As it is impossible to eliminate all risks, organizations may hope to reduce a perceived risk by obtaining risk advice through a risk assessment. Risk management therefore plays a critical role in protecting an organization's information assets. Risk management is a process that covers both an assessment phase and a mitigation phase. In the assessment phase, adequate methods and tools are required to determine quantitative results. In traditional approaches, the probability of occurrence of a risk is multiplied by its perceived impact to form a loss expectancy figure.
In the domain of information systems and information security management, the risk assessment phase is more complicated. As information security threats are constantly evolving, using historical or statistical figures to estimate the probability of occurrence of a specific risk may lead to faulty conclusions. Currently, data repositories such as the National Vulnerability Database maintained by the National Institute of Standards and Technology (NIST) are used. In some cases, available automated tools are used to perform vulnerability assessments. Most of the time, these measures are geared toward security professionals and are usually not suitable for managerial decision making, which is commonly driven by compliance requirements rather than by a risk management thought process. Such tools and methods are expected to produce outcomes that help management make decisions, prioritize resources and develop mitigation strategies against the occurrence of risks related to the information assets of a company; however, most of the time that is not the case.
The U.S. National Security Agency's (NSA) Mission Oriented Risk and Design Analysis (MORDA) provides a framework for analyzing complex information security risk postures. MORDA combines threat, attack and mission impact concepts to derive an unbiased risk metric, so the enterprise objectives, in the form of missions, are embedded within this framework. However, MORDA does not explicitly define how enterprise objectives are identified.
Another critical aspect of information security threats is their ever-changing nature, which evolves at a tremendous pace. In addition, the interconnected nature of information assets presents a further dimension of complexity, in the form of a requirement for cascaded and parallel analysis of threats against the information assets.
The attack tree approach is suited to addressing such architectural complexities in a dynamic manner. Attacks are modeled through a graphical, mathematical decision-tree structure called an attack tree. Similar studies exist that utilize attack graphs instead of attack trees. A known issue with attack trees (and graphs) is that, for systems that include numerous information resource elements, the task becomes cumbersome and the scalability of the approach is limited in large enterprises.
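As an added example (not from this paper), the cascaded and parallel analysis discussed above can be expressed as a small attack tree: AND nodes multiply the success probabilities of their child steps, OR nodes combine independent alternatives, and the root probability is multiplied by the perceived impact to give the loss expectancy figure of the traditional approach. The tree, the leaf probabilities, the impact value and the `mitigation_benefit` helper are constructed for illustration only.

```python
import math
from dataclasses import dataclass, field

@dataclass
class Node:
    # LEAF: estimated success probability; AND: every child step must succeed
    # (cascaded analysis); OR: any one alternative suffices (parallel analysis)
    name: str
    kind: str = "LEAF"
    prob: float = 0.0
    children: list = field(default_factory=list)

def success_probability(node: Node) -> float:
    """Propagate leaf estimates up to the root, assuming independent leaves."""
    if node.kind == "LEAF":
        return node.prob
    child_p = [success_probability(c) for c in node.children]
    if node.kind == "AND":
        return math.prod(child_p)                         # all steps must succeed
    if node.kind == "OR":
        return 1.0 - math.prod(1.0 - p for p in child_p)  # not every alternative fails
    raise ValueError(f"unknown node kind {node.kind!r}")

def loss_expectancy(root: Node, impact: float) -> float:
    """Traditional figure: probability of occurrence x perceived impact."""
    return success_probability(root) * impact

def mitigation_benefit(root: Node, impact: float, leaf: Node, new_prob: float) -> float:
    """Drop in loss expectancy if a control lowers one leaf's probability;
    lets candidate mitigations be ranked without rebuilding the tree."""
    before, old = loss_expectancy(root, impact), leaf.prob
    leaf.prob = new_prob
    after = loss_expectancy(root, impact)
    leaf.prob = old                                        # restore the original estimate
    return before - after

# Constructed example: two cascaded paths to one goal, analysed in parallel.
CREDENTIAL_STEP = Node("Obtain valid credentials", prob=0.5)
MFA_STEP = Node("Defeat second factor", prob=0.4)
TREE = Node("Unauthorized access to customer records", "OR", children=[
    Node("Path via stolen credentials", "AND", children=[CREDENTIAL_STEP, MFA_STEP]),
    Node("Path via unpatched service", "AND", children=[
        Node("Exploit unpatched service", prob=0.3),
        Node("Escalate to data store", prob=0.5)])])
IMPACT = 500_000.0                                         # constructed perceived impact

if __name__ == "__main__":
    print(f"Loss expectancy = {loss_expectancy(TREE, IMPACT):,.0f}")
    print(f"Benefit of a stronger second factor = {mitigation_benefit(TREE, IMPACT, MFA_STEP, 0.1):,.0f}")
```

Because every node beyond the leaves recomputes from its children, the same evaluator can be reused as the tree grows, which is exactly where the scalability concern noted above begins to bite.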