The process of managing risks associated with the use of information technology is called security risk management. It involves identifying, assessing, and treating risks to the confidentiality, integrity, and availability of an organization’s assets. 

​

• Total Risk = Threat x Vulnerabilities x Asset Value

​

• Organizations should not expect to eliminate all risks but rather should ensure to maintain an acceptable level of residual risk. 

​

• Residual Risk = Total Risk – Countermeasures

​

• Threat Modeling provides a structure for informed decision making about risk management