Get Instant Access
to This Blueprint

Security icon

Develop and Conduct Threat and Risk Assessments

If you don’t assess risk, you’re accepting it.

  • IT departments are tasked with implementing new projects or initiatives, but are often unsure how to assess the risk with these.
  • Often, stakeholders will have an informal discussion regarding any risks and make a final decision based on that.

Our Advice

Critical Insight

  • Informal, ad hoc discussions do not allow for informed risk assessments, which can affect how the organization as a whole manages risk.
  • Even for companies looking to adopt formal risk management, there are numerous frameworks and assessment techniques that offer best-practice advice but no clear methodology on how to complete a threat and risk assessment.
  • When evaluating risk, standardize your risk assumptions. There will be a need to establish clear definitions for frequency and impact of potential threats, and this will be useful across future risk assessments and across your risk environment.

Impact and Result

  • Use Info-Tech’s risk assessment methodology to quantifiably evaluate the threat severity for any new or existing project.
  • Determine the scope of the assessment and build frequency and impact definitions in order to have a repeatable process.
  • Make informed risk treatment decisions based on the results – whether to accept, transfer, mitigate, or terminate the risk.
  • Connect your threat and risk assessment results to your wider risk management program. Doing this can inform the organization as to the macro level of risk that it faces.

Develop and Conduct Threat and Risk Assessments Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should develop and conduct threat and risk assessments, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Define the scope

Identify which assets and data types are within scope of your assessment, and determine your risk tolerance level.

2. Conduct the risk assessment

Define frequency and impact rankings, and then assess the risk of your project.

3. Communicate and manage results

Determine what risk decisions need to be made.

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.




$ Saved

Days Saved

Equity Settlement Services

Guided Implementation




Workshop: Develop and Conduct Threat and Risk Assessments

Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Establish the Risk Environment

The Purpose

  • Build the foundation needed for a security risk management program.
  • Define roles and responsibilities of the risk executive.
  • Define an information security risk tolerance level.

Key Benefits Achieved

  • Clearly defined roles and responsibilities.
  • Defined risk tolerance level.




Define the security executive function RACI chart.

  • Defined roles and responsibilities for the risk executive

Assess your organizational risk culture.


Perform a cursory assessment of management risk culture.


Standardize impact terminology.

  • Standardized impact terminology to be used throughout the risk model

Define frequency or impact thresholds outside of individual risk tolerance level.

  • Defined frequency and impact thresholds to be used throughout the risk model

Evaluate risk scenarios to determine risk tolerance level.


Optimize the sensitivity of your screening test.


Decide on a custom weighting.


Finalize the risk tolerance level.

  • Defined risk tolerance level

Module 2: Conduct Threat and Risk Assessments

The Purpose

  • Determine when and how to conduct threat and risk assessments (TRAs).
  • Complete one or two TRAs, as time permits during the workshop.

Key Benefits Achieved

  • Developed process for how to conduct threat and risk assessments.
  • Deep risk analysis for one or two IT projects/initiatives, as time permits.




Determine when to initiate a risk assessment and which project/initiative will be assessed.

  • Established criteria for when to conduct risk assessments

Review appropriate data classification scheme.


Identify system elements and perform data discovery.

  • Defined scope of the threat and risk assessment

Map data types to the elements.


Identify STRIDE threats and assign rankings.

  • Identified threats to the particular project and defined current severity level

Determine risk actions taking place and assign countermeasures.

  • Defined actions to review and/or reduce risk

Calculate mitigated risk severity based on actions.

  • Defined mitigated risk severity level

Review results and form risk-based decisions.

  • Final decisions made based upon the final risk assessment results

Module 3: Build a Security Risk Register

The Purpose

  • Collect, analyze, and aggregate all individual risks into the security risk register.
  • Plan for the future of risk management.

Key Benefits Achieved

  • Established risk register to provide overview of the organizational aggregate risk profile.
  • Ability to communicate risk to other stakeholders as needed.




Begin building a risk register.

  • Established risk register document.

Identify risks and threats that exist in the organization.

  • Identification of risks beyond that of the TRAs alone.

Identify which stakeholders sign off on each risk.


Review the aggregate risk level of the entire organization.

  • Understanding of the aggregate level of risk.

Act upon risk results, depending on the aggregate level as it relates to the risk tolerance.


If necessary, revisit risk tolerance.


Plan for the future of risk management.

Develop and Conduct Threat and Risk Assessments preview picture

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Speak With An Analyst

Get the help you need in this 3-phase advisory process. You'll receive 9 touchpoints with our researchers, all included in your membership.

Guided Implementation 1: Define the scope
  • Call 1: Determine when to initiate a risk assessment.
  • Call 2: Define the scope of the assessment.
  • Call 3: Identify the organizational risk tolerance.

Guided Implementation 2: Conduct the risk assessment
  • Call 1: Define frequency and impact.
  • Call 2: Identify STRIDE threats.
  • Call 3: Assign countermeasures and review final results.

Guided Implementation 3: Communicate and manage results
  • Call 1: Discuss potential risk action options.
  • Call 2: Perform “what if” analysis with mitigations.
  • Call 3: Connect to the risk management program.


Filipe De Souza

Cameron Smith


  • Robert Banniza, Senior Director – IT Center Security, AMSURG
  • Robert Hawk, Information Security Expert, xMatters, inc
  • Joey LaCour, CISO, Colonial Savings, F.A.
  • Sky Sharma, Cyber Security Advocate,
  • 1 additional anonymous contributor

Visit our IT Cost Optimization Center
Over 100 analysts waiting to take your call right now: 1-519-432-3550 x2019