Some key models that can be helpful for security risk assessment and management, depending on the context, include the following.
The NIST Cybersecurity Framework (CSF) is a risk-based framework that provides a common language and system for organizing and prioritizing cybersecurity activities. It consists of five core functions (Identify, Protect, Detect, Respond, and Recover), associated outcomes, and categories.
The ISO/IEC 27001 standard is a widely adopted international standard that outlines a best-practice approach to information security management systems (ISMS). It includes a risk assessment and treatment process that can be used to identify, evaluate, and prioritize risks to the organization's information assets, and to determine appropriate controls to mitigate those risks.
The OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) method is a risk assessment method that focuses on operational risks and the critical assets of an organization. It involves a series of steps, including defining the scope of the assessment, identifying assets and vulnerabilities, assessing the likelihood and impact of threats, and determining appropriate controls and response plans.
The FAIR (Factor Analysis of Information Risk) model is a risk assessment and management model that focuses on quantifying and analyzing the likelihood and impact of potential losses to an organization. It uses a set of standard risk elements (threat events, vulnerabilities, consequences, and likelihood) to enable organizations to consistently and objectively evaluate risks and make informed decisions about how to manage them.
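As an added illustration (not part of the original text or of the FAIR standard's own tooling) of how the elements just listed combine into a loss figure: loss event frequency is threat event frequency times vulnerability, and annual loss is the sum of the loss magnitudes of that year's loss events. The min/most-likely/max inputs, the PERT distributions and the Poisson event count are assumptions of this example, and the scenario values are constructed.

```python
import math
import random
from collections import namedtuple

# One FAIR scenario from the elements the text names. Each field is a (min, most likely, max)
# estimate: threat event frequency per year, vulnerability as the probability that a threat
# event becomes a loss event, and loss magnitude per loss event in currency units.
FairScenario = namedtuple("FairScenario", "threat_event_frequency vulnerability loss_magnitude")

# Constructed illustration values, not real data: credential stuffing against a customer portal.
EXAMPLE = FairScenario((2, 6, 20), (0.05, 0.2, 0.5), (10_000, 50_000, 400_000))

def sample_pert(rng, low, mode, high, lamb=4.0):
    """Modified-PERT draw (Beta scaled to [low, high]) from a min/most-likely/max estimate."""
    if high == low:
        return low
    alpha = 1 + lamb * (mode - low) / (high - low)
    beta = 1 + lamb * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)

def sample_poisson(rng, lam):
    """Number of loss events in one year for a given loss event frequency (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def expected_annual_loss(s):
    """Point estimate E[TEF] * E[Vuln] * E[Magnitude], using the PERT mean (min + 4*mode + max) / 6."""
    pm = lambda t: (t[0] + 4 * t[1] + t[2]) / 6
    return pm(s.threat_event_frequency) * pm(s.vulnerability) * pm(s.loss_magnitude)

def simulate(s, years=10_000, seed=7):
    """Monte Carlo: per simulated year, LEF = TEF * Vuln, then sum each loss event's magnitude."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lef = sample_pert(rng, *s.threat_event_frequency) * sample_pert(rng, *s.vulnerability)
        losses.append(sum(sample_pert(rng, *s.loss_magnitude)
                          for _ in range(sample_poisson(rng, lef))))
    return sorted(losses)

def summarize(losses):
    """Average loss, typical year (p50), bad year (p90) and the chance of a year above 500k."""
    pct = lambda q: losses[min(len(losses) - 1, int(q * len(losses)))]
    return {"expected": sum(losses) / len(losses), "p50": pct(0.5), "p90": pct(0.9),
            "p_exceed_500k": sum(x > 500_000 for x in losses) / len(losses)}
```

The point estimate answers "how much per year on average"; the percentiles and tail probability from the simulation are what a risk owner needs to compare a control's cost against the bad years it prevents.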
The STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) model is a threat modeling model that focuses on identifying and classifying threats to an organization's information systems. Each of its six categories names a class of threat against a system component or data flow, which helps organizations enumerate threats systematically, prioritize the resulting risks, and determine appropriate controls to mitigate them.
SRMBOK (Security Risk Management Body of Knowledge) is a framework that provides a comprehensive overview of the security risk management process. It includes a set of principles, processes, and practices for managing security risks in an organization. The framework comprises six key areas: governance, risk assessment, risk treatment, risk communication and consultation, risk monitoring and review, and risk management context.
ISO 31000 is an international standard that provides guidelines and general principles on risk management. It is designed to help organizations understand and manage risk systematically and to ensure that risk management is integrated into the organization's decision-making processes. The standard outlines a risk management process that includes: establishing the context, identifying and analyzing risks, evaluating and prioritizing risks, implementing controls to mitigate risks, and monitoring and reviewing risk management activities.