ROI of IT Security
New Qualitative Model Helps Measure Security Risk Reduction
Step 2: Identify controls
List the controls that you have used to mitigate the risks identified in Step 1.
A control is any action you have taken to prevent risks. This includes policies, procedures and technical controls. These are the controls for our small network example:
This network has three primary controls for ensuring integrity and availability (firewalls, anti-virus and network access control), and three primary controls for maintaining confidentiality and accountability (encryption, application access control and policy).
Step 3: Identify vulnerabilities
List the vulnerabilities of the current controls. A vulnerability is anything that reduces the effectiveness of a control or otherwise increases the likelihood of the risks occurring. Vulnerabilities can result from controls that are not configured correctly, controls that cannot be verified as effective, and missing controls.
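As an added illustration of Steps 2 and 3 (not part of the original article or its model), the following Python records the six controls of the small network example against the security goals the text assigns them, tags each with one of the three vulnerability classes just described, and reports which goals are left with no effective control. The vulnerability states assigned to the controls are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# The three ways a control becomes a vulnerability, as described in Step 3.
VULNERABILITY_CLASSES = ("misconfigured", "unverified", "missing")


@dataclass(frozen=True)
class Control:
    name: str
    goals: tuple                          # security goals this control supports
    vulnerability: Optional[str] = None   # None means the control is effective

    def __post_init__(self):
        if self.vulnerability not in (None, *VULNERABILITY_CLASSES):
            raise ValueError(f"unknown vulnerability class: {self.vulnerability}")


# The six controls of the example network, grouped as the text groups them.
# Vulnerability states are constructed for illustration, not taken from the text.
EXAMPLE_CONTROLS = [
    Control("firewall", ("integrity", "availability")),
    Control("anti-virus", ("integrity", "availability"), "misconfigured"),
    Control("network access control", ("integrity", "availability"), "unverified"),
    Control("encryption", ("confidentiality", "accountability")),
    Control("application access control", ("confidentiality", "accountability")),
    Control("policy", ("confidentiality", "accountability"), "missing"),
]


def coverage(controls) -> dict:
    """Map each security goal to the controls that still effectively support it."""
    result = {}
    for c in controls:
        for goal in c.goals:
            result.setdefault(goal, [])
            if c.vulnerability is None:
                result[goal].append(c.name)
    return result


def uncovered_goals(controls) -> list:
    """Goals that some control was meant to support but no effective control does."""
    return sorted(goal for goal, names in coverage(controls).items() if not names)


def vulnerabilities_by_class(controls) -> dict:
    """Group weakened controls by the vulnerability class from Step 3."""
    grouped = {cls: [] for cls in VULNERABILITY_CLASSES}
    for c in controls:
        if c.vulnerability is not None:
            grouped[c.vulnerability].append(c.name)
    return grouped
```

With the constructed states, every goal still has at least one effective control; `uncovered_goals` becomes non-empty only when all controls behind a goal are weakened, which is the situation Step 3 is meant to surface.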
In our example, these vulnerabilities underscore real-world problems with controls, such as: