Definition: The phrase "Risk Assessment", when used in the context of information security, refers to a formal study of the threat matrix faced by an information infrastructure. Part of the analysis includes the likelihood that damage will occur and an estimate of the potential loss. A risk assessment must also examine vulnerabilities. The cost of securing an entire information infrastructure may be prohibitive, and a structured analysis of what might be lost allows the system owner to determine which information can be harmed without losing business continuity. An appropriate security infrastructure can then be fashioned based upon the study’s findings.
Its Relevance: An organization’s information security policies should include a detailed section on how assessment is to be carried out. By conducting such a review, the infrastructure owner gains a better understanding of existing security gaps and the mitigations they require. The cost of each mitigation must be weighed against the threat it addresses, measured in terms of potential financial losses and other factors.