What are the most commonly used risk assessment models for security analysis?

Narrative Scenarios: Incorporating narrative scenarios alongside qualitative models enhances the depth of risk analysis. Narratives provide context, helping stakeholders visualize potential threats and their impacts realistically. This approach engages decision-makers by illustrating specific risk events and their consequences, fostering a more nuanced understanding. While qualitative models provide a framework, narratives offer a qualitative layer, enriching risk discussions. By amalgamating narratives with tools like SWOT analysis, organizations gain a holistic view, fortifying decision-making by integrating expert opinions with compelling, real-world scenarios, ensuring a more comprehensive and insightful risk assessment process.

Threat is a function of intention and capability. We can't get to likelihood without this nuance. For instance, if I am a thief, I may want to rob a central bank, but I might stick to auto theft for now if I only have a crowbar and limited experience. Similarly, the impact depends on our vulnerability (security, predictability, and resilience). For instance, if that central bank's security is solid, but they change guards at a predictable time/pattern daily, then we have a weakness. Finally, when calibrating threat and vulnerability, steer clear of risk jargon, and ask people more simple questions - who, how, what. Ask us to rank things using numbers (%, a universal language), not complex words ("Negligible, improbable", etc.).

1. NIST Risk Management Framework (RMF) is a widely adopted risk assessment model developed by the National Institute of Standards and Technology (NIST) in the United States. 2. OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a risk assessment methodology developed by the Software Engineering Institute (SEI) at Carnegie Mellon University. 3. ISO 27005: ISO 27005 is a risk management standard within the ISO/IEC 27000 series. 4. FAIR (Factor Analysis of Information Risk) is an analytical framework for risk assessment and decision-making. 5. CIS RAM (Center for Internet Security Risk Assessment Method) is a risk assessment method developed by the Center for Internet Security (CIS).

1. OCTAVE 2. NIST SP 800-30 outlines a comprehensive risk assessment process that includes threat identification, vulnerability assessment, control analysis, likelihood determination, impact analysis, and risk determination. 3. ISO/IEC 27005 is an international standard for information security risk management. 4. FAIR (Factor Analysis of Information Risk) is a quantitative risk assessment model focused on measuring and analyzing information security risks in financial terms. 5. DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability)is a risk assessment model that assess software risks. 6. STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege).

A security risk assessment?identifies, assesses, and implements key security controls in applications. It also focuses on preventing application security defects and vulnerabilities. Carrying out a risk assessment allows an organization to view the application portfolio holistically—from an attacker's perspective.

The FAIR Methodology (Factor Analysis of Information Risk) is a valuable concept for quantifying security risks. In combination with a Bow-Tie analysis, this can be a powerful tool. We should remember that even though quantifying appears highly scientific, it is only as accurate as the people modeling it, and it can also be biased. I use quantification as an addition to better understand risks.

Risk management standards and expectations depend entirely on the use case and situation. There is no one-size-fits-all. For example, assessing risk for insider threats vs. assessing risk for human error in the workplace would look different. With insider threats, you're looking at social media and online platforms, your cybersecurity infrastructure, employee behavior and morale, performing background investigations, etc. And you're telling stakeholders these are some critical points to cover. With human error, it is more about ensuring that proper instructions are provided to employees so that they understand how to protect company property and stay safe in the workplace.

There are risk management frameworks and standards but then each organisation have to assess their needs and requirements and use those frameworks and standards in line to that. With AI and ML taking center stage, transforming risk management and assessment using these technologies definitely will give an extra advantage by looking at trends, patterns and predicting risks and taking actions.