Risk Assessment With Microsoft Threat Assessment & Modeling

#1 bspirovski

Posted 03 November 2009 - 01:57 PM

Every organization has some form of Information Security Risk assessment. Some perform a formal risk assessment, others simply use their practical experience. Whatever method is chosen, it always helps to use a tool which will assist the organization in performing the risk assessment in a controlled and reproducible manner.

The tool
There aren't that many tools that assist the organization in performing risk assessment. The most widely used one is Excel, but it is far from a good choice. Microsoft has also created MS Threat Assessment and Modeling - a tool that, although designed for a slightly different purpose, can easily be used for Risk Assessment.

The process
Performing risk assessment with MS TAM is easy once you understand the components and the process.
Components of the MS TAM Analysis
  • Roles – Functional Identities involved in the assessed process/system; these can include both service identities and human identities
  • Components – System elements used in the assessed process/system – most commonly servers or subsystems
  • Data – Data stored and processed in the assessed process/system – in effect ANYTHING THAT TRAVERSES THE components
  • External Dependencies – Any external elements including data, components or roles from other processes or systems
  • Use Cases – the steps involved in operating the system/performing the process
  • Relevancies – characteristics attributed to any component that are relevant to the component's method of operation and open a possible vector of attack
  • Attacks – methods of compromising or destroying a component via misuse of characteristics of one or several relevancies attributed to the component
Full story
http://www.shortinfo...oft-threat.html
Bozidar Spirovski
http://www.shortinfosec.net
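
Added example (not part of the original post and not MS TAM's own code): a small Python model of the relationships in the component list above, showing how relevancies tie components to attacks and which use cases and data each match touches. All class names, relevancy strings and sample entries are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Attack:
    name: str
    relevancies: frozenset  # characteristics this attack misuses

@dataclass
class Component:
    name: str
    relevancies: set = field(default_factory=set)

@dataclass
class UseCase:
    name: str
    role: str          # identity performing the step
    components: list   # components the step passes through
    data: list         # data traversing those components

def derive_threats(use_cases, attacks):
    """Return (use case, role, component, attack, data at risk) rows."""
    rows = []
    for uc in use_cases:
        for comp in uc.components:
            for atk in attacks:
                # An attack applies when the component carries at least
                # one of the relevancies the attack misuses.
                if atk.relevancies & comp.relevancies:
                    rows.append((uc.name, uc.role, comp.name,
                                 atk.name, tuple(uc.data)))
    return rows

def unassessed_components(use_cases):
    """Components with no relevancies yet: a gap in the assessment."""
    return sorted({c.name for uc in use_cases
                   for c in uc.components if not c.relevancies})

# Constructed sample model (hypothetical system)
web = Component("Web server", {"accepts user input", "builds HTML output"})
db = Component("Database server", {"builds dynamic SQL"})
batch = Component("Report generator")
ATTACKS = [
    Attack("SQL injection", frozenset({"builds dynamic SQL"})),
    Attack("Cross-site scripting",
           frozenset({"accepts user input", "builds HTML output"})),
]
USE_CASES = [
    UseCase("Customer views invoice", "Customer", [web, db], ["Invoice"]),
    UseCase("Nightly report", "Service account", [batch], ["Sales totals"]),
]

if __name__ == "__main__":
    for row in derive_threats(USE_CASES, ATTACKS):
        print(row)
    print("No relevancies assigned:", unassessed_components(USE_CASES))
```

The rows give a reproducible starting list for the risk assessment; the second function flags components that produce no rows only because nobody has assigned them relevancies yet.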