Over time, the information security/risk management profession has developed a variety of methods for assessing risk within an organization. These methods often reflect the conditions and objectives of the organization being assessed (as understood by the assessor), the prevailing practices within the profession at the time, the experience and knowledge level of the assessor(s), as well as any bias or agenda the  assessor(s) might bring to the table. Another important factor that has often played a role is the definition of “risk” as used within the methodology. As a result of these variables, risk assessment results have varied widely in terms of consistency, accuracy, and utility to management. This  Guide seeks to identify and articulate the characteristics that make up effective risk assessment methodologies, thus providing a standard set of guidelines for risk assessment methodologies