

Develop and Conduct Threat and Risk Assessments

If you don’t assess risk, you’re accepting it.

  • IT departments are tasked with implementing new projects or initiatives, but are often unsure how to assess the risk these introduce.
  • Often, stakeholders will have an informal discussion regarding any risks and make a final decision based on that.

Our Advice

Critical Insight

  • Informal, ad hoc discussions do not allow for informed risk assessments, which can affect how the organization as a whole manages risk.
  • Even for companies looking to adopt formal risk management, there are numerous frameworks and assessment techniques that offer best-practice advice but no clear methodology on how to complete a threat and risk assessment.
  • When evaluating risk, standardize your risk assumptions. Establish clear definitions for the frequency and impact of potential threats; the same definitions can then be reused across future risk assessments and across your risk environment.

Impact and Result

  • Use Info-Tech’s risk assessment methodology to quantify the threat severity of any new or existing project.
  • Determine the scope of the assessment and build frequency and impact definitions in order to have a repeatable process.
  • Make informed risk treatment decisions based on the results – whether to accept, transfer, mitigate, or terminate the risk.
  • Connect your threat and risk assessment results to your wider risk management program. Doing this can inform the organization as to the macro level of risk that it faces.

Develop and Conduct Threat and Risk Assessments Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should develop and conduct threat and risk assessments, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Define the scope

Identify which assets and data types are within scope of your assessment, and determine your risk tolerance level.

2. Conduct the risk assessment

Define frequency and impact rankings, and then assess the risk of your project.

3. Communicate and manage results

Determine what risk decisions need to be made.


About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 3-phase advisory process. You'll receive 9 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Define the scope
  • Call 1: Determine when to initiate a risk assessment.
  • Call 2: Define the scope of the assessment.
  • Call 3: Identify the organizational risk tolerance.

Guided Implementation 2: Conduct the risk assessment
  • Call 1: Define frequency and impact.
  • Call 2: Identify STRIDE threats.
  • Call 3: Assign countermeasures and review final results.

Guided Implementation 3: Communicate and manage results
  • Call 1: Discuss potential risk action options.
  • Call 2: Perform “what if” analysis with mitigations.
  • Call 3: Connect to the risk management program.
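
A worked run through the three phases above (scope and tolerance, frequency and impact scoring of STRIDE threats, then the "what if" pass with countermeasures and a treatment decision), added here as an illustration; it is not Info-Tech's tool or data. The 1-5 frequency and impact scales, the hypothetical customer-portal assets and threats, the countermeasure reductions and the tolerance of 9 are all assumptions.

```python
"""Worked threat and risk assessment: STRIDE threats on a project's assets are scored
as frequency x impact, countermeasures are applied in a "what if" pass, and each
residual score is compared with the risk tolerance to pick a treatment.
The scales, assets, threats and reductions are constructed for illustration and
are not Info-Tech's tool or data."""
from dataclasses import dataclass, field

# Assumed 1-5 scales. Define them once and reuse them across assessments so that a
# "4" means the same thing in every project's register.
FREQUENCY = {
    1: "rare: less than once in 10 years",
    2: "unlikely: once in 5 to 10 years",
    3: "possible: once in 1 to 5 years",
    4: "likely: about once a year",
    5: "frequent: monthly or more often",
}
IMPACT = {
    1: "negligible: absorbed by normal operations",
    2: "minor: one team affected, no customer or regulatory effect",
    3: "moderate: service degraded, contained customer effect",
    4: "major: outage or breach with regulatory reporting",
    5: "severe: threatens the organization's viability",
}
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")


@dataclass
class Countermeasure:
    name: str
    frequency_reduction: int = 0   # how many frequency steps it removes
    impact_reduction: int = 0      # how many impact steps it removes


@dataclass
class Threat:
    asset: str
    category: str                  # one of STRIDE
    description: str
    frequency: int                 # key into FREQUENCY
    impact: int                    # key into IMPACT
    countermeasures: list = field(default_factory=list)

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"not a STRIDE category: {self.category}")
        if self.frequency not in FREQUENCY or self.impact not in IMPACT:
            raise ValueError("frequency and impact must use the defined 1-5 scales")

    def inherent_risk(self) -> int:
        return self.frequency * self.impact

    def residual_risk(self) -> int:
        """Score after every listed countermeasure is applied (never below 1 x 1)."""
        f, i = self.frequency, self.impact
        for cm in self.countermeasures:
            f = max(1, f - cm.frequency_reduction)
            i = max(1, i - cm.impact_reduction)
        return f * i


def treatment(threat: Threat, tolerance: int) -> str:
    """Map scores to the four treatment options: accept, mitigate, transfer, terminate.
    Transfer versus terminate is a stakeholder decision, so both are returned together."""
    if threat.inherent_risk() <= tolerance:
        return "accept"
    if threat.residual_risk() <= tolerance:
        return "mitigate"
    return "transfer or terminate"


def assess(threats: list, tolerance: int) -> list:
    """One register row per threat, sorted so the biggest residual risks come first."""
    rows = [{
        "asset": t.asset, "category": t.category, "description": t.description,
        "inherent": t.inherent_risk(), "residual": t.residual_risk(),
        "treatment": treatment(t, tolerance),
    } for t in threats]
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


def macro_risk(rows: list) -> dict:
    """Per-asset residual totals, the figure to feed the wider risk management program."""
    totals = {}
    for r in rows:
        totals[r["asset"]] = totals.get(r["asset"], 0) + r["residual"]
    return totals


# Constructed sample register for a hypothetical customer-portal project.
PORTAL_THREATS = [
    Threat("portal web app", "Spoofing", "credential stuffing against customer login", 5, 4,
           [Countermeasure("MFA on customer accounts", frequency_reduction=3)]),
    Threat("customer PII database", "Information disclosure", "SQL injection exfiltrates PII", 3, 5,
           [Countermeasure("parameterized queries", frequency_reduction=2),
            Countermeasure("field-level encryption of PII", impact_reduction=1)]),
    Threat("portal web app", "Denial of service", "volumetric DDoS during peak hours", 4, 3),
    Threat("portal web app", "Tampering", "order total altered in client request", 2, 3),
]
TOLERANCE = 9   # assumed: the organization accepts scores up to 3 x 3


if __name__ == "__main__":
    register = assess(PORTAL_THREATS, TOLERANCE)
    for row in register:
        print(f"{row['residual']:>2} (was {row['inherent']:>2}) {row['treatment']:<22}"
              f"{row['category']}: {row['description']}")
    print("macro residual risk per asset:", macro_risk(register))
```

The point of the structure is the separation the page asks for: the scales are defined once and validated on every threat, so two assessors cannot mean different things by "likely"; the "what if" pass changes only the countermeasure list, never the scoring; and the treatment column comes out of the comparison with the tolerance rather than from the discussion in the room. The denial-of-service row shows the case that still exceeds tolerance after the pass and therefore has to go back to stakeholders as a transfer-or-terminate decision.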

Authors

Filipe De Souza

Cameron Smith

Contributors

  • Robert Banniza, Senior Director – IT Center Security, AMSURG
  • Robert Hawk, Information Security Expert, xMatters, inc
  • Joey LaCour, CISO, Colonial Savings, F.A.
  • Sky Sharma, Cyber Security Advocate, skysharma.net
  • 1 additional anonymous contributor

