Principles and procedures of the LRAM approach to information systems risk analysis and management
Published in: | Computers & security 1987-12, Vol.6 (6), p.493-504 |
---|---|
Main author: | |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Full text |
Summary: | Risk assessment methods vary in nature and depth. Their application to the evaluation of information security issues should be decided on the basis of their capability to provide answers to the fundamental questions concerning the design and implementation of security controls in specific information systems. Information systems risk analysis is discussed as a means of providing an objectively based approach for assessing and managing risk. As a decision making and risk assessment tool, rigorous risk analysis is not only capable of identifying potential losses that could be unacceptable for a given system, but it can be used to determine which specific security controls and counter measures can be effective and justifiable by management-set criteria.
The Livermore Risk Analysis Methodology (LRAM) was developed in accord with these principles. Its model and procedures, from the identification of valuable assets to the prioritization and budgeting of proposed controls, are examined and discussed both from the technical and from the decision making/risk management perspectives. |
---|---|
ISSN: | 0167-4048 1872-6208 |
DOI: | 10.1016/0167-4048(87)90030-7 |