Project Definition ◾ 49
© 2011 by Taylor & Francis Group, LLC
should be presented in a context that is understandable by the customer.
As such, a description should accompany the residual security risk state-
ment, for example, a range for quantitative security risk measurements or
managerial description for qualitative security risk approaches.
Adequate and Relevant Evidence—e results of a security risk assessment are
recommendations for changes at an organization. Prior to those changes
being implemented, the organization will likely scrutinize elements of the
security risk assessment report to ensure that the recommendations are
well founded. A quality security risk assessment report will contain ade-
quate and relevant evidence for its c ...