Trial lock

This Research is for Members Only

Not a member? Unlock a free sample of our research now!

Already a member?

Sign in now

Security icon

Combine Security Risk Management Components Into One Program

With great risk management comes a great security program.

Unlock a Free Sample

View Storyboard

Solution Set Storyboard Thumbnail

Your Challenge

  • Companies are aware of the need to discuss and assess risk, but many struggle to do so in a systematic and repeatable way.
  • Rarely are security risks analyzed in a consistent manner, let alone in a systematic and repeatable method to determine project risk as well as overall organizational risk exposure.

Our Advice

Critical Insight

  • The best security programs are built upon defensible risk management. With an appropriate risk management program in place, you can ensure that security decisions are made strategically instead of based on frameworks and gut feelings. This will optimize any security planning and budgeting.
  • All risks can be quantified. Security, compliance, legal, or other risks can be quantified using our methodology.

Impact and Result

  • Develop a security risk management program to create a standardized methodology for assessing and managing the risk that information systems face.
  • Build a risk governance structure that makes it clear how security risks can be escalated within the organization and who makes the final decision on certain risks.
  • Use Info-Tech’s risk assessment methodology to quantifiably evaluate the threat severity for any new or existing project or initiative.
  • Tie together all aspects of your risk management program, including your information security risk tolerance level, threat and risk assessments, and mitigation effectiveness models.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should develop and implement a security risk management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Establish the risk environment

Lay down the foundations for security risk management, including roles and responsibilities and a defined risk tolerance level.

3. Build the security risk register

Catalog an inventory of individual risks to create an overall risk profile.

4. Communicate the risk management program

Communicate the risk-based conclusions and leverage these in security decision making.

Guided Implementations

This guided implementation is a seven call advisory process.

Guided Implementation #1 - Establish the risk environment

Call #1 - Discuss current risk management processes in the organization.
Call #2 - Identify the organizational risk tolerance.

Guided Implementation #2 - Conduct threat and risk assessments

Call #1 - Build data element inventory.
Call #2 - Identify STRIDE threats.
Call #3 - Assign countermeasures and review final results.

Guided Implementation #3 - Build the security risk register

Call #1 - Establish a risk register and review risk assessment methodology.

Guided Implementation #4 - Communicate the risk management program

Call #1 - Review what reporting requirements are necessary per your risk management program.

Onsite Workshop

Discuss This Workshop

Book Your Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Establish the Risk Environment

The Purpose

  • Build the foundation needed for a security risk management program.
  • Define roles and responsibilities of the risk executive.
  • Define an information security risk tolerance level.

Key Benefits Achieved

  • Clearly defined roles and responsibilities.
  • Defined risk tolerance level.




Define the security executive function RACI chart.

  • Defined risk executive functions

Assess business context for security risk management.

  • Risk governance RACI chart

Standardize risk terminology assumptions.

  • Defined quantified risk tolerance and risk factor weightings

Conduct preliminary evaluation of risk scenarios to determine your risk tolerance level.


Decide on a custom risk factor weighting.


Finalize the risk tolerance level.


Begin threat and risk assessment.

Module 2: Conduct Threat and Risk Assessments

The Purpose

  • Determine when and how to conduct threat and risk assessments (TRAs).
  • Complete one or two TRAs, as time permits during the workshop.

Key Benefits Achieved

  • Developed process for how to conduct threat and risk assessments.
  • Deep risk analysis for one or two IT projects/initiatives.




Determine when to initiate a risk assessment.


Review appropriate data classification scheme.


Identify system elements and perform data discovery.

  • Define scope of system elements and data within assessment

Map data types to the elements.

  • Mapping of data to different system elements

Identify STRIDE threats and assess risk factors.

  • Threat identification and associated risk severity

Determine risk actions taking place and assign countermeasures.

  • Defined risk actions to take place in threat and risk assessment process

Calculate mitigated risk severity based on actions.


If necessary, revisit risk tolerance.


Document threat and risk assessment methodology.

Module 3: Continue to Conduct Threat and Risk Assessments

The Purpose

Complete one or two TRAs, as time permits during the workshop.

Key Benefits Achieved

Deep risk analysis for one or two IT projects/initiatives, as time permits.




Continue threat and risk assessment activities.


As time permits, one to two threat and risk assessment activities will be performed as part of the workshop.

  • One to two threat and risk assessment activities performed

Review risk assessment results and compare to risk tolerance level.

  • Validation of the risk tolerance level

Module 4: Establish a Risk Register and Communicate Risk

The Purpose

  • Collect, analyze, and aggregate all individual risks into the security risk register.
  • Plan for the future of risk management.

Key Benefits Achieved

  • Established risk register to provide overview of the organizational aggregate risk profile.
  • Ability to communicate risk to other stakeholders as needed.




Begin building a risk register.

  • Risk register, with an inventory of risks and a macro view of the organization’s risk

Identify individual risks and threats that exist in the organization.


Decide risk responses, depending on the risk level as it relates to the risk tolerance.


If necessary, revisit risk tolerance.


Identify which stakeholders sign off on each risk.


Plan for the future of risk management.

  • Defined risk-based initiatives to complete

Determine how to present risk to senior management.

  • Plan for securing and managing the risk register