General Risk Management Model:
Step 1: Asset Identification
Identify and classify the assets, systems, and processes that need protection because they are vulnerable to threats.
Step 2: Threat Assessment
After identifying assets, you identify the threats and the vulnerabilities associated with each asset and the likelihood of their occurrence. Everything has vulnerabilities; one key point is to concentrate on the exploitable ones. Useful catalogues of vulnerability classes: CWE (from mitre.org), the SANS Top 25 list, the OWASP Top 10 list.
Step 3: Impact Determination and Quantification:
An impact is the loss created when a threat is realized and exploits a vulnerability. A tangible impact results in financial loss or physical damage. For an intangible impact, such as damage to a company's reputation, assigning a financial value can be difficult.
Step 4: Control Design and Evaluation:
Software Engineering Institute Model:
Examine the system, enumerating potential risks.
Convert the risk data gathered into information that can be used to make decisions. Evaluate the impact, probability, and timeframe of the risk. Classify and prioritize each of the risks.
Review and evaluate the risks and decide what actions to take to mitigate them. Implement the plan.
Monitor the risks and the mitigation plans. Review periodically to measure progress and identify new risks.
Make corrections for deviations from risk mitigation plans. Changes in business procedures may require adjustments in plans or actions, as do faulty plans and risks that become problems.
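The two models above describe the same workflow: list assets with their threats and vulnerabilities, rate likelihood and impact, rank, decide on treatment, then re-measure and correct deviations. The following is an added example (not from the original notes or from SEI) of a small risk register that walks through those steps. The 1-5 scales, the timeframe weights, the loss bands that put a financial loss onto the same scale as an intangible rating, the treatment thresholds and the sample risks are all assumptions made for the illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Qualitative scales. These are assumptions for the example, not scales from the notes.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
TIMEFRAME_WEIGHT = {"immediate": 1.5, "near": 1.2, "far": 1.0}
# Tangible loss per incident (currency units) mapped onto the same 1-5 impact scale.
LOSS_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (10_000_000, 4)]


def loss_band(loss: float) -> int:
    """Map a financial loss onto the 1-5 impact scale so it can be ranked against intangible impacts."""
    for ceiling, band in LOSS_BANDS:
        if loss < ceiling:
            return band
    return 5


@dataclass
class Risk:
    asset: str             # Step 1: the asset that needs protection
    threat: str            # Step 2: the threat to it
    vulnerability: str     # Step 2: the exploitable weakness, labelled with a CWE id
    likelihood: str        # Step 2: key into LIKELIHOOD
    timeframe: str         # SEI step 2: key into TIMEFRAME_WEIGHT
    tangible_loss: Optional[float] = None    # Step 3: financial loss per incident, when one can be assigned
    intangible_impact: Optional[int] = None  # Step 3: 1-5 rating when no financial value can be assigned

    def impact(self) -> int:
        """Prefer a quantified loss; fall back to the qualitative rating; refuse to rank an unassessed risk."""
        if self.tangible_loss is not None:
            return loss_band(self.tangible_loss)
        if self.intangible_impact is not None:
            if not 1 <= self.intangible_impact <= 5:
                raise ValueError(f"{self.asset}: intangible impact must be 1-5")
            return self.intangible_impact
        raise ValueError(f"{self.asset}: impact not yet determined")

    def exposure(self) -> float:
        """Likelihood x impact, weighted up when the risk is expected soon."""
        return round(LIKELIHOOD[self.likelihood] * self.impact() * TIMEFRAME_WEIGHT[self.timeframe], 2)


def classify(risk: Risk) -> str:
    """Step 4 / SEI step 3: bucket a risk into a treatment decision. Thresholds are assumed."""
    e = risk.exposure()
    if e >= 15:
        return "mitigate now"
    if e >= 8:
        return "plan mitigation"
    return "accept and monitor"


def triage(register):
    """Return (risks ranked by exposure, risks that still lack an impact assessment)."""
    ranked, unassessed = [], []
    for risk in register:
        try:
            risk.exposure()
            ranked.append(risk)
        except ValueError:
            unassessed.append(risk)
    ranked.sort(key=Risk.exposure, reverse=True)
    return ranked, unassessed


def review(reassessed, targets):
    """SEI steps 4-5: compare re-assessed residual exposure with the plan's target; return deviations."""
    return [(r.asset, r.exposure(), targets[r.asset])
            for r in reassessed if r.asset in targets and r.exposure() > targets[r.asset]]


# Constructed sample register (not real data).
REGISTER = [
    Risk("customer DB", "SQL injection by external attacker", "CWE-89", "likely", "immediate", tangible_loss=2_500_000),
    Risk("public website", "defacement", "CWE-79", "possible", "near", intangible_impact=3),
    Risk("build server", "compromised dependency", "CWE-829", "unlikely", "far", tangible_loss=50_000),
    Risk("HR records", "insider disclosure", "CWE-284", "possible", "near"),  # impact not yet quantified
]
# Residual exposure agreed in the mitigation plan, per asset (assumed values).
TARGETS = {"customer DB": 6.0}

if __name__ == "__main__":
    ranked, unassessed = triage(REGISTER)
    for r in ranked:
        print(f"{r.exposure():5.1f}  {classify(r):18}  {r.asset} / {r.threat} ({r.vulnerability})")
    for r in unassessed:
        print(f"  n/a  needs impact data    {r.asset} / {r.threat}")
    # Monitoring: after parameterising queries the DB risk was re-rated only 'unlikely', not 'rare'.
    residual = replace(ranked[0], likelihood="unlikely")
    for asset, actual, target in review([residual], TARGETS):
        print(f"deviation: {asset} residual exposure {actual} exceeds plan target {target}")
```

Two design points match the caveats in the notes: a risk with neither a financial loss nor an intangible rating is reported as unassessed rather than silently ranked at zero, and the review step compares the re-assessed residual exposure against the target written into the plan so that a mitigation that fell short shows up as a deviation to correct.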