From a cybersecurity standpoint, organizations are operating in a high-risk world. The ability to assess and manage risk has perhaps never been more important. "Having a risk management framework is essential, because risk can never be totally eliminated; it can only be effectively managed," says Arvind Raman, CISO at telecommunications company Mitel Networks. "When it isn't, organizations will likely find themselves the target of a data breach or ransomware attack, or be vulnerable to any number of other security issues."

The most critical consideration in selecting a framework is ensuring that it's "fit for purpose" and best suited for the intended outcomes, says Andrew Retrum, managing director in the cybersecurity and privacy practice at consulting firm Protiviti. "It's also beneficial to select frameworks that are well known and understood already within the organization," Retrum says. "This enables more consistent and efficient use of the framework and allows individuals across the organization to speak a consistent language."

There's no shortage of risk-assessment frameworks organizations can leverage to help guide security and risk executives. Here's a look at some of the most prominent of these frameworks, each designed to address specific risk areas.

NIST Risk Management Framework

The Risk Management Framework (RMF) from the National Institute of Standards and Technology (NIST) provides a comprehensive, repeatable, and measurable seven-step process organizations can use to manage information security and privacy risk. It links to a suite of NIST standards and guidelines that support the implementation of risk management programs meeting the requirements of the Federal Information Security Modernization Act (FISMA). RMF provides a process that integrates security, privacy, and supply chain risk management activities into the system development lifecycle, according to NIST. It can be applied to new and legacy systems, to any type of system or technology including internet of things (IoT) and control systems, and within any type of organization regardless of size or sector.

The seven RMF steps are:

1. Prepare: the essential activities that ready the organization to manage security and privacy risks.
2. Categorize: sorting systems, and the information they process, store, and transmit, based on an impact analysis.
3. Select: choosing the set of NIST SP 800-53 controls that will protect each system, based on the risk assessment.
4. Implement: deploying the controls and documenting how they are deployed.
5. Assess: determining whether the controls are in place, operating as intended, and producing the desired results.
6. Authorize: a senior executive makes a risk-based decision to authorize the system to operate.
7. Monitor: continuously monitoring control implementation and the risks to systems.

"NIST RMF can be tailored to organizational needs," Raman says. It is frequently assessed and updated, and many tools support the standards developed. It's vital that IT professionals "understand when deploying NIST RMF it is not an automated tool, but a documented framework that requires strict discipline to model risk properly."

NIST has produced several risk-related publications that are easy to understand and applicable to most organizations, says Mark Thomas, president of Escoute Consulting and a speaker for the Information Systems Audit and Control Association (ISACA). "These references provide a process that integrates security, privacy, and cyber supply chain risk management activities that assists in control selection and policy development," he says. "Sometimes thought of as guides for government entities, NIST frameworks are a powerful reference for government, private, and public enterprises."

OCTAVE

The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), developed by the Computer Emergency Readiness Team (CERT) at Carnegie Mellon University, is a framework for identifying and managing information security risks. It defines a comprehensive evaluation method that allows organizations to identify the information assets that are important to their goals, the threats to those assets, and the vulnerabilities that might expose those assets to the threats.

By putting together the information assets, threats, and vulnerabilities, organizations can begin to understand what information is at risk. With this understanding, they can design and deploy strategies to reduce the overall risk exposure of information assets.

Two versions of OCTAVE are available. One is OCTAVE-S, a simplified methodology designed for smaller organizations that have flat hierarchical structures. The other is OCTAVE Allegro, a more comprehensive framework suitable for large organizations or those that have complex structures.

"OCTAVE is a well-designed risk assessment framework because it looks at security from a physical, technical, and human resource perspective," Raman says. "It identifies assets that are mission-critical for any organization and uncovers threats and vulnerabilities. However, it can be very complex to deploy and it solely quantifies from a qualitative methodology."

The flexibility of the methodology "allows teams from operations and IT to work together to address the security needs of the organization," Thomas says.

COBIT

Control Objectives for Information and related Technology (COBIT), from ISACA, is a framework for IT management and governance. It is designed to be business focused and defines a set of generic processes for the management of IT. Each process is defined together with its inputs and outputs, key activities, objectives, performance measures, and an elementary maturity model.

The latest version, COBIT 2019, offers more implementation resources, practical guidance and insights, as well as comprehensive training opportunities, according to ISACA. It says implementation is now more flexible, enabling organizations to customize their governance via the framework.

COBIT is a "high-level framework aligned to IT management processes and policy execution," says Ed Cabrera, chief cybersecurity officer at security software provider Trend Micro and former CISO of the United States Secret Service. "The challenge is that COBIT is costly and requires high knowledge and skill to implement."

The framework "is the only model that addresses the governance and management of enterprise information and technology, which includes an emphasis [on] security and risk," Thomas says. "Although the primary intent of COBIT is not specifically in risk, it integrates multiple risk practices throughout the framework and refers to multiple globally accepted risk frameworks."

TARA

Threat Assessment and Remediation Analysis (TARA) is an engineering methodology used to identify and assess cybersecurity vulnerabilities and deploy countermeasures to mitigate them, according to MITRE, a not-for-profit organization that works on research and development in technology domains including cybersecurity. The framework is part of MITRE's portfolio of systems security engineering (SSE) practices. "The TARA assessment approach can be described as conjoined trade studies, where the first trade identifies and ranks attack vectors based on assessed risk, and the second identifies and selects countermeasures based on assessed utility and cost," the organization claims.

Unique aspects of the methodology include the use of catalog-stored mitigation mappings that preselect possible countermeasures for a given range of attack vectors, and the use of countermeasure strategies based on the level of risk tolerance.

"This is a practical method to determine critical exposures while considering mitigations, and can augment formal risk methodologies" to include important information about attackers that can result in an improved risk profile, Thomas says.

FAIR

Factor Analysis of Information Risk (FAIR) is a taxonomy of the factors that contribute to risk and how they affect each other. Developed by Jack Jones, former CISO of Nationwide Mutual Insurance, the framework is mainly concerned with establishing accurate probabilities for the frequency and magnitude of data loss events.

FAIR is not a methodology for performing an enterprise or individual risk assessment, but it provides a way for organizations to understand, analyze, and measure information risk. The framework's components include a taxonomy for information risk, standardized nomenclature for information-risk terms, a method for establishing data-collection criteria, measurement scales for risk factors, a computational engine for calculating risk, and a model for analyzing complex risk scenarios.

FAIR "is one of the only methodologies that provides a solid quantitative model for information security and operational risk," Thomas says. "This pragmatic approach to risks provides a solid foundation to assessing risks in any enterprise." However, while FAIR provides a comprehensive definition of threat, vulnerability, and risk, "it's not well documented, making it difficult to implement," he says.

The model differs from other risk frameworks "in that the focus is on quantifying risks into actual dollars, as opposed to the traditional 'high, medium, low' scoring of others," Retrum says. "This is gaining traction with senior leaders and board members, enabling a more thoughtful business discussion by better quantifying risks in a meaningful way."

Editor's note: This article, originally published May 3, 2010, has been updated with current information.
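To make concrete what the FAIR section above means by quantifying risk "into actual dollars" rather than a high/medium/low score, here is an added illustrative example; it is not code from the article, and it is not the FAIR Institute's or Jack Jones's computational engine. It assumes a deliberately simplified reading of the FAIR taxonomy: annualized loss is driven by a Loss Event Frequency (events per year) and a Loss Magnitude (cost per event), each supplied as a three-point expert estimate (minimum, most likely, maximum) and modelled here as a triangular distribution. The ransomware scenario values, the `Estimate` and `Scenario` types and the function names are all constructed for the example.

```python
"""
Illustrative FAIR-style quantitative risk estimate (constructed example).

Simplification assumed here (not the full Open FAIR standard): annual loss
is the sum of per-event losses, where the number of loss events per year
follows Poisson(rate) with the rate drawn from a Loss Event Frequency (LEF)
range, and each event's cost is drawn from a Loss Magnitude (LM) range.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Estimate:
    """A three-point (min, most likely, max) calibrated estimate."""
    low: float
    likely: float
    high: float

    def __post_init__(self):
        if not (self.low <= self.likely <= self.high):
            raise ValueError("estimate must satisfy low <= likely <= high")

    @property
    def expected(self) -> float:
        # Mean of a triangular distribution over (low, likely, high).
        return (self.low + self.likely + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Estimate   # loss events per year
    lm: Estimate    # loss magnitude per event, in dollars


def expected_annual_loss(s: Scenario) -> float:
    """Closed-form point estimate: E[loss] = E[LEF] * E[LM] (independence assumed)."""
    return s.lef.expected * s.lm.expected


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm; adequate for the small event rates used in risk scenarios."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(s: Scenario, trials: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo: each trial is one simulated year.

    Draw an event rate from the LEF range, draw that year's event count from
    Poisson(rate), price each event from the LM range, and sum. Returns summary
    statistics of the annual loss in dollars plus the share of loss-free years.
    """
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        events = _poisson(rng, s.lef.sample(rng))
        yearly.append(sum(s.lm.sample(rng) for _ in range(events)))
    yearly.sort()

    def pct(q: float) -> float:
        return yearly[min(len(yearly) - 1, int(q * len(yearly)))]

    return {
        "mean": mean(yearly),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "max": yearly[-1],
        "p_no_loss": sum(1 for y in yearly if y == 0) / len(yearly),
    }


# Constructed scenario: the figures are illustrative, not real incident data.
RANSOMWARE = Scenario(
    name="Ransomware on a departmental file server",
    lef=Estimate(0.1, 0.3, 1.0),              # roughly one incident every 1-10 years
    lm=Estimate(50_000, 250_000, 2_000_000),  # per-event cost in dollars
)

if __name__ == "__main__":
    print(RANSOMWARE.name)
    print(f"  expected annual loss (closed form): ${expected_annual_loss(RANSOMWARE):,.0f}")
    for key, value in simulate_annual_loss(RANSOMWARE).items():
        if key == "p_no_loss":
            print(f"  {key:>9}: {value:.2f}")
        else:
            print(f"  {key:>9}: ${value:,.0f}")
```

The closed-form expected annual loss for the constructed scenario is about $357,778, which is the kind of single dollar figure a "high, medium, low" label hides. The simulation shows why the full distribution matters for the board-level discussion Retrum describes: in roughly two thirds of simulated years the loss is zero (so the median year costs nothing), while the 95th-percentile year sits far above the mean because a single large event dominates the tail. Replacing the triangular ranges with PERT or lognormal distributions, as FAIR tooling commonly does, changes only `Estimate.sample` and `Estimate.expected`.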