Faced with the need to deliver risk ratings for your organization, you will have to substitute the organizations risk preferences for your own. For, indeed, it is the organizations risk tolerance that the assessment is trying to achieve, not each assessors personal risk preferences.
1. 1. What is the risk posture for each particular system as it contributes to the overall risk posture of the organization?
2. 2. How does each attack surface its protections if any, in the presence (or absence) of active threat agents and their capabilities, methods, and goals through each situationadd up to a systems particular risk posture?
3. 3. In addition, how do all the systems risks sum up to an organizations computer security risk posture?