Trial lock

This Research is for Members Only

Not a member? Unlock a free sample of our research now!

Already a member?

Sign in now

Security icon

Develop and Conduct Threat and Risk Assessments

If you don’t assess risk, you’re accepting it.

Unlock a Free Sample

View Storyboard

Solution Set Storyboard Thumbnail


  • Robert Banniza, Senior Director – IT Center Security, AMSURG
  • Robert Hawk, Information Security Expert, xMatters, inc
  • Joey LaCour, CISO, Colonial Savings, F.A.
  • Sky Sharma, Cyber Security Advocate
  • 1 additional anonymous contributor

Your Challenge

  • IT departments are tasked with implementing new projects or initiatives, but are often unsure how to assess the risk with these.
  • Often, stakeholders will have an informal discussion regarding any risks and make a final decision based on that.

Our Advice

Critical Insight

  • Informal, ad hoc discussions do not allow for informed risk assessments, which can affect how the organization as a whole manages risk.
  • Even for companies looking to adopt formal risk management, there are numerous frameworks and assessment techniques that offer best-practice advice but no clear methodology on how to complete a threat and risk assessment.
  • When evaluating risk, standardize your risk assumptions. There will be a need to establish clear definitions for frequency and impact of potential threats, and this will be useful across future risk assessments and across your risk environment.

Impact and Result

  • Use Info-Tech’s risk assessment methodology to quantifiably evaluate the threat severity for any new or existing project.
  • Determine what the scope of the assessment is and build frequency and impact definitions in order to have a repeatable process.
  • Make informed risk treatment decisions based on the results – whether to accept, transfer, mitigate, or terminate the risk.
  • Connect your threat and risk assessment results to your wider risk management program. Doing this can inform the organization as to the macro level of risk that it faces.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should develop and conduct threat and risk assessments, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Define the scope

Identify which assets and data types are within scope of your assessment, and determine your risk tolerance level.

2. Conduct the risk assessment

Define frequency and impact rankings, and then assess the risk of your project.

3. Communicate and manage results

Determine what risk decisions need to be made.

Guided Implementations

This guided implementation is a nine call advisory process.

Guided Implementation #1 - Define the scope

Call #1 - Determine when to initiate a risk assessment.
Call #2 - Define the scope of the assessment.
Call #3 - Identify the organizational risk tolerance.

Guided Implementation #2 - Conduct the risk assessment

Call #1 - Define frequency and impact.
Call #2 - Identify STRIDE threats.
Call #3 - Assign countermeasures and review final results.

Guided Implementation #3 - Communicate and manage results

Call #1 - Discuss potential risk action options.
Call #2 - Perform “what if” analysis with mitigations.
Call #3 - Connect to the risk management program.

Onsite Workshop

Discuss This Workshop

Book Your Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Define the Scope

The Purpose

  • Define the scope of the threat and risk assessment, including data types and assets.
  • Determine the organizational risk tolerance.

Key Benefits Achieved

  • Scope is clearly laid out for the assessment of risk.
  • Risk tolerance has been identified, which will be needed to see if this particular project is above the tolerance level.




Determine when to initiate a threat and risk assessment.

  • Criteria to initiate a risk assessment.

Identify system elements and data types within scope of the assessment, and map data to elements.

  • Defined scope of assessment, including data mapped to system elements.

Define the organizational risk tolerance.

  • Defined risk tolerance level.

Module 2: Conduct the Risk Assessment

The Purpose

Assess the risk associated with the particular project.

Key Benefits Achieved

Understanding of the risk associated with the particular project or initiative.




Determine frequency and impact definitions.

  • Frequency and impact definitions, which can extend to entire risk environment.

Identify relevant threats to the project by using STRIDE.

  • Identified threats and their severity.

Determine risk actions being taken currently.


Identify current countermeasures and calculate mitigated risk severity.

  • Evaluation of effectiveness of current controls for this project and how it affects risk.

Review the results of the risk assessment.

  • Final results of the risk assessment.

Module 3: Communicate and Manage Results

The Purpose

Determine what risk decisions must be made as part of a larger risk management program.

Key Benefits Achieved

Understanding of how to proceed with the project, with risk-based decisions.




Proceed with project, if below risk tolerance, with comparison to macro risk level.


Determine appropriate risk actions, if above risk tolerance – whether to mitigate, transfer, terminate, or accept the risk.

  • Determination of what risk action to take.

Plan for mitigation against threats, if above risk tolerance, with a “what if” analysis.

  • Plan for new or improved mitigating controls to bring the threat severity to an acceptable level.

Enter results into risk register as part of risk management project.

  • Connection of results to the IT security risk register.

Search Code: 80367
Published: April 14, 2016
Last Revised: March 1, 2017