Develop a Security Risk Management Program

Build a strong risk management foundation for your information security program. 


Major Business Pain Points

  • Companies are aware of the need to discuss and assess risk, but many struggle to do so in a systematic and repeatable way.
  • Security risks are rarely analyzed in a consistent manner, let alone with a systematic and repeatable method that determines both project risk and overall organizational risk exposure.


Key Points

  • The best security programs are built upon defensible risk management. With an appropriate risk management program in place, you can ensure that security decisions are made strategically instead of being based on frameworks and gut feelings. This will optimize any security planning and budgeting.
  • All risks can be quantified. Security, compliance, legal, and other risks can all be quantified using the same methodology.
Recommendations

  • Develop a security risk management program to create a standardized methodology for assessing and managing the risk that information systems face. 
  • Build a risk governance structure that makes it clear how security risks can be escalated within the organization and who makes the final decision on certain risks. 
  • Use the risk assessment methodology to quantifiably evaluate the threat severity for any new or existing project or initiative. 
  • Tie together all aspects of your risk management program, including your information security risk tolerance level, threat and risk assessments, and mitigation effectiveness models. 

Methodology and Tools

Executive Brief

Read the concise Executive Brief to find out why you should develop and implement a security risk management program and review the methodology. 

  • Develop a Security Risk Management Program – Executive Brief
  • Develop a Security Risk Management Program – Phases 1-4

1. Establish the risk environment

Lay down the foundations for security risk management, including roles and responsibilities and a defined risk tolerance level. 

  • Develop a Security Risk Management Program – Phase 1: Establish the Risk Environment
  • Security Risk Governance Responsibilities and RACI Template
  • Risk Tolerance Determination Tool
  • Risk Weighting Determination Tool

2. Conduct threat and risk assessments

Define frequency and impact rankings, then assess the risk of your project.

  • Develop a Security Risk Management Program – Phase 2: Conduct Threat and Risk Assessments 
  • Threat and Risk Assessment Process Template
  • Threat and Risk Assessment Tool

3. Build the security risk register 

Catalog an inventory of individual risks to create an overall risk profile. 

  • Develop a Security Risk Management Program – Phase 3: Build the Security Risk Register 
  • Security Risk Register Tool

4. Communicate the risk management program 

Communicate the risk-based conclusions and leverage these in security decision making. 

  • Develop a Security Risk Management Program – Phase 4: Communicate the Risk Management Program
  • Security Risk Management Presentation Template
  • Security Risk Management Summary Template

All resources on this page are provided to Cyber Leadership Hub members under license from third parties including Info-Tech Research Group Inc, a global leader in providing IT research and advice.