
Reworking the Taxonomy for Richer Risk Assessments, by Ernie Hayden


By accommodating unique requirements and conditions at different sites, security pros can dig deeper and get a clearer sense of organizational risk.

For many years, I have been performing risk assessments of multiple large facilities. These risk assessments have ranged from major power plants to large substations to oil/gas pipelines to oil sands facilities to multistory office buildings. One thing I began to realize over the years is that each risk assessment had its own nuances; however, the approach I took was generally the same, making it a richer risk assessment.

The assessments are generally conducted following three phases: pre-assessment/planning, on-site risk assessment, and reporting.


With pre-assessment and planning, you need to think about the desired outcome (i.e., identify the risks to the facility) and identify the necessary actions to mitigate or eliminate the risks and associated vulnerabilities.

On-site Activities

Now comes the fun part: Getting on-site and looking for threats and vulnerabilities.

Don’t forget these threats and vulnerabilities can be cyber or physical. They can also be part of the site management and culture. What about training or lack thereof? They can all contribute to the risk profile of the facility.


Just like the phrase says, the work isn’t complete until the paperwork is done! In fact, this is very important in order to help your customer — that is, the manager of the facility you just inspected — to understand their threat profile, understand what they need to fix, and understand what needs to be mitigated first (that is, categorized risks).

Read the full article at Dark Reading.

Ernie Hayden, MIPM, CISSP, CEH, GICSP(Gold), PSP is a highly experienced and seasoned technical consultant, author, speaker, strategist and thought-leader with extensive experience in the power utility industry, critical infrastructure protection/information.

Ernie is author of the new book, Critical Infrastructure Risk Assessment: The Definitive Threat Identification and Threat Reduction Handbook.
