ETSI TR 104 117 V1.1.1 (2025-12)
Cyber Security (CYBER); Risk Management Ecosystem
TECHNICAL REPORT
Cyber Security (CYBER);
Risk Management Ecosystem
Reference
DTR/CYBER-00141
Keywords
cybersecurity, risk management
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871
Important notice
The present document can be downloaded from the
ETSI Search & Browse Standards application.
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format on ETSI deliver repository.
Users should be aware that the present document may be revised or have its status changed,
this information is available in the Milestones listing.
If you find errors in the present document, please send your comments to
the relevant service listed under Committee Support Staff.
If you find a security vulnerability in the present document, please report it through our
Coordinated Vulnerability Disclosure (CVD) program.
Notice of disclaimer & limitation of liability
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of
experience to understand and interpret its content in accordance with generally accepted engineering or
other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law
and/or governmental rule and/or regulation and further, no representation or warranty is made of merchantability or fitness
for any particular purpose or against infringement of intellectual property rights.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.
Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not
limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property
rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages
for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use
of or inability to use the software.
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© ETSI 2025.
All rights reserved.
Contents
Intellectual Property Rights
Foreword
Modal verbs terminology
Introduction
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definition of terms, symbols and abbreviations
3.1 Terms
3.2 Symbols
3.3 Abbreviations
4 History
4.1 Timeline of risk management
4.2 Early period 1940 - 1995
4.3 Contemporary period after 1995
4.4 Emerging trends: software assurance and expansion of venues
5 Risk management ecosystem
5.0 The ecosystem ontology
5.1 Core Risk management process standards
5.2 Risk management derivative standards clusters
5.2.1 International standards
5.2.2 National standards
5.2.3 Industry sector guidelines
5.2.4 Implementation tools market
5.2.5 Legal obligations
Annex A: Bibliography
History
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations
pertaining to these essential IPRs, if any, are publicly available for ETSI members and non-members, and can be
found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to
ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the
ETSI IPR online database.
Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs,
including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not
referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become,
essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its
Members. 3GPP™, LTE™ and 5G™ logo are trademarks of ETSI registered for the benefit of its Members and of the
3GPP Organizational Partners. oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and of
the oneM2M Partners. GSM® and the GSM logo are trademarks registered and owned by the GSM Association.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Introduction
ICT risk management has existed, in various forms, since the inception of telecommunication and computational
systems over the centuries, as a means of achieving sufficient levels of security or resilience against threats and
vulnerabilities.
The risk management ecosystem basically consists of sets of tools or processes that allow an assessment of the
sufficiency of security or resilience for a particular device or system in a particular context, followed by the application
of corrective measures.
After digital network technology evolved significantly in 1964, bringing about the merger of telecommunication and
computer systems, risk management initiatives emerged almost immediately within the U.S. Federal government as sets
of processes. As increasingly complex, open and autonomous ICT infrastructures and products emerged over the
decades, a continuing series of risk management initiatives and tools was developed. After 2010, the threats and
complexities increased significantly and resulted in major risk management efforts worldwide. Recently, risk
management has manifested as DevSecOps, encompassing the iterative risk management cycles of software/product
development, operational use, threat discovery and remediation. After 2020, the European Union integrated risk
management into multiple legislative instruments and the activities of EU bodies.
Although cyber risk management largely emerged in the U.S. Federal government, it spread in cycles to enterprises of
all kinds and worldwide. As the recent seminal SIPRI study on comparative cyber risk management concludes:
• China, Russia, the USA and the EU exhibit a number of terminological and regulatory similarities, but also
differences that merit greater exploration for their impacts on cyber risk reduction.
• While their systems of governance differ, China, the USA and the EU each demonstrate cases of interagency
and public–private sector coordination in establishing and implementing their regulatory frameworks in
cyberspace. However, they each face challenges when it comes to jurisdictional overlap and clarity of roles,
which creates tensions and a need to deconflict these cyber risk reduction initiatives. Among their similarities,
China, Russia, the USA and the EU are all integrating regulatory measures to secure their supply chains by
vetting, limiting or even prohibiting foreign hardware and software, while seeking to mitigate potential misuse
of CII, and personal and government data. Furthermore, all four actors are at varying stages of integrating
liability and penalties for non-compliance into their evolving regulations [i.42].
1 Scope
The present document provides an overview of the history and facets of the risk management ecosystem. The overview
includes the history of this activity, the concepts and specifications that emerged, the diverse venues, use cases, and the
contemporary state-of-the-art mechanisms for meeting imposed obligations.
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's
understanding, but are not required for conformance to the present document.
[i.1] Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on
horizontal cybersecurity requirements for products with digital elements and amending
Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber
Resilience Act) (Text with EEA relevance).
[i.2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on
measures for a high common level of cybersecurity across the Union, amending Regulation (EU)
No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2
Directive) (Text with EEA relevance).
[i.3] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022
on digital operational resilience for the financial sector and amending Regulations (EC)
No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011
(Text with EEA relevance).
[i.4] European Commission: "Risk Management in the Commission, Implementation Guide".
[i.5] NIST: "Risk Management History".
[i.6] National Bureau of Standards FIPS 31: "Guidelines for Automatic Data Processing Physical
Security and Risk Management (1974)".
[i.7] National Bureau of Standards: "FIPS 41, Computer Security Guidelines for Implementing the
Privacy Act of 1974 (1975)".
[i.8] National Bureau of Standards FIPS 65: "Guidelines for Automatic Data Processing Risk Analysis
(1979)".
[i.9] RAND: "Security Controls for Computer Systems", February 1970.
[i.10] GovernmentAttic: "Five (5) Defense Science Board (DSB) reports, 1974-1978".
[i.11] MITRE: "Proposed Technical Evaluation Criteria for Trusted Computer Systems." (Nibaldi
Report).
[i.12] Common Criteria for Information Technology Security Evaluation.
[i.13] RAND Corp: "RM-3420-PR, On Distributed Communications: Introduction to Distributed
Communication Networks", August 1964.
[i.14] AFIPS Proceedings: Bernard Peters: "Security considerations in a multi-programmed computer
system", April 1967.
[i.15] IEEE Computer Society, Lipner: "The Birth and Death of the Orange Book", 2015.
[i.16] National Computer Security Conferences (1979-2000).
[i.17] FAS: "NSA/NCSC Rainbow Series".
[i.18] NIST NISTIR 90-4262: "Secure Data Network System (SDNS) Key Management Documents",
1990.
[i.19] National Bureau of Standards FIPS 500-153: "Guide to Auditing for Controls and Security",
April 1988.
[i.20] NIST SP 800-12: "An Introduction to Computer Security", October 1995.
[i.21] NIST SP 800-12 Rev.1: "An Introduction to Information Security", June 2017.
[i.22] NIST SP 800-39: "Managing Information Security Risk", March 2011.
[i.23] NIST SP 800-160 Vol. 1: "Engineering Trustworthy Secure Systems", November 2022.
[i.24] NIST SP 800-60 Rev.2: "Guide for Mapping Types of Information and Systems to Security
Categories", January 2024.
[i.25] NIST SP 800-53A Rev.5: "Assessing Security and Privacy Controls in Information Systems and
Organizations", January 2022.
[i.26] BlackDuck: "Security Risk Assessment Threat Modelling Best Practices".
[i.27] NIST SP800-37 Rev.2: "Risk Management Framework for Information Systems and
Organizations: A System Life Cycle Approach for Security and Privacy", December 2018.
[i.28] NIST SP800-137A: "Assessing Information Security Continuous Monitoring (ISCM) Programs:
Developing an ISCM Program Assessment", May 2020.
[i.29] ETSI TS 103 305-1: "Cyber Security (CYBER); Critical Security Controls for Effective Cyber
Defence; Part 1: The Critical Security Controls".
[i.30] CIS: "Controls Mapping to NIST SP 800-53".
[i.31] ENISA: "Risk Management Standards", March 2022.
[i.32] BSI: "DIN 27076: Cyber RisikoCheck", May 2023.
[i.33] CIS: "Risk Assessment Method 2.0".
[i.34] NCSC: "Risk Management, 2.0".
[i.35] ANSSI: "EBIOS Risk Manager".
[i.36] NIST SP 800-218: "Secure Software Development Framework (SSDF) Version 1.1",
February 2022.
[i.37] NIST SP 1800-44A: "Secure Software Development, Security, and Operations (DevSecOps)
Practices", July 2025.
[i.38] USDOD: "DevSecOps Continuous Authorization Implementation Guide", March 2024.
[i.39] OWASP: "The OWASP Risk Assessment Framework".
[i.40] U.S. Dept. of Defense: "DevSecOps Fundamentals Guidebook: DevSecOps Tools and Activities",
March 2021.
[i.41] NIST AI 100-1: "Artificial Intelligence Risk Management Framework", January 2023.
[i.42] SIPRI: "Cyber Risk Reduction in China, Russia, the United States and the European Union",
June 2024.
[i.43] Fair Institute: "FAIR Risk Management".
[i.44] USDOD: "DOD Instruction 8510.01, Risk Management Framework for DOD Systems",
July 2022.
[i.45] NIST: "NIST Risk Management Framework (RMF)".
[i.46] ReversingLabs: "Assess & Manage Commercial Software Risk".
[i.47] Wikipedia: "Risk Management Framework".
[i.48] ETSI TS 102 165-1: "Cyber Security (CYBER); Methods and protocols; Part 1: Method and pro
forma for Threat, Vulnerability, Risk Analysis (TVRA)".
[i.49] ETSI TR 103 937: "Cyber Security (CYBER); Cyber Resiliency and Supply Chain Management".
[i.50] centraleyes: "7 Best Cyber Risk Management Platforms of 2024".
[i.51] XM Cyber: "Continuous Threat Exposure Management (CTEM)".
[i.52] NTIA: "Cyber Risk Management (CSCRM)".
[i.53] Cyber Risk Institute: "Cyber Profile for the Financial Sector".
[i.54] Sedona Conference: "The Sedona Conference Commentary on a Reasonable Security Test", The
Sedona Conference Journal, Vol 22, 2021.
[i.55] NIST: "Software Security in Supply Chains: Software Bill of Materials (SBOM)", November
2024.
[i.56] Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on
ENISA (the European Union Agency for Cybersecurity) and on information and communications
technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity
Act) (Text with EEA relevance).
[i.57] Consolidated text: Commission Implementing Regulation (EU) 2024/482 of 31 January 2024
laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and
of the Council as regards the adoption of the European Common Criteria-based cybersecurity
certification scheme (EUCC) (Text with EEA relevance).
[i.58] ENISA: "Cyber Resilience Act implementation via EUCC and its applicable technical elements".
[i.59] CEN/CENELEC: "A Risk-Based Approach to Sectoral Cybersecurity: Introducing EN
18037:2025", 16 April 2025.
[i.60] NSA: "The 60 Minute Network Security Guide (First Steps Towards a Secure Network
Environment)", 16 October 2001.
[i.61] NSA: "Guide to Securing Microsoft Windows 2000 Group Policy: Security Configuration Tool
Set", May 2001.
[i.62] ETSI TR 103 305-4: "Cyber Security (CYBER); Critical Security Controls for Effective Cyber
Defence; Part 4: Facilitation Mechanisms".
[i.63] Commission Delegated Regulation (EU) 2022/30 of 29 October 2021 supplementing Directive
2014/53/EU of the European Parliament and of the Council with regard to the application of the
essential requirements referred to in Article 3(3), points (d), (e) and (f), of that Directive (Text
with EEA relevance).
[i.64] ETSI TR 104 034: "Cyber Security (CYBER); Software Bill of Materials (SBOM) Compendium".
[i.65] ISO/IEC 27005:2022: "Information security, cybersecurity and privacy protection — Guidance on
managing information security risks".
[i.66] ISO/IEC 31000:2018: "Risk management — Guidelines".
[i.67] NIST SP 800-128: "Guide for Security-Focused Configuration Management of Information
Systems", October 2019.
[i.68] NIST SP 800-61 Rev.3: "Incident Response Recommendations and Considerations for
Cybersecurity Risk Management", April 2025.
[i.69] NIST SP 800-34 Rev.1: "Contingency Planning Guide for Federal Information Systems",
March 2023.
[i.70] NSA/CSS: "Cybersecurity Advisories & Guidance".
[i.71] ENISA: "Risk Management".
[i.72] ENISA: "Compendium of Risk Management Frameworks with Potential Interoperability",
January 2022.
[i.73] ENISA: "Interoperable EU Risk Management Framework", January 2023.
[i.74] ENISA: "Interoperable EU Risk Management Toolbox", February 2023.
[i.75] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on
electronic identification and trust services for electronic transactions in the internal market and
repealing Directive 1999/93/EC.
[i.76] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
(Text with EEA relevance).
[i.77] BSI TR-03183-2: "Cyber Resilience Requirements for Manufacturers and Products; Software Bill
of Materials (SBOM)", October 2024.
[i.78] Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for
the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as
regards the adoption of the European Common Criteria-based cybersecurity certification scheme
(EUCC).
[i.79] US DOD: "Chief Information Officer Library".
[i.80] NIST SP 800-161 Rev.1 Upd.1: "Cybersecurity Supply Chain Risk Management Practices for
Systems and Organizations", January 2024.
[i.81] CISA: "National Risk Management Center Cybersecurity Division".
[i.82] CISA: "Guide to Getting Started with a Cybersecurity Risk Assessment", 2022.
[i.83] CISA: "SBOM Resources Library".
[i.84] NIST SP 1305: "NIST Cybersecurity Framework 2.0: Quick-Start Guide for Cybersecurity Supply
Chain Risk Management (C-SCRM)", February 2024.
[i.85] CISA: "A Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management",
2023.
[i.86] NIST NISTIR 8376: "Key Practices in Cyber Supply Chain Risk Management: Observations from
Industry", February 2021.
[i.87] NSA: "Securing the Software Supply Chain: Recommended Practices Guide for Customers",
October 2022.
[i.88] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying
down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008,
(EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and
Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (Text
with EEA relevance).
3 Definition of terms, symbols and abbreviations
3.1 Terms
For the purposes of the present document, the following terms apply:
risk: any event or issue that could occur and adversely impact the achievement of an organisation's operational or
strategic objective
risk management: continuous, proactive and systematic process of identifying, assessing and managing risks in line
with the accepted risk levels, carried out at every level of an organisation to provide reasonable assurance
EXAMPLE: Making more reasoned decisions (justifying why certain decisions were taken, what risk factors
were considered, etc.); improving efficiency (aligning risk levels and resource and control system
allocations); reinforcing the reliability of management systems (ensuring key risks have been taken
into consideration and that internal control systems have been adequately reinforced) [i.4].
threat surface: total scope of potential threats that could exploit vulnerabilities within a system or network
NOTE: The SIPRI report on comparative cyber risk management regimes provides a useful juxtaposition of
terminology [i.42].
3.2 Symbols
Void.
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
AFIPS American Federation of Information Processing Societies
AI Artificial Intelligence
ANSSI Agence nationale de la sécurité des systèmes d'information (FR)
ATO Authorization To Operate
BSI Bundesamt für Sicherheit in der Informationstechnik (DE)
CAS Controls Assessment Specification
cATO Continuous Authorization To Operate
CBOM Cybersecurity Bill of Materials
CSCRM Cyber Security Risk Management
CSS Central Security Service
DAST Dynamic Application Security Testing
DSB Defense Science Board (US)
EBIOS Expression des Besoins et Identification des Objectifs de Sécurité
HBOM Hardware Bill of Materials
NBS National Bureau of Standards (US)
NCSC National Computer Security Conference (US)
NCSC National Cyber Security Centre (UK)
NIST National Institute of Standards and Technology (US)
NSA National Security Agency (US)
RAF Risk Assessment Framework
RAM Risk Assessment Method
RMF Risk Management Framework
SAST Static Application Security Testing
SBOM Software Bill of Materials
SDNS Secure Data Network System
SIPRI Stockholm International Peace Research Institute
SNAC Systems and Network Attack Center
4 History
4.1 Timeline of risk management
The long historical arc of risk management across the past 60 years, together with the highlights described in
subsequent clauses, is depicted in Figure 4.1-1. The timeline depicts how risk and its management arose at the outset of
contemporary cybersecurity with the integration of computer systems and digital networks, followed by recurrent
initiatives that increased significantly in scope and diversity after 2005 as threat surfaces and adverse consequences
expanded.
Figure 4.1-1: Risk Management Timeline
It is noted that risk management requires comprehensive risk identification, and recent EU legislation (see CRA [i.1],
NIS2 [i.2] and RED [i.63] as examples) requires that the provision of security measures be "risk based", which therefore
assumes that both risk management and risk identification actions are in place.
4.2 Early period 1940 - 1995
The earliest discussions of risk management in contemporary computer systems and networks appear to have arisen at
the RAND Corporation concurrently with its research staff conceptualising packet-based digital networks [i.13]. The
next six years witnessed significant studies between RAND and the NSA, resulting in a set of initial papers dealing
with risk management at the seminal April 1967 AFIPS Atlantic City Conference [i.14]. The five basic tenets were set
out by NSA's lead computer scientist, Bernard Peters, at that conference:
1) "security cannot be attained in the absolute sense;
2) every security system seeks to attain a probability of loss which is commensurate with the value returned by
the operation being secured;
3) for each activity which exposes private, valuable, or classified information to possible loss, it is necessary that
reasonable steps be taken to reduce the probability of loss;
4) any loss which might occur must be detected;
5) there are several minimum requirements to establish an adequate security level for the software of a large
multi-programmed system with remote terminals."
The AFIPS Conference was followed by an initial RAND Report to the Defense Science Board in 1970, which
underscored Peters' basic tenets. That document, often referred to as the Willis Ware Report after its author, identified
a set of 29 inherent "computer network vulnerabilities" and set the stage for the risk management activities that would
follow over subsequent decades [i.9]. The Board served at the time as a means for industry collaboration among multiple
U.S. national security agencies on evolving risk management challenges [i.10].
Figure 4.2-1: Ware Computer Network Vulnerabilities [i.9]
In 1972, the US National Bureau of Standards (NBS) launched its Risk Management Program followed by its
publication in June 1974 of FIPS 31 guidelines on risk management for computer security [i.6]. FIPS 31 was very
comprehensive in addressing most of the identified Ware Report vulnerabilities - consisting of eleven different sets of
action ranging from physical security to supporting utilities to envisioning local disasters. It included the conduct of a
risk analysis consisting of an estimate of potential losses from different threats, estimating the probability of their
occurrence, and remedial measures.
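As an added illustration of the risk analysis FIPS 31 describes (an estimate of potential losses from different threats, the probability of their occurrence, and remedial measures), the following Python, which is not part of the present document nor of FIPS 31 or FIPS 65, computes an annual loss expectancy for each threat and then selects safeguards whose avoided loss exceeds their cost. The threat figures, safeguard names and reduction factors are constructed for the example; the greedy cost-benefit selection is a generic method, not one prescribed by FIPS 31.

```python
"""Quantitative risk analysis of the kind FIPS 31 called for: estimated loss
per threat, estimated frequency of occurrence, and remedial measures compared
by the expected loss they avoid versus their cost.

Added example. All figures below are constructed; they are not taken from
FIPS 31, FIPS 65 or any other document.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    annual_frequency: float   # expected occurrences per year (ARO)
    loss_per_event: float     # expected loss per occurrence (SLE), currency units


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    # Fraction by which the safeguard reduces a threat's annual frequency,
    # keyed by threat name (0.0 = no effect, 1.0 = eliminates the threat).
    # Constructed estimates for the example.
    frequency_reduction: dict = field(default_factory=dict)


def annual_loss_expectancy(threat: Threat) -> float:
    """ALE for one threat: frequency per year times loss per event."""
    return threat.annual_frequency * threat.loss_per_event


def total_ale(threats, safeguards=()) -> float:
    """Sum of ALE over all threats with the given safeguards in place.

    When several safeguards act on the same threat their effects compound
    multiplicatively: the remaining fraction is prod(1 - r_i).
    """
    total = 0.0
    for t in threats:
        remaining = 1.0
        for s in safeguards:
            remaining *= 1.0 - s.frequency_reduction.get(t.name, 0.0)
        total += annual_loss_expectancy(t) * remaining
    return total


def net_benefit(threats, safeguard: Safeguard, already=()) -> float:
    """Loss avoided per year by adding `safeguard` on top of `already`,
    minus its annual cost. Positive means it pays for itself."""
    before = total_ale(threats, already)
    after = total_ale(threats, tuple(already) + (safeguard,))
    return (before - after) - safeguard.annual_cost


def select_safeguards(threats, candidates):
    """Greedy selection: repeatedly add the candidate with the largest net
    benefit given what is already selected; stop when none pays off.
    Because effects compound, a safeguard that looked worthwhile alone can
    drop below zero once another safeguard has already cut the same threat."""
    chosen = []
    remaining = list(candidates)
    while remaining:
        best = max(remaining, key=lambda s: net_benefit(threats, s, chosen))
        if net_benefit(threats, best, chosen) <= 0:
            break
        chosen.append(best)
        remaining.remove(best)
    return chosen


# Constructed sample input for a 1970s-style data processing installation.
THREATS = (
    Threat("fire in machine room", 0.02, 2_000_000.0),      # ALE  40 000
    Threat("power failure", 2.0, 5_000.0),                   # ALE  10 000
    Threat("unauthorised remote access", 0.5, 300_000.0),    # ALE 150 000
    Threat("operator error", 12.0, 1_000.0),                 # ALE  12 000
)
CANDIDATES = (
    Safeguard("sprinklers and fire detection", 8_000.0,
              {"fire in machine room": 0.75}),
    Safeguard("uninterruptible power supply", 15_000.0,
              {"power failure": 0.9}),
    Safeguard("terminal access control and audit logging", 40_000.0,
              {"unauthorised remote access": 0.8, "operator error": 0.25}),
    Safeguard("operator training", 5_000.0,
              {"operator error": 0.5}),
)

if __name__ == "__main__":
    chosen = select_safeguards(THREATS, CANDIDATES)
    print(f"ALE before safeguards: {total_ale(THREATS):,.0f}")
    for s in chosen:
        print(f"  select: {s.name}")
    print(f"ALE after safeguards:  {total_ale(THREATS, chosen):,.0f}")
```

Running the block shows the interaction the FIPS-era method had to handle: operator training is worthwhile on its own, but once access control and audit logging have already reduced operator error exposure, its avoided loss no longer covers its cost, so it is not selected.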
FIPS 41 followed in 1975 and provided a greater level of structure and detailed standards for security risk assessments
and safeguard selection, physical security, information management practices, and systems security [i.7]. Security risk
assessment included five different categories:
1) accidents, errors, and omissions;
2) risks from uncontrolled system access;
3) risks from authorized users of personal data;
4) risks from the physical environment and from malicious destructive acts;
5) risks from deliberate penetrations.
The next cluster of developments occurred between 1978 and 1983 with the multiple initiatives and increasingly public
activities of NSA's National Computer Security Center (NCSC) related to risk management. It published sets of
technical reports, guides and standards for secure computer systems that subsequently became known as the Rainbow
Series [i.15]. The institution of the National Computer Security Conferences provided a means for broad industry
collaboration on risk management initiatives and challenges and vetting a significant number of seminal cybersecurity
developments which continue today [i.16].
Among these materials was Grace Hammonds Nibaldi's landmark 1979 work at MITRE on the technical evaluation of
trusted computer systems, which became known as the Nibaldi Report [i.11]. She proposed a risk management schema
with specific measures consisting of six protection levels, with the "residual risks" enumerated at every level. In this
period, NBS published further guidelines for risk analysis as FIPS 65 in late 1979 [i.8], followed by the initial Orange
Book from NSA's NCSC [i.17]. The set represents perhaps the most exhaustive set of cybersecurity methods and
standards for computer system
...