threat, Asset and Vulnerability Evaluation
(OCTAVE) is another popular approach. Originally developed in 2001 by
Carnegie Mellon University, OCTAVE is a fairly in-depth approach to
performing a Risk Assessment. As with FAIR, SecureState can perform a Risk
Assessment aligned with OCTAVE; however, the time-consuming nature of this
type of assessment is rarely within the budget of most organizations.
Finally, SecureState is able to perform a risk assessment which maps to
the guidance within NIST 800-30. Additional information on this can be found
here.