Risk Assessment Methodology

Improving  Risk Assessments by Focusing on a Process Viewpoint


WCK EESA™ (end-to-end security risk assessment process) is an improved methodology for assessing and uncovering risks and vulnerabilities.

Traditionally, cyber security risk assessments  are focused on a set of systems or networks.

EESA™  is focused on the end to end process, and all the systems and networks that serve that process.  This viewpoint meets 2 critical needs that the classic network or system-oriented assessment does not support:

  • Understanding how technical assets discovered in specific systems, servers, or other technical components might affect seemingly unrelated business services or processes
  • Supporting the special needs and unique assets of critical infrastructures


The diagram below is a visual overview of the EESA™  risk evaluation process:


eesa risk evaluation overview


The Secret Ingredient: A  Risk Assessment Process Built around Assets and their Interdependencies


The EESA™ methodology is asset-based, which means that it analyzes any types of organizational asset and how it serves the business. An asset can be an IT or non-IT system, software or hardware, a business process, organizational unit, a building or a room, low level components such as devices, controllers, servers, etc. or almost anything.

One you have defined your assets, you need to understand the relationships between each asset and the others.

The asset-oriented  risk assessment model incorporates often neglected aspects of risk analysis that are essential in providing full coverage of the risks and vulnerabilities of an organization. These capabilities include:

  • Understanding  how risk cascades across the organization, by mapping and analyzing the interdependencies between assets
  • Performing smart aggregation and correlating risks from multiple sources around assets
  • Classifying assets based on granular business aspects such as finance, reputation, productivity, safety, etc. and being able to set priorities and filters based on these aspects


It is this process-oriented approach to risk methodology that ensures that the business and organizational impact of risks are analyzed, rather than just their severity.   The EESA™ methodology helps uncover hidden vulnerabilities and provides a comprehensive, end-to- end view of an organization’s risk, both vitally important needs in today’s cyber age.

EESA™ is the underlying IT risk assessment framework within the WCK software platform, and it provides customers with a  cost-effective risk assessment process that improves the security posture of the organization.


An Acknowledged Risk Assessment Process

EESA™  has been acknowledged by major international security bodies and selected as a leading risk assessment methodology by:

  1. The Assessment of Critical Infrastructure Protection (ACIP) project
  2. The Center for European Policy Studies (CEPS)
  3. And the European Network and Information Security Agency (ENISA)


Additional acknowledgements:
  • “EESA deals with Critical Information Infrastructure Protection (CIIP), analyzing “Security Quality of Service” (SQOS) along the path of critical processes within the business environment…”   [Source: Applied Technology Integration in Governmental Organizations, New E-Government Research. Book written by Vishanth Weerakkody, Igi Global page 159]


  • “The EESA (End To End Security Assessment) method focuses on the IT aspects of large distributed critical systems. By analyzing the information flow and the mechanisms of security services together with the risk analysis results…”  [Source: Computer Safety, Reliability, and Security: 25th International Conference. A book written BY Janusz Górs, Springer]


  • “The products used, often include software tools that address specific IT platforms, and lack the ‘overall‘ security assessment ability. Practical and business-related methodologies that can bridge this gap are required, such as the End to End Security Assessment model (EESA).”   [Sources: ACIP Report 6.1- Summary of the cross-connections, and an article about ACIP results, written by ENST (Ecole National Supreme de Telecom de Paris). Article]