ABSTRACT

First, risk analysis is core to understanding the state of information security that exists within the company. The process of risk analysis uncovers how well the control environment is protecting the information assets. Second, risk analysis helps organizations target information security expenditures where they are most needed and is used to allocate funds to the appropriate security controls. Finally, risk analysis and management is very subjective in nature and tends to be more art than science. Even though the process may be more art than science, there are still processes that can be followed to increase the likelihood that the risk analysis will be useful to the organization and provide visibility into the risks to which the organization is exposed. Risk is inherent in everything that we do, and there is no such thing as a risk-free activity. The danger for an organization occurs when risks are accepted implicitly, without any visibility that the risk is being accepted.