A risk-based formula for security testing


06/2021
Will Jardine and Tinus Green

Security Consultants

Common approaches to security testing are led by volume, i.e., how many systems can we test within budget and how many vulnerabilities can we find?

But attackers targeting your organization are goal-oriented, focused only on the attack vectors that will enable them to reach a specific objective. A new formula for testing is needed to address threats in the real world. Organizations can tune their security testing program towards the risks posed by cyber attacks without losing momentum—in fact, speed and efficiency become natural by-products.

This paper is an introduction to risk-prioritized testing, our methodology for that fine-tuning. It is designed to reveal your most critical assets so that you can build preventative controls specifically around them, and it is relevant to any organization. The paper is organized around the methodology's two phases, discovery and enumeration followed by goal-defined testing, and explains step by step how your security team can deliver the exercise internally.

This paper is designed to help you adopt risk-based prioritization as an approach to your testing. It covers:

  • How to gather context on the assets in your estate and apply a risk rating to indicate testing urgency
  • How to identify the best testing approaches and build effective test cases
  • What to do with the outcomes of the exercise
  • How this approach impacts your operational resilience

Get the paper