How to use the RACI matrix for a security risk assessment

Is it worthwhile to use the RACI matrix to assess human-related risks in an information security risk assessment?

Ask the expert

The RACI matrix (also known as a responsibility assignment matrix) is worthwhile to use in any risk assessment, including the evaluation of human-related risks. It was designed to define roles and relationships within any project or process, so it adapts readily to the risk assessment workflow. It also serves as a management tool, because it lets you assign the subtasks of the risk assessment to specific information security team members and record who owns each one.

For those who are not familiar with the term "RACI," it is derived from the four roles defined in the matrix: responsible (the person or group that does the work), accountable (the single owner who answers for the outcome and signs it off), consulted (those whose input is sought before a decision), and informed (those who are kept up to date on progress). An example RACI matrix row for assessing a human-related risk in the category "password policy" would look like this:

Category          Risk        Responsible   Accountable        Consulted            Informed
Password Policy   Employees   CISO          (not preserved)    Executives, Legal    Auditors

In the example, the responsibilities for the password policy become clear once they are placed in the RACI matrix. The employees represent the risk for the password policy category. The CISO is responsible for mitigating that risk, gathering input from other executives and legal staff along the way. Auditors must be kept apprised of progress made in mitigating the risk. The process then repeats with the next category of risk and continues until all of the potential risks have been identified. The final product is a concise, easy-to-understand chart that shows each human risk, who owns its mitigation, and who must be consulted or informed.

This was first published in January 2014
