Risk Assessments, like threat models, vary widely in both how they are understood and how they are carried out. At the highest level, a Risk Assessment involves determining the organization's current level of acceptable risk, measuring the current risk level, and then determining what can be done to bring the two into line wherever they do not match. Risk Assessments commonly rate risks along two dimensions: probability and impact. Both quantitative and qualitative models are used. The goal of a Risk Assessment is to determine a course of action that brings risk to an acceptable level. A Risk Assessment can be conducted independently or as part of a larger Enterprise Security Assessment.
Best Suited For: Organizations seeking to understand where their valuable data resides, how it can be attacked, what would be lost if those attacks were successful, and what should be done to address the issues.