The foundational step in a risk-based approach to cybersecurity is asset management, which begins with identifying and valuing assets. To categorize and prioritize systems for protection based on the sensitivity of their content (confidentiality, integrity, and availability), a security analyst must first determine the value of each asset. This valuation dictates the level of security controls required and guides all subsequent risk management activities, such as vulnerability scanning and control implementation. Without understanding the asset's value, it is impossible to appropriately prioritize security efforts or justify the cost of protective measures.

A. Interviewing users is a useful data-gathering step, but it does not establish the authoritative business value or impact, which is necessary for formal categorization.

B. Scanning for vulnerabilities is a subsequent step in risk assessment. The criticality of a vulnerability is determined by its potential impact on a valued asset.

C. Configuring alerts is a proactive security control. This action is typically performed after systems have been categorized and appropriate security baselines have been established.

1. National Institute of Standards and Technology (NIST) Special Publication 800-30

Revision 1

Guide for Conducting Risk Assessments. Section 2.2

"Conduct Assessment

" outlines the process which begins with identifying assets and their value to determine the impact of a loss of confidentiality

integrity

or availability. Specifically

Task 2-3

"Determine impact

" relies on the value of the system and data.

2. Federal Information Processing Standards (FIPS) Publication 199

Standards for Security Categorization of Federal Information and Information Systems. Section 3

"Security Categorization

" states

"The first step in the security categorization process is to identify the information types processed

stored

or transmitted by the information system." This process is directly tied to determining the value and sensitivity of the information asset to establish a security category.

3. Purdue University

Information Security Risk Management (CS 52600) Courseware. The risk management lifecycle taught in this program begins with "Asset Identification and Valuation

" establishing it as the prerequisite step before threat analysis or vulnerability assessment. This is a standard model in academic cybersecurity curricula.