Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Understanding Insecure IT: Practical Risk Assessment



Simon Liu, D. Richard Kuhn, Hart Rossman


IT systems have long been at risk from vulnerable software, malicious actions, or inadvertent user errors, in addition to run-of-the-mill natural and human-made disasters. As we discussed in the last issue ( Surviving Insecure IT: Effective Patch Management, pp. 49 51), effective patch management is essential for shoring up security vulnerabilities, but we ll still never witness perfect patch management and risk-free IT systems. Risk assessment is therefore critical for identifying, analyzing, and prioritizing IT security risks. Risk assessment involves gathering and evaluating risk information so that enterprise stakeholders can make mitigation decisions. Once we identify the risks, we can rank the probability of each one s occurrence and its impact on the organization. Some risks are more likely to occur than others, and different risks can affect an organization in different ways, so a practical risk assessment can help ensure that enterprises identify the most significant risks and determine the best actions for mitigating them.
IT Professional (IEEE)


information security, risk assessment, risk management


Liu, S. , Kuhn, D. and Rossman, H. (2009), Understanding Insecure IT: Practical Risk Assessment, IT Professional (IEEE), [online],, (Accessed April 18, 2024)
Created May 26, 2009, Updated October 12, 2021