Abstract

Security in any system should be commensurate with its risks. However, the processes to determine which security controls are appropriate and cost effective are quite often a complex and sometimes a subjective matter. One of the prime functions of security risk analysis is to put this process onto a more objective basis. Every organization should consider what types of risk assessments are relevant to its objectives. The scope of risk assessment that management chooses to perform depends on priorities and objectives. It may be narrow and specific to a particular risk and the industry (e.g., financial, energy, transportation).