Domain Based Security

A variant of the approach is used by the UK government's HMG Infosec Standard No.1 technical risk-assessment method.

It is a model-based approach to information assurance that describes the requirements for security in an organisation, taking account of the business that needs to be supported.

The model is based around the concept of a security domain, which represents a logical place where people work with information using a computer system, and which has connections with other security domains where this is necessary to support business activity.

[4] The modelling technique was applied to some major projects for the MOD and, as a result of this experience, the graphical modelling techniques were revised and a rigorous risk assessment method, based on the concept of compromise paths, was developed.

[8] This model forms the basis for conducting a systematic and rigorous risk assessment.

The key factors determining the risk to a particular focus of interest are:

This risk framework is applied in a systematic fashion to an organisation-specific Infosec architecture model, representing the security-relevant features of an organisation's business and IT systems.

Through this process, a set of Compromise Paths can be systematically described and the relative effectiveness of different countermeasures can be assessed.