Security Risk Management Overview

Dr Lawrie Brown
School of IT&EE, Australian Defence Force Academy, Canberra, Australia

Last updated: 10 Feb 2004


This talk presents a brief overview of security risk management, including the critical risk assessment process. That process aims to identify threats to, impacts on and vulnerabilities of information and information processing facilities, and the likelihood of their occurrence, so that these threats can be controlled and minimised at an acceptable cost. Unfortunately, this process is often not managed well. Relevant international and national standards that provide guidance on this process will be mentioned. An overview of the process as outlined in DSD ACSI 33, and mandated for Commonwealth government use, will then be presented as more detailed guidance for those who need to undertake such a process.


  1. Introduction
  2. Risk Management
  3. Risk Analysis
  4. Risk Analysis Scope
  5. Risk Analysis IS Necessary
  6. AusCERT Crime 2003 - Security Standards
  7. AS/NZS ISO/IEC 17799:2001 Information technology - Code of practice for information security management
  8. AS/NZS ISO/IEC 17799:2001 Major Sections
    1. Scope
    2. Terms and Definitions
    3. Security Policy
    4. Organizational Security
    5. Asset Classification and Control
    6. Personnel Security
    7. Physical and Environmental Security
    8. Communications and Operations Management
    9. Access Control
    10. Systems Development and Maintenance
    11. Business Continuity Management
    12. Compliance

      Here is the list of major sections in 17799, taken from its Contents table.

  9. AS/NZS 7799.2:2002 - Information security management - Part 2: Specification for information security management systems
  10. AS/NZS 4360:1999 - Risk management
  11. HB 231:2000 - Information Security Risk Management Guidelines
  12. ACSI33 - Australian Communications-Electronic Security Instruction 33 - Government IT Security Manual
  13. Risk Management Process - AS4360 vs AS7799.2
  14. The Risk Assessment Process in more Detail
  15. Stage 1: Establishing the Context
  16. Asset Identification (in step 5 above)
  17. Stage 2: Identifying the Threats / Risks
  18. Identifying Threats / Risks
  19. Stage 3: Analysing the Risks
  20. Consequence Determination
  21. Likelihood Determination
  22. Risk Matrix
  23. Overall Level of Risk
  24. Stage 4: Assessing & Prioritising Risks
  25. Stage 5: Determining Appropriate Controls
  26. Possible Controls
  27. Determining Appropriate Controls
    1. Write the unacceptable identified risks from the risk register in priority order in a control register.
    2. Record one or more appropriate controls for each risk on the risk worksheet.
    3. Perform a cost/benefit analysis and write accept or reject against each control in the risk worksheet.
    4. Calculate the residual risk rating taking into consideration the effect of the accepted control/s.
    5. Assess the residual risk rating according to the criteria recorded on the risk register and update the risk register.
    6. Record the accepted controls in the control register.
  28. TRA Executive Summary Example


  29. Conclusion
  30. References
    Talk Outline:

    ACSI33 (2000): DSD, ACSI33, "Government IT Security Manual", (2000)
    Draft ACSI33 (2004): DSD, ACSI33, "Government IT Security Manual Draft", (2004)
    DSD Library

    AS/NZS ISO/IEC 17799:2001: ISO/IEC, "AS/NZS ISO/IEC 17799:2001 - Information technology - Code of practice for information security management"
    AS/NZS 7799.2:2003: Standards Australia, "AS/NZS 7799.2:2003 - Information security management - Specification for information security management systems"
    AS/NZS 4360:1999: Standards Australia, "AS/NZS 4360:1999 : Risk management"
    SA HB 231:2000: Standards Australia, "HB 231:2000 - Information Security Risk Management Guidelines"

    AusCERT
    AUSCERT Crime03: AusCERT - 2003 Australian Computer Crime and Security Survey
    SANS (System Administration, Networking, and Security) Institute

Copyright © Dr Lawrie Brown / 10 Feb 2004