Risk Management as a Critical Element of Security Systems Engineering


Explain why Risk Management is a critical element and component of Security Systems engineering.


Defining Risk in Security Systems

Risk Management is a critical component of Security Systems engineering. To understand risk management, we first need to define what risks, vulnerabilities, and threats are in relation to security systems. As Bejtlich (2004) describes it, risk within the realm of security is best defined as the combination of a threat with a vulnerability.

Security is the process of maintaining an acceptable level of risk, and it revolves around lowering risk factors. As Bejtlich (2004) points out, security involves the risks, threats, and vulnerabilities surrounding an organization's assets. A simple formula for risk is risk = threat × vulnerability × asset value. An asset is anything of value, which in the security context can include information, hardware, intellectual property, prestige, and reputation. A threat is a party with the skills and goals to exploit a vulnerability in an asset. A vulnerability is a weakness in an asset that could lead to exploitation. Asset value is a measure of the time and resources needed to replace an asset or restore it to its former state.


Risk Management and the Security Engineering Framework

As Jacobs (2016) points out, the Federal Information Security Management Act (FISMA) treats the management of organizational risk as a crucial element of an organization's Information Security program, one that provides the framework for selecting the appropriate security controls for an information system. Jacobs (2016) also describes the risk-based management approach promoted for selecting and specifying security controls, which weighs a control's effectiveness and efficiency together with the constraints imposed by laws, directives, policies, standards, and regulations.


Prioritizing Security Risk Through Risk Management

Risk management is a critical element of security systems engineering because it supports the prioritization of security risk tasks: it allows the business and the security team to rank security risks based on the value of the assets, the vulnerabilities currently in circulation, and the threats known to the business, its business units, or its team members. Once the risks are ranked, the security systems engineering team can draw up a mitigation plan and implement it.
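The following is an added worked example, not code from the original essay or from either cited author. It applies the risk = threat × vulnerability × asset value formula from the "Defining Risk" section to a small constructed risk register, ranks the entries as described above, and derives a mitigation plan that lowers each entry's vulnerability factor until the score falls within an acceptable level. The 1–5 scoring scale, the sample assets, the acceptable-risk threshold, and the rule that a control reduces only the vulnerability factor are all assumptions made for the example.

```python
"""Risk register ranking and mitigation planning.

Added example: applies risk = threat * vulnerability * asset_value to a
constructed register. The 1-5 scales and the sample entries are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Iterable

# Assumed ordinal scale for every factor (1 = lowest, 5 = highest).
SCALE = range(1, 6)


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    asset_value: int   # time/resources to replace or restore the asset
    threat: int        # capability and intent of a party to exploit it
    vulnerability: int # severity of the weakness in the asset

    def __post_init__(self) -> None:
        # Reject out-of-scale inputs so a typo cannot silently skew the ranking.
        for name in ("asset_value", "threat", "vulnerability"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{name} must be in 1..5, got {value}")

    @property
    def score(self) -> int:
        """The page's formula: risk = threat x vulnerability x asset value."""
        return self.threat * self.vulnerability * self.asset_value


def sample_register() -> list[RiskEntry]:
    """Constructed sample data; names and scores are not from the page."""
    return [
        RiskEntry("customer-db", asset_value=5, threat=4, vulnerability=4),
        RiskEntry("public-website", asset_value=3, threat=5, vulnerability=3),
        RiskEntry("build-server", asset_value=4, threat=3, vulnerability=5),
        RiskEntry("hr-laptop", asset_value=2, threat=2, vulnerability=2),
    ]


def rank_risks(entries: Iterable[RiskEntry]) -> list[RiskEntry]:
    """Highest risk first; ties are broken by asset name for deterministic output."""
    return sorted(entries, key=lambda e: (-e.score, e.asset))


def apply_mitigation(entry: RiskEntry, new_vulnerability: int) -> RiskEntry:
    """Model a control as a reduction of the vulnerability factor (assumption:
    threat and asset value are largely outside the engineering team's control)."""
    return replace(entry, vulnerability=new_vulnerability)


def plan_mitigations(entries: Iterable[RiskEntry], acceptable: int) -> list[tuple[str, int, int]]:
    """Walk the ranked register and, for each entry above the acceptable level,
    lower the vulnerability one step at a time (floor 1) until the score is within
    tolerance. Returns (asset, current_score, residual_score) in priority order."""
    plan: list[tuple[str, int, int]] = []
    for entry in rank_risks(entries):
        if entry.score <= acceptable:
            continue  # already within tolerance; no task needed
        mitigated = entry
        while mitigated.vulnerability > 1 and mitigated.score > acceptable:
            mitigated = apply_mitigation(mitigated, mitigated.vulnerability - 1)
        plan.append((entry.asset, entry.score, mitigated.score))
    return plan


if __name__ == "__main__":
    register = sample_register()
    print("Ranked register:")
    for e in rank_risks(register):
        print(f"  {e.asset:15} risk={e.score:3}")
    print("Mitigation plan (acceptable risk <= 20):")
    for asset, before, after in plan_mitigations(register, acceptable=20):
        print(f"  {asset:15} {before:3} -> {after:3}")
```

Running the module prints the register in descending risk order followed by the mitigation plan; an entry whose residual score still exceeds the threshold after its vulnerability reaches 1 is reported as such, signalling that reducing the vulnerability alone is not enough and the asset value or threat exposure would need to be addressed instead.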


References

Bejtlich, R. (2004). The Tao of Network Security Monitoring: Beyond Intrusion Detection. Addison-Wesley. ISBN 0-321-24677-2.

Jacobs, S. (2016). Engineering Information Security: The Application of Systems Engineering Concepts to Achieve Information Assurance (2nd ed.). Wiley. https://onlinelibrary.wiley.com/doi/book/10.1002/9781119104728
