This article is part of our Essential Guide: How to hone an effective vulnerability management program

How to use the RACI matrix for a security risk assessment

Expert Joseph Granneman explains how the RACI matrix can be used as part of an information security risk assessment.

Is it worthwhile to use the RACI matrix to assess human-related risks in an information security risk assessme...



The RACI matrix (also known as a responsibility assignment matrix) is definitely worthwhile to use in any risk assessment, including the evaluation of human-related risks. It was designed to define roles and relationships within any type of project or process, which gives it a great deal of flexibility. A RACI matrix can also serve as a management tool, because it lets you assign subtasks of the risk assessment to specific members of the information security team.

For those who are not familiar with the term "RACI," it is derived from the roles defined in the matrix: responsible, accountable, consulted and informed. An example RACI matrix for assessing a human-related risk for the category "password policy" would look like this:

[RACI matrix for the "Password Policy" risk category: only the category heading and the "Executives, Legal" cell survived extraction; the roles it assigned are described in the next paragraph.]
In the example, the responsibilities for the password policy become clear once they are put into the RACI matrix. The employees represent the risk for the password policy category. The CISO is responsible for mitigating that risk while also gathering input from other executives and legal staff. Auditors must be kept apprised of progress made to mitigate the risk. The process repeats with the next category of risk and continues until all of the potential risks have been identified, with the final product being a concise, easy-to-understand chart representing the human risks and the mitigations in place.
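As an added example (not code from the article or its author), the following Python builds the password-policy row exactly as the paragraph describes it, renders the chart, and checks the two consistency rules a reviewer normally applies to a RACI matrix: every risk category has exactly one Accountable stakeholder and at least one Responsible one. Two things are assumptions: the article does not say who is Accountable for the password policy, so the CISO is given both R and A here; and the second row, "Acceptable Use Policy", is constructed only to show what a gap looks like when the validation runs.

```python
"""Build and sanity-check a RACI matrix for human-related risk categories.

Added example; not the article's own code. The 'Password Policy' row follows
the article (CISO responsible; executives and legal consulted; auditors
informed). Giving the CISO the 'A' as well is an assumption, and the
'Acceptable Use Policy' row is constructed to demonstrate validate().
"""
from typing import Dict, List, Set

# RACI letters and what each one means.
ROLES = {"R": "Responsible", "A": "Accountable", "C": "Consulted", "I": "Informed"}


class RaciMatrix:
    """Rows are risk categories, columns are stakeholders, cells hold RACI letters."""

    def __init__(self, stakeholders: List[str]) -> None:
        self.stakeholders = list(stakeholders)
        self.rows: Dict[str, Dict[str, Set[str]]] = {}

    def assign(self, category: str, stakeholder: str, roles: str) -> None:
        """Give `stakeholder` the RACI letters in `roles` (e.g. "R" or "RA") for `category`."""
        if stakeholder not in self.stakeholders:
            raise KeyError(f"unknown stakeholder: {stakeholder}")
        bad = [r for r in roles if r not in ROLES]
        if bad:
            raise ValueError(f"unknown RACI role(s): {bad}")
        row = self.rows.setdefault(category, {})
        row.setdefault(stakeholder, set()).update(roles)

    def holders(self, category: str, letter: str) -> List[str]:
        """Stakeholders holding `letter` on the given row, in assignment order."""
        return [s for s, letters in self.rows.get(category, {}).items() if letter in letters]

    def validate(self) -> List[str]:
        """Return a list of problems; an empty list means the matrix is well-formed.

        Exactly one Accountable per row (two means nobody owns the decision,
        zero means it is unowned) and at least one Responsible per row
        (a mitigation nobody works on is a gap in the assessment).
        """
        problems: List[str] = []
        for category in self.rows:
            accountable = self.holders(category, "A")
            if len(accountable) != 1:
                problems.append(
                    f"{category}: expected exactly 1 Accountable, found {len(accountable)}"
                )
            if not self.holders(category, "R"):
                problems.append(f"{category}: no Responsible stakeholder assigned")
        return problems

    def render(self) -> str:
        """Render the chart as plain text, one row per risk category."""
        width = max(len(c) for c in list(self.rows) + ["Risk category"])
        header = "Risk category".ljust(width) + " | " + " | ".join(self.stakeholders)
        lines = [header, "-" * len(header)]
        for category, cells in self.rows.items():
            marks = []
            for s in self.stakeholders:
                letters = cells.get(s, set())
                text = "/".join(l for l in "RACI" if l in letters) or "-"
                marks.append(text.center(len(s)))
            lines.append(category.ljust(width) + " | " + " | ".join(marks))
        return "\n".join(lines)


def password_policy_example() -> RaciMatrix:
    """The article's password-policy row (CISO as Accountable is an assumption)."""
    m = RaciMatrix(["CISO", "Executives", "Legal", "Auditors"])
    m.assign("Password Policy", "CISO", "RA")
    m.assign("Password Policy", "Executives", "C")
    m.assign("Password Policy", "Legal", "C")
    m.assign("Password Policy", "Auditors", "I")
    return m


def gap_example() -> RaciMatrix:
    """Constructed second category with nobody Accountable, so validate() has something to flag."""
    m = password_policy_example()
    m.assign("Acceptable Use Policy", "CISO", "R")
    m.assign("Acceptable Use Policy", "Auditors", "I")
    return m


if __name__ == "__main__":
    matrix = gap_example()
    print(matrix.render())
    for problem in matrix.validate():
        print("PROBLEM:", problem)
```

Running the script prints the two-row chart followed by one problem line for the constructed "Acceptable Use Policy" row; the password-policy row passes both checks. Allowing a cell to hold more than one letter (rendered as "R/A") keeps the common case where one person both does the work and owns the outcome, while the validation still counts Accountables per row rather than per cell.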

This was last published in January 2014
