Saturday, February 28, 2015

Risk Management Models

There are various Risk Management Models around, some of which are discussed here:

General Risk Management Model: 


This five step general risk management model can be used in virtually any risk management process:

Step 1: Asset Identification

Identify and classify the assets, systems, and processes that need protection because they are vulnerable to threats. 

Step 2: Threat Assessment

After identifying assets, you identify both the threats and the vulnerabilities associated with each asset and the likelihood of their occurrence. All things have vulnerabilities; one of the keys is to focus on the vulnerabilities that are actually exploitable. Useful lists include CWE (from mitre.org), the SANS Top 25, and the OWASP Top 10.

Step 3: Impact Determination and Quantification

An impact is the loss created when a threat is realized and exploits a vulnerability. A tangible impact results in financial loss or physical damage. For an intangible impact, such as damage to a company's reputation, assigning a financial value can be difficult.

Step 4: Control Design and Evaluation

Determine the controls (also called countermeasures or safeguards) to put in place to mitigate risks. A list of software controls can be found in NIST SP 800-53.

Step 5: Residual Risk Management

The risk that remains after implementing controls is termed residual risk. Multiple controls can be applied to achieve a better defense posture through defense in depth.
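As an added worked example (not part of the original post), here are the five steps above expressed as a small risk register in Python. The assets, threats, 1-to-5 likelihood and impact scores, and control reduction factors are constructed sample values, and stacking controls multiplicatively is an assumed way to express defense in depth.

```python
"""Five-step risk register walk-through (added example, not from the original post).
Likelihood and impact use a 1-5 scale; every value below is constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_reduction: float  # assumed model: fraction of likelihood removed, 0.0-1.0


@dataclass
class Risk:
    asset: str                                     # Step 1: asset identification
    threat: str                                    # Step 2: threat assessment
    likelihood: int                                # Step 2: 1 (rare) .. 5 (almost certain)
    impact: int                                    # Step 3: 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)   # Step 4: control design

    def inherent(self) -> float:
        """Risk before any control is applied."""
        return self.likelihood * self.impact

    def residual_likelihood(self) -> float:
        """Defense in depth: each control removes a fraction of what is left,
        so stacked controls reduce likelihood further but never to zero."""
        remaining = float(self.likelihood)
        for c in self.controls:
            remaining *= 1.0 - c.likelihood_reduction
        return remaining

    def residual(self) -> float:
        """Step 5: residual risk after controls."""
        return self.residual_likelihood() * self.impact


def prioritize(risks):
    """Highest residual risk first, which is what needs attention next."""
    return sorted(risks, key=lambda r: r.residual(), reverse=True)


# Constructed sample register (hypothetical assets and controls)
SAMPLE = [
    Risk("customer database", "SQL injection", 4, 5,
         [Control("parameterized queries", 0.9), Control("WAF", 0.5)]),
    Risk("public web server", "unpatched known flaw", 3, 4, [Control("monthly patching", 0.6)]),
    Risk("company reputation", "breach disclosure", 2, 5),  # intangible impact, no control yet
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE):
        print(f"{r.asset:20} {r.threat:22} inherent={r.inherent():5.1f} residual={r.residual():5.2f}")
```

Note how the database, which has the highest inherent risk, drops to the bottom once two stacked controls are counted, while the uncontrolled intangible risk rises to the top of the list.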

Software Engineering Institute Model:


1. Identify:

Examine the system, enumerating potential risks.

2. Analyze:

Convert the risk data gathered into information that can be used to make decisions. Evaluate the impact, probability, and timeframe of the risk. Classify and prioritize each of the risks.

3. Plan: 

Review and evaluate the risks and decide what actions to take to mitigate them. Implement the plan.

4. Track:

Monitor the risks and the mitigation plans. Review periodically to measure progress and identify new risks.

5. Control:

Make corrections for deviations from risk mitigation plans. Changes in business procedures may require adjustments in plans or actions, as do faulty plans and risks that become problems.
