Carnegie Mellon University cmu-wordmark

Introduction to the OCTAVE Approach

SEI Report
By
In this 2003 report, the authors describe the OCTAVE method, an approach for managing information security risks.
Publisher

Software Engineering Institute

Topic or Tag

Abstract

This document describes the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), an approach for managing information security risks. It presents an overview of the OCTAVE approach and briefly describes two OCTAVE-consistent methods developed at the Software Engineering Institute (SEI).

The overall approach embodied in OCTAVE is described first, followed by a general description of the two methods: the OCTAVE Method for large organizations and OCTAVE-S1 for small organizations. Information is provided to assist the reader in differentiating between the two methods, including characteristics defining the target organization for each method as well as any constraints and limitations of each method. A series of questions is also provided to help readers determine which method is best for them. Readers are then directed to the appropriate Web site to download the method of their choice.

It should be noted that some organizations may need a hybrid or a combination of the two methods, or a completely different version of OCTAVE. A final chapter discusses some of the possible alternate versions.

SHARE
Download PDF
Part of a Collection

OCTAVE-Related Assets
Cite This SEI Report

Alberts, C., Dorofee, A., Stevens, J., & Woody, D. (2003, August 1). Introduction to the OCTAVE Approach. Retrieved June 21, 2026, from https://www.sei.cmu.edu/library/introduction-to-the-octave-approach/.

@techreport{alberts_2003,
author={Alberts, Christopher and Dorofee, Audrey and Stevens, James and Woody, Dr. Carol},
title={Introduction to the OCTAVE Approach},
month={Aug},
year={2003},
institution={Software Engineering Institute, Carnegie Mellon University},
url={https://www.sei.cmu.edu/library/introduction-to-the-octave-approach/},
note={Accessed: 2026-Jun-21}
}

Alberts, Christopher, Audrey Dorofee, James Stevens, and Dr. Carol Woody. "Introduction to the OCTAVE Approach." Software Engineering Institute, Carnegie Mellon University. Software Engineering Institute, August 1, 2003. https://www.sei.cmu.edu/library/introduction-to-the-octave-approach/.

C. Alberts, A. Dorofee, J. Stevens, and D. Woody, "Introduction to the OCTAVE Approach," Software Engineering Institute, Carnegie Mellon University. Software Engineering Institute, 1-Aug-2003 [Online]. Available: https://www.sei.cmu.edu/library/introduction-to-the-octave-approach/. [Accessed: 21-Jun-2026].

Alberts, Christopher, Audrey Dorofee, James Stevens, and Dr. Carol Woody. "Introduction to the OCTAVE Approach." Software Engineering Institute, Carnegie Mellon University, Software Engineering Institute, 1 Aug. 2003. https://www.sei.cmu.edu/library/introduction-to-the-octave-approach/. Accessed 21 Jun. 2026.

Alberts, Christopher; Dorofee, Audrey; Stevens, James; & Woody, Dr. Carol. Introduction to the OCTAVE Approach. Software Engineering Institute. 2003. https://www.sei.cmu.edu/library/introduction-to-the-octave-approach/

Ask a question about this SEI Report