IT systems have long been at risk from vulnerable software, malicious actions, or inadvertent user errors, in addition to run-of-the-mill natural and human-made disasters. As we discussed in the last issue ( Surviving Insecure IT: Effective Patch Management, pp. 49 51), effective patch management is essential for shoring up security vulnerabilities, but we ll still never witness perfect patch management and risk-free IT systems. Risk assessment is therefore critical for identifying, analyzing, and prioritizing IT security risks. Risk assessment involves gathering and evaluating risk information so that enterprise stakeholders can make mitigation decisions. Once we identify the risks, we can rank the probability of each one s occurrence and its impact on the organization. Some risks are more likely to occur than others, and different risks can affect an organization in different ways, so a practical risk assessment can help ensure that enterprises identify the most significant risks and determine the best actions for mitigating them.
, Kuhn, D.
and Rossman, H.
Understanding Insecure IT: Practical Risk Assessment, IT Professional (IEEE), [online], https://doi.org/10.1109/MITP.2009.62, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=902426
(Accessed June 10, 2023)