Skip to Main Content
Risk analysis is, at best, a good general-purpose yardstick by which we can judge our security design's effectiveness. Because roughly 50 percent of security problems are the result of design flaws, performing a risk analysis at the design level is an important part of a solid software security program. Taking the trouble to apply risk-analysis methods at the design level for any application often yields valuable, business-relevant results. The risk analysis process is continuous and applies to many different levels, at once identifying system-level vulnerabilities, assigning probability arid impact, arid determining reasonable mitigation strategies. The paper looks at how, by considering the resulting ranked risks, business stakeholders can determine how to manage particular risks and what the most cost-effective controls might be.