The methodology of OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is developed at the American university of
Carnegie-Melon and assessment of critical threats, assets and vulnerabilities means.
The methodology of OCTAVE is used widely around the world at performance of works according to information risks and to introduction of risk management
processes in the organization. This technique has a number of the modifications calculated on the organization of the different size and sphere of activity.
The essence methodology of OCTAVE is that for risks assessment the sequence of appropriately organized internal seminars (workshops) is
used. Risks assessment is performed in three stages to which a set of the preparatory activities including coordination of the schedule of seminars,
purposes of roles, planning, coordination of actions of participants of a project team precedes.
At the first stage, during the practical seminars, development of profiles of the threats including inventory and value assessment of
assets, identification of applicable requirements of the legislation and regulatory base, identification of threats and assessment of their probability and
also determination of a system of organizational measures for maintenance of the mode of information security is performed.
At the second stage the technical analysis of vulnerabilities of information systems of the organization concerning threats whose profiles
were developed at the previous stage which includes identification of the available vulnerabilities of information systems of the organization and
assessment of their size is made.
At the third stage assessment and processing of risks of information security including determination of size and probability of
damnification as a result of implementation of threats to security with use of vulnerabilities which were identified at the previous stages, determination
of strategy of protection and also the choice of options and decision making on processing of risks is made. The size of risk is defined as the average
size of annual losses of the organization as a result of realization of threats to security.