Project 2: Risk Assessment and Threat Modeling

Now that we know what systems are present, it's time to take a more in-depth look at them. Having completed the data flow and trust maps, you now understand how your systems communicate and support each other.

However, there are many factors that are still unknown:

• What vulnerabilities exist on each system?

• Are there security controls that govern system configuration and operation?

• Where does risk exist in the environment?

• How severe is the risk?

Risk assessments are designed to enumerate and prioritize threats and vulnerabilities, examine the effectiveness of the security controls in place, and rate the existing risks in the environment.

Completing a risk assessment will answer the unknowns listed above. It will also identify existing policies that need to change and new policies that need to be created.

The threat modeling process is used to identify and mitigate security problems in a system's design that could lead to system compromise.

By seeing the system through the eyes of an attacker, organizations can take the appropriate steps to correct any design flaws.

Completing these activities gives an organization a clear understanding of what risks are present and what steps need to be taken to mitigate them.

If you've had a risk assessment done in the past, go back and review the results. What steps have been taken to mitigate the identified risks?

That assessment will likely require some updates, though. Risk assessments should be performed periodically, and certainly after any significant change to the IT or business environment.
