The NIST Generic Risk Model


Generic Risk Model with Key Risk Factors (NIST SP 800-30 R1)

Key Risk Factors


Risk is a function of the likelihood of a threat event’s occurrence and potential adverse impact should the event occur.


In assessing likelihoods, organizations examine vulnerabilities that threat events could exploit and also the mission/business function susceptibility to events for which no security controls or viable implementations of security controls exist (e.g., due to functional dependencies, particularly external dependencies).


The level of impact from a threat event is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

Risk Model

Risk models differ in the degree of detail and complexity with which threat events are identified. When threat events are identified with great specificity, threat scenarios can be modeled, developed, and analyzed.


Threat

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Threat events are caused by threat sources.

Threat Source

The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability. Synonymous with threat agent.

Threat Actor

An individual or a group posing a threat.

Threat Event

An event or situation that has the potential for causing undesirable consequences or impact.


Vulnerability

A bug, flaw, weakness, or exposure of an application, system, device, or service that could lead to a failure of confidentiality, integrity, or availability.

NIST Special Publication 800-39 provides guidance on vulnerabilities at all three tiers in the risk management hierarchy and the potential adverse impact that can occur if threats exploit such vulnerabilities.

Threat Scenario

In general, risks materialize as a result of a series of threat events, each of which takes advantage of one or more vulnerabilities. Organizations define threat scenarios to describe how the events caused by a threat source can contribute to or cause harm. Development of threat scenarios is analytically useful, since some vulnerabilities may not be exposed to exploitation unless and until other vulnerabilities have been exploited.

A threat scenario tells a story, and hence is useful for risk communication as well as for analysis.

Predisposing Condition

A predisposing condition is a condition that exists within an organization, a mission or business process, enterprise architecture, information system, or environment of operation, which affects (i.e., increases or decreases) the likelihood that threat events, once initiated, result in adverse impacts to organizational operations and assets, individuals, other organizations, or the Nation.

The concept of predisposing condition is also related to the term susceptibility or exposure. Organizations are not susceptible to risk (or exposed to risk) if a threat cannot exploit a vulnerability to cause adverse impact. For example, organizations that do not employ database management systems are not vulnerable to the threat of SQL injections and therefore, are not susceptible to such risk.



Need-to-know

Decision made by an authorized holder of official information that a prospective recipient requires access to specific official information to carry out official duties.

Least privilege

A security principle that restricts the access privileges of authorized personnel (e.g., program execution privileges, file modification privileges) to the minimum necessary to perform their jobs.

Separation of Duty (SOD)

A security principle that divides critical functions among different staff members in an attempt to ensure that no one individual has enough information or access privilege to perpetrate damaging fraud.

Dual control

A process that uses two or more separate entities (usually persons) operating in concert to protect sensitive functions or information. No single entity is able to access or use the materials, e.g., cryptographic keys.

Split knowledge

A process by which a cryptographic key is split into n key components, each of which provides no knowledge of the original key. The components can be subsequently combined to recreate the original cryptographic key. If knowledge of k (where k is less than or equal to n) components is required to construct the original key, then knowledge of any k – 1 key components provides no information about the original key other than, possibly, its length. Note that in this Recommendation (NIST SP 800-57), split knowledge is not intended to cover key shares, such as those used in threshold or multi-party signatures.
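Dual control and split knowledge, as an added worked example that is not part of this page or of NIST's publications: the k-of-n key-component scheme described above, implemented with Shamir secret sharing over GF(2^8) (the classic construction; NIST's definition names no particular scheme). The function names, the 3-of-5 parameters and the sample key are assumptions for illustration. The last function makes the "k – 1 components provide no information" property concrete: for any guess of a secret byte, there is a value the missing component could carry that makes the guess correct, so a partial set is consistent with every possible key.

```python
from __future__ import annotations
import secrets

# Arithmetic in GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11B).
# Addition and subtraction are both XOR, which keeps the interpolation below simple.


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (0..255)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p & 0xFF


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 because the multiplicative group has order 255."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def interpolate_at(points: list[tuple[int, int]], x: int) -> int:
    """Lagrange-evaluate, at x, the unique polynomial of degree < len(points) through `points`."""
    acc = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, x ^ xj)   # (x - x_j)
                den = gf_mul(den, xi ^ xj)  # (x_i - x_j)
        acc ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return acc


def split_secret(secret: bytes, k: int, n: int) -> list[tuple[int, bytes]]:
    """Split `secret` into n components; any k of them recreate it (Shamir, byte by byte).

    Component i is (i, y_1 .. y_len) where y_pos = f_pos(i) and f_pos is a fresh random
    polynomial of degree k-1 whose constant term is secret[pos].
    """
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    components = [(x, bytearray()) for x in range(1, n + 1)]  # x = 0 is reserved for the secret
    for s in secret:
        coeffs = [s] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x, buf in components:
            y = 0
            for c in reversed(coeffs):  # Horner evaluation of f(x)
                y = gf_mul(y, x) ^ c
            buf.append(y)
    return [(x, bytes(buf)) for x, buf in components]


def combine_components(components: list[tuple[int, bytes]]) -> bytes:
    """Recreate the secret from at least k components. With fewer than k the result is
    well-defined but unrelated to the secret (see consistent_missing_component)."""
    xs = [x for x, _ in components]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("components must have distinct non-zero x values")
    length = len(components[0][1])
    return bytes(
        interpolate_at([(x, y[pos]) for x, y in components], 0) for pos in range(length)
    )


def consistent_missing_component(partial: list[tuple[int, bytes]], missing_x: int,
                                 guess: int, pos: int = 0) -> int:
    """Given exactly k-1 components and a guessed secret byte at `pos`, return the byte the
    component at `missing_x` would have to carry for the guess to be right. Such a value
    exists for every one of the 256 guesses, so k-1 components say nothing about the secret."""
    points = [(0, guess)] + [(x, y[pos]) for x, y in partial]
    return interpolate_at(points, missing_x)


if __name__ == "__main__":
    key = secrets.token_bytes(32)        # constructed sample: a 256-bit key to protect
    parts = split_secret(key, k=3, n=5)  # five custodians; any three act in concert
    assert combine_components(parts[1:4]) == key
    print("3-of-5 recombination OK; any two custodians alone learn nothing.")
```

Each custodian in a dual-control procedure holds one component; the key only exists once k of them bring their components together. For the common n-of-n case (every custodian must be present), XORing n – 1 random components with the key is an equally valid and simpler construction; the polynomial form is what allows a threshold k < n. The components here are recombined into the original key, which is exactly what NIST's note distinguishes from threshold-signature shares that are never reassembled.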


Computer Forensics

The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data.


