Author(s)
Simon Liu, D. Richard Kuhn, Hart Rossman
Abstract
IT systems have long been at risk from vulnerable software, malicious actions, or inadvertent user errors, in addition to run-of-the-mill natural and human-made disasters. As we discussed in the last issue ("Surviving Insecure IT: Effective Patch Management," pp. 49–51), effective patch management is essential for shoring up security vulnerabilities, but we'll still never witness perfect patch management and risk-free IT systems. Risk assessment is therefore critical for identifying, analyzing, and prioritizing IT security risks. Risk assessment involves gathering and evaluating risk information so that enterprise stakeholders can make mitigation decisions. Once we identify the risks, we can rank the probability of each one's occurrence and its impact on the organization. Some risks are more likely to occur than others, and different risks can affect an organization in different ways, so a practical risk assessment can help ensure that enterprises identify the most significant risks and determine the best actions for mitigating them.
Citation
IT Professional (IEEE)
Keywords
information security, risk assessment, risk management
Citation
Liu, S., Kuhn, D. and Rossman, H. (2009), Understanding Insecure IT: Practical Risk Assessment, IT Professional (IEEE), [online], https://doi.org/10.1109/MITP.2009.62, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=902426 (Accessed May 9, 2026)