Security Risk Management Lesson

Dr Lawrie Brown

School of IT&EE, Australian Defence Force Academy, Canberra, Australia


This lesson presents an overview of IT security risk management, with emphasis on the critical risk assessment process. Risk assessment aims to identify the threats to, the vulnerabilities of, and the potential impacts on an organisation's information and information processing facilities. It then determines how likely each risk is to occur and what its consequences would be, so that the risks can be controlled and reduced to an acceptable level at an acceptable cost. Unfortunately, this process is often not managed well. We include an overview of some key international and national standards that provide guidance on this process, particularly ISO/IEC 13335 and NIST SP 800-30. The lesson concludes with a "simplified case study", walking through an example risk assessment for a hypothetical organisation (based on a real one), using the process we have described.


