Publication Citation: Understanding Insecure IT: Practical Risk Assessment

Author(s): Simon Liu; David R. Kuhn; Hart Rossman;
Title: Understanding Insecure IT: Practical Risk Assessment
Published: May 27, 2009
Abstract: IT systems have long been at risk from vulnerable software, malicious actions, or inadvertent user errors, in addition to run-of-the-mill natural and human-made disasters. As we discussed in the last issue (Surviving Insecure IT: Effective Patch Management, pp. 49-51), effective patch management is essential for shoring up security vulnerabilities, but we'll still never witness perfect patch management and risk-free IT systems. Risk assessment is therefore critical for identifying, analyzing, and prioritizing IT security risks. Risk assessment involves gathering and evaluating risk information so that enterprise stakeholders can make mitigation decisions. Once we identify the risks, we can rank the probability of each one's occurrence and its impact on the organization. Some risks are more likely to occur than others, and different risks can affect an organization in different ways, so a practical risk assessment can help ensure that enterprises identify the most significant risks and determine the best actions for mitigating them.
Citation: IT Professional (IEEE)
Volume: 11
Issue: 3
Pages: pp. 57-59
Keywords: information security, risk assessment, risk management
Research Areas: Information Technology
DOI: http://dx.doi.org/10.1109/MITP.2009.62