It seems to me that self-assessment of risk is a difficult process to understand and execute, primarily because the employees who are asked to assess the risk in their business process, a) don’t really understand the notion of risk and b) don’t really care.  Let’s face it – risk is difficult to understand, since it is a function of many different, often-interdependent variables.
So the question I am going to pose today is:  What is the best way to do a risk assessment?
and the answer is: Start by asking the right questions.
Let’s say that you have the job to collect data for a risk assessment in your business unit. You sit down with the security and compliance manager and schedule meetings with people in the unit. You figure you’re going to be less than thrilled with the quality of information you receive and the employees may not be excited by your standard checklist questions. However, you know that whistleblowing is innate in all of us and it’s worth trying to get to first base.
Drop the compliance checklist and use an attack modeling approach instead.
Explain the notion of valuable company assets, vulnerabilities, threats that exploit vulnerabilities and security countermeasures. It will take a few minutes and every employee I’ve ever met will grok the concept immediately. For starters – ask 7 questions (you notice how all the process improvement methodologies always have 7 steps…)

1. What is the single most important asset in your job?
2. What do you think is the single biggest threat to that asset?
3. How do you think attackers cause damage to the asset?
4. Can you give me one example of a security exploit (on conditions of non-disclosure)?
5. If you could give the risk and compliance manager one suggestion, what would it be?
6. If you had to give the CEO one suggestion, what would it be?
7. If you had to give President Obama one suggestion on how to reduce the threat of global terror, what would it be?