Security Methods
Security has never been a goal (end) in itself; it comes as a need to keep the business existing and growing. In that sense, the best security strategy does not consist in implementing the best security ever, but in determining how secure you need to be to serve the business, or in other words, in reducing the risks to an acceptable level. But determining the risks and, most of all, judging what an acceptable level of security is are far from easy. Different methods have been designed to guide you in that delicate task; they are called, more or less interchangeably, Risk Assessment, Risk Management and Vulnerability Assessment. These methods are not specifically designed to help in choosing a firewall or any other device; they guide the overall process of implementing security. It is nevertheless very beneficial to have recourse to one of these methods before making any important security investment.
Let's briefly describe three popular risk assessment methods:
The Site Security Handbook
The Site Security Handbook, RFC 2196, provides general guidelines for developing security policies and procedures for all types of network infrastructure. It relies on five steps:
1. Identify what you are trying to protect.
2. Determine what you are trying to protect it from.
3. Determine how likely the threats are.
4. Implement measures which will protect your assets in a cost-effective manner.
5. Review the process continuously and make improvements each time a weakness is found.
The OCTAVE-S Method
Developed by the Computer Emergency Response Team at Carnegie Mellon University, better known as CERT®/CC (CERT Coordination Center), OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a self-directed information security risk evaluation that focuses on the key assets of the company and helps identify the company's threat profile and the vulnerabilities of its infrastructure. It also helps define the impact of such threats on the business as well as their probability of occurring, and thus contributes to evaluating the security risks. Based on full knowledge of these risks, the method guides the development of a security strategy that responds to the company's business objectives. This method is principally designed for large, highly structured companies; however, small businesses have not been left aside: OCTAVE-S, which is based on the same principles, is a lighter edition designed to meet the security needs of small and medium companies. The efficiency of the method relies on the collaboration of 3 to 5 people with broad knowledge of the organization's business and security processes, drawn from multiple organizational levels. Although the method can be self-directed, it probably saves time to get trained by an OCTAVE-qualified person. You can download the method here.
The Security Risk Management Guide
The Security Risk Management Guide developed by Microsoft provides a comprehensive approach to measuring and prioritizing risk based on the financial impact of a threat and its likelihood (probability of occurring). Like the OCTAVE method, it is a self-directed method that requires the collaboration of a team from different departments to discuss the security assets. Excel templates are provided to guide the discussion, but filling them in requires a minimum of self-training. You can download the package here.
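As an added illustration (not code from the Microsoft guide, RFC 2196 or the OCTAVE material), the following Python ranks a small risk register by financial impact multiplied by likelihood, the basis the Microsoft guide describes, and applies the cost-effectiveness test of RFC 2196's step 4 to a candidate countermeasure. The register entries, loss figures, likelihoods and countermeasure costs are constructed for the example and are not taken from any of the three methods.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair from a (constructed) risk register."""
    asset: str
    threat: str
    impact: float      # estimated financial loss per incident, in currency units
    likelihood: float  # expected incidents per year (fractions mean "less than yearly")

    def expected_annual_loss(self) -> float:
        """Financial impact weighted by likelihood: the quantity used to prioritize."""
        return self.impact * self.likelihood


def rank_risks(risks):
    """Return the register ordered by expected annual loss, highest first."""
    return sorted(risks, key=lambda r: r.expected_annual_loss(), reverse=True)


def is_cost_effective(risk, annual_cost, residual_likelihood):
    """RFC 2196 step 4: a measure is worth buying only if the loss it avoids
    each year exceeds what it costs each year. residual_likelihood is the
    expected incident rate after the measure is in place."""
    avoided_loss = risk.impact * (risk.likelihood - residual_likelihood)
    return avoided_loss > annual_cost


# Constructed sample register: illustrative numbers only, not from either guide.
REGISTER = [
    Risk("customer database", "injection through the public web application",
         impact=250_000, likelihood=0.2),
    Risk("mail server", "phishing leading to account takeover",
         impact=40_000, likelihood=1.5),
    Risk("file server", "ransomware through an unpatched file-sharing service",
         impact=120_000, likelihood=0.1),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.expected_annual_loss():>10,.0f}  {r.asset}: {r.threat}")
    # Candidate measure for the database risk: 15,000/year, cuts likelihood to 0.05
    print("database control worth it:",
          is_cost_effective(REGISTER[0], annual_cost=15_000, residual_likelihood=0.05))
```

Ranking by expected annual loss rather than by raw impact is what moves the frequent, lower-cost phishing threat above the rarer but larger database threat; the cost-effectiveness check then decides, per measure, whether the residual risk it leaves is worth its price.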