Tailoring Risk Management Practice
In the 1990s, SEI risk research produced standards for software risk management, enabling program managers in all types of software-intensive programs to do a better job of identifying what could go wrong and mitigating the worst of those risks.
In 1996, the SEI published the Continuous Risk Management Guidebook, which brought together several concepts developed through its work with DoD agencies and Service branches in the preceding years. This approach had widespread influence. A Cutter Consortium's report a few years later, The State of Risk Management 2002, revealed that 21% of respondents to a survey about risk management techniques said that they used SEI standards for risk management. Only ISO ranked higher, with 36% of respondents.
In the decades since it was published the guidebook, the SEI has continued to conduct research and development in various aspects of risk management. In 1998, the SEI's CERT researchers began developing a new approach for managing cybersecurity risks within an organization, the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). OCTAVE was transitioned and continues to be a widely used information security risk assessment method.
Other SEI-developed applications of risk management principles include the COTS Usage Risk Evaluation (CURE), the widely used Architecture Tradeoff Analysis Method (ATAM), and the Mission Risk Diagnostic (MRD), which assesses risk in interactively complex, socio-technical systems across the lifecycle and supply chain.
Much of the SEI's risk management work today is focused on software assurance. SEI researchers are developing the Security Engineering Risk Analysis (SERA) method, a systematic risk-based method for building security into software-reliant systems rather than deferring security to later lifecycle activities such as operations.