Skip to main content



  • Risk management is one of the main missions of security teams.
  • ASF leverages risk assessment to prioritize actions. In agile terms, risk assessment provides the "business value" for security-related stories.
  • It is important to understand that the value of a story depends on each organization. Indeed, the risk appetite, and the risk sensitivity to each element of CIAT (Confidentiality - Integrity - Availability - Traceability) is highly variable. For example, for a press agency, integrity will be paramount, while confidentiality will be restricted to very specific information. This appreciation will be very different for a defense contractor.

Risk appreciation methodology

  • There are many valuable existing risk appreciation methodologies, including ISO27005, OpenFAIR, OWASP Risk Rating Methodology.
  • Any methodology that works well for the organization can be harnessed, as long as it provides a metric to compare and measure the risk associated with scenarios.