Faced with the need to deliver risk ratings for your organization, you will have to substitute the organization’s risk preferences for your own. For, indeed, it is the organization’s risk tolerance that the assessment is trying to achieve, not each assessor’s personal risk preferences.
What is the risk posture for each particular system as it contributes to the overall risk posture of the organization?
How does each attack surface – its protections if any, in the presence (or absence) of active threat agents and their capabilities, methods, and goals through each situation – add up to a system’s particular risk posture?
In addition, how do all the systems’ risks sum up to an organization’s computer security risk posture?