Risk assessments, whether they pertain to information security or other types of risk, give decision makers the information they need to understand the factors that can negatively influence operations and outcomes, and to make informed judgements about how much action is needed to reduce risk. For example, bank officials have conducted risk assessments to manage the risk of default in their loan portfolios, and nuclear power plant engineers have conducted such assessments to manage risks to public health and safety. As reliance on computer systems and electronic data has grown, information security risk has joined the array of risks that governments and businesses must manage. Regardless of the type of risk being considered, all risk assessments generally include the following elements.
- Identifying threats that could harm and, thus, adversely affect critical operations and assets. Threats include such things as intruders, criminals, disgruntled employees, terrorists, and natural disasters.
- Estimating the likelihood that such threats will materialise, based on historical information and the judgement of knowledgeable individuals.
- Identifying and ranking the value, sensitivity, and criticality of the operations and assets that could be affected should a threat materialise, in order to determine which operations and assets are the most important.
- Estimating, for the most critical and sensitive assets and operations, the potential losses or damage that could occur if a threat materialises, including recovery costs.
- Identifying cost-effective actions to mitigate or reduce the risk. These actions can include implementing new organisational policies and procedures as well as technical or physical controls.
- Documenting the results and developing an action plan.