Risk Assessment Methodologies

Given my position as a senior information technology analyst, my company has charged me with the task of developing a risk assessment methodology. My organization has approximately 250 employees, and each of them uses his/her own terminal to access the organization's network. Similarly, the company has ten wireless access points for those who have portable devices. The company will effectively create a secure computing environment by ensuring its employees understand risks and apply a risk assessment methodology. However, the situation remains a challenge for most organizations because of the changing nature of technology, the growth of the internet and negative attitudes towards the task. Risk assessment refers to the structured and systematic procedure that information technology analysts use to gather inputs regarding business hazards, vulnerabilities, risks and controls with the aim of producing a risk magnitude that the team can discuss, control and avoid (Gantz & Philpott, 2013). This paper examines various risk assessment methodologies and adopts the one that is most appropriate for the organization.

The first risk assessment methodology is that of the National Institute of Standards and Technology (NIST). The approach requires a working team of skilled security analysts, system owners and technical experts. The role of the team is to identify, evaluate and manage risk in the organization's IT system. The processes in this methodology are comprehensive and entail the following. First, analysts engage in system characterization to collect information relevant to the IT system. Threat identification involves gathering information about the actions and sources of threats (Gantz & Philpott, 2013); threat sources may be human, environmental or natural. Vulnerability identification involves verifying whether the security standards in the IT system are fulfilled. Moreover, NIST prescribes control analysis and likelihood determination. The next step is impact analysis, which requires information about the system's value to the organization. Next, risk determination involves assessment of the risk, after which analysts provide control recommendations and document the results.

Second, the Operationally Critical Threat, Asset and Vulnerability Evaluation process (OCTAVE) is a workshop-based risk assessment methodology that helps organizations manage and protect themselves from risks associated with information security. The method requires participants to understand the risk and its components (Gantz & Philpott, 2013). Therefore, with a workshop-based approach, it is the responsibility of the organization to make decisions regarding the outcome of the risk assessment process. Phase 1 of the workshop-based approach entails gathering knowledge on important protection strategies, assets and threats from senior managers (Gantz & Philpott, 2013). The second phase involves gathering knowledge from operational area managers, and its processes include identifying key components and evaluating the selected components. The third phase entails gathering knowledge from staff, and its processes include conducting risk analysis and developing a protection strategy. The results of this process include a protection strategy, a mitigation plan and an action list.

The third process is the Facilitated Risk Assessment (FRAP). The process is costly when implementing risk management techniques. The methodology uses questionnaires and vulnerability, threat and hazard analysis in its process (Kim & Solomon, 2016). In addition, FRAP emphasizes a pre-screening system, and it is used to perform a formal risk assessment exercise on IT systems when warranted. Lastly, FRAP uses business impact analysis to tie risk to impact as a platform for determining the effect.

Fourth, the Consultative, Objective and Bi-functional Risk Analysis process (COBRA) is an approach that treats risk assessment as a business problem rather than a technical issue. The primary products of the approach are Risk Consultant and ISO Compliance (Kim & Solomon, 2016). Risk Consultant consists of knowledge bases and built-in templates, which users can use to develop questionnaires and obtain information on threats, types of assets, vulnerabilities and controls. Examples of the main knowledge bases include e-Security, IT security, operational risk and quick risk. The fifth methodology is Risk Watch. The tool uses an expert knowledge database that guides users through a risk assessment (Gantz & Philpott, 2013). Besides, it offers compliance reports and means to manage risks. In addition, the tool includes statistical information that helps to support quantitative risk assessment.

The table below is a risk level matrix that combines threat likelihood with threat impact. Each cell is the product of the likelihood value and the impact value, placed into one of three bands: a high risk is given by >50 to 100, a medium risk is >10 to 50, and a low risk is 1 to 10 (Nikolić & Ružić-Dimitrijević, 2009).

Threat Likelihood        Impact
                         Low (10)       Medium (50)     High (100)
High (1.0)               Low (10)       Medium (50)     High (100)
Medium (0.5)             Low (5)        Medium (25)     Medium (50)
Low (0.1)                Low (1)        Low (5)         Low (10)

(Nikolić & Ružić-Dimitrijević, 2009)
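The matrix above can be computed rather than filled in by hand. The following Python example is added here for illustration and is not part of the original paper; it uses the paper's likelihood values (1.0, 0.5, 0.1), impact values (10, 50, 100) and risk bands, and the findings it scores are constructed sample inputs, not an assessment of any real system.

```python
from typing import Dict, List, Tuple

# Scales taken from the risk level matrix in the text.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_score(likelihood: float, impact: int) -> float:
    """Risk magnitude = likelihood x impact (1 at minimum, 100 at maximum)."""
    return round(likelihood * impact, 6)  # rounding avoids float noise such as 10.000000000000002


def risk_level(score: float) -> str:
    """Map a score onto the paper's bands: Low 1-10, Medium >10-50, High >50-100.

    The boundaries are inclusive on the upper side, so 10 is Low and 50 is Medium.
    """
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> Dict[Tuple[str, str], Tuple[float, str]]:
    """Build the full 3x3 matrix keyed by (likelihood label, impact label)."""
    matrix = {}
    for l_name, l_val in LIKELIHOOD.items():
        for i_name, i_val in IMPACT.items():
            score = risk_score(l_val, i_val)
            matrix[(l_name, i_name)] = (score, risk_level(score))
    return matrix


def assess(findings: List[Tuple[str, str, str]]) -> List[Tuple[str, float, str]]:
    """Score (name, likelihood label, impact label) findings, highest risk first."""
    scored = []
    for name, l_label, i_label in findings:
        score = risk_score(LIKELIHOOD[l_label], IMPACT[i_label])
        scored.append((name, score, risk_level(score)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample findings for the 250-terminal, ten-access-point environment in the text.
SAMPLE_FINDINGS = [
    ("Employee terminal hygiene", "High", "Medium"),
    ("Wireless access point configuration", "Medium", "High"),
    ("Environmental (power/cooling) threat", "Low", "High"),
]

if __name__ == "__main__":
    for name, score, level in assess(SAMPLE_FINDINGS):
        print(f"{name:40s} {score:6.1f}  {level}")
```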

The methodology that my company will adopt is the OCTAVE approach. The two variants of this approach are OCTAVE-S and OCTAVE Allegro. The organization will adopt this methodology for the following reasons. First, the process can be implemented in parts (Kim & Solomon, 2016). Because of its exhaustive nature, the company can choose to implement the portions of the tasks that it finds appropriate. Second, the process offers a comprehensive consolidation of the threat profile (Kim & Solomon, 2016), which in most scenarios provides the primary intelligence for threat mitigation. Lastly, when using the method one does not need to focus on all assets, which saves time and allows the analysts to keep the scope relevant to the issue under consideration.



Gantz, S. D., & Philpott, D. R. (2013). FISMA and the risk management framework: The new practice of federal cyber security. Boston: Syngress.

Kim, D., & Solomon, M. G. (2016). Fundamentals of information systems security. Burlington, Massachusetts: Jones & Bartlett Publishers.

Nikolić, B., & Ružić-Dimitrijević, L. (2009). Risk assessment of information technology systems. Issues in Informing Science and Information Technology, 6, 595-615.
