
How to use the RACI matrix for a security risk assessment

Expert Joseph Granneman explains how the RACI matrix can be used as part of an information security risk assessment.

Is it worthwhile to use the RACI matrix to assess human-related risks in an information security risk assessme...



The RACI matrix (also known as a responsibility assignment matrix) is definitely worthwhile to utilize in any risk assessment, including the evaluation of human-related risks. It was designed to determine roles and relationships within any type of project or process, which allows for an incredible amount of flexibility. A RACI matrix can easily be used as a management tool because it provides the ability to assign subtasks of the risk assessment to various information security team members.

For those who are not familiar with the term "RACI," it is derived from the roles defined in the matrix: responsible, accountable, consulted and informed. An example RACI matrix for assessing a human-related risk for the category "password policy" would look like this:

[RACI matrix for the risk category "Password Policy"; only two cells survive extraction: the category "Password Policy" and the consulted parties "Executives, Legal". The remaining role assignments are described in the paragraph that follows.]

In the example, the responsibilities for the password policy become clear when put into the RACI matrix. The employees represent the risk for the password policy category. The CISO is responsible for mitigating that risk while also gathering input from other executives and legal staff. Auditors must be kept apprised of progress made to mitigate the risk. This process repeats with the next category of risk and continues until all of the potential risks have been identified, with the final product being a concise, easy-to-understand chart representing the human risks and mitigations in place.

This was last published in January 2014
