System Characterization
In assessing risks for an IT system, the first step is to define the scope of the effort. In this step, the boundaries of the IT system are identified, along with the resources and the information that constitute the system. Characterizing an IT system establishes the scope of the risk assessment effort, delineates the operational authorization (or accreditation) boundaries, and provides information (e.g., hardware, software, system connectivity and responsible division or support personnel) essential to defining the risk. The methodology described can be applied to assessments of single or multiple, interrelated systems.
Threat Identification
A threat is the potential for a threat source to exercise a specific vulnerability. A vulnerability is a weakness in the system that can be accidentally triggered or intentionally exploited. A threat source does not present a risk when there is no vulnerability that can be exercised.
Vulnerability Identification
Once the plausible threats are identified, a vulnerability assessment will be performed. The vulnerability assessment considers the potential impact of loss after a successful attack as well as the vulnerability of the facility / location to an attack.
Control Analysis
In this step, the controls that have been implemented, or are planned, for the IT system are analyzed to determine how effectively they reduce the likelihood of a threat source exercising a system vulnerability. The existence and effectiveness of these controls feed directly into the likelihood determination.
Likelihood Determination
To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the associated threat environment, the following governing factors must be considered: the motivation and capability of the threat source, the nature of the vulnerability, and the existence and effectiveness of the current controls.