Your answer was selected as a Good Answer
Your Public Answer:
“Hi ..., I have just answered a similar question. Every industry has a specific risk level definition. There are several frameworks to manage and measure risk. Once risk is measured, the controls are applied accordingly. It is not like a predefined black book of security levels that dictates security controls in most of the risk systems. These levels are relative, so the safeguards are not expected to be the same. For risk management options, check FRAP, FIRM, OCTAVE, DRAM, CRAMM, NIST 800-30, ISO 27005 and ISACA; these are the initial ones that come to mind as a framework. The most suitable ones would be based on your environment, operation and resources. Check the following URL: http://www-t.zhwin.ch/ui/swp/documents/risk_assessment_approaches_f_136894.pdf For measurement and metrics: I do recommend following the ISO 27004 framework for information security measurement and metrics. ISO 27004 is still in draft; you can also use a British Standards Institute (BSI) document, BIP0074. ISO requires well-defined processes and an Information Security Management System (ISMS). This duo will ease your job to measure the effectiveness of information security. Let me know if you have a specific question, regards, - yinal ozkan”
Sunday, August 26, 2007
How can a company measure risk and security levels?