search menu icon-carat-right cmu-wordmark

Introduction to the OCTAVE Approach

User's Guide
In this 2003 report, the authors describe the OCTAVE method, an approach for managing information security risks.

Software Engineering Institute


This document describes the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), an approach for managing information security risks. It presents an overview of the OCTAVE approach and briefly describes two OCTAVE-consistent methods developed at the Software Engineering Institute (SEI).

The overall approach embodied in OCTAVE is described first, followed by a general description of the two methods: the OCTAVE Method for large organizations and OCTAVE-S1 for small organizations. Information is provided to assist the reader in differentiating between the two methods, including characteristics defining the target organization for each method as well as any constraints and limitations of each method. A series of questions is also provided to help readers determine which method is best for them. Readers are then directed to the appropriate Web site to download the method of their choice.

It should be noted that some organizations may need a hybrid or a combination of the two methods, or a completely different version of OCTAVE. A final chapter discusses some of the possible alternate versions.