Introduction to COBRA

COBRA, or Consultative, Objective and Bi-functional Risk Analysis, consists of a range of risk analysis, consultative and security review tools. These were developed largely in recognition of the changing nature of IT and security, and the demands placed by business upon these areas. The first such undercurrent of change was the growing acceptance that IT security was a business issue. It was, and is, becoming largely expected that security reviews should be business-related, with cost-justified solutions and recommendations. Another issue is organizations’ desire for a more visible return on their security budgets. To achieve this, many adopt new approaches to the traditional constraints of lack of expertise, time, and finance.

Often, a formal risk analysis technique is employed. However, conventional methods and tools simply do not address the new demands placed by business management. Some go part of the way, but tend to introduce their own drawbacks and difficulties. COBRA, and its default methodology, evolved very much to tackle these issues properly. It was developed in full co-operation with one of the world’s major financial institutions and followed many years of research.

It was recognized that business users should be involved from the outset. This carries a number of advantages, and shapes the entire review. In addition, a number of other radical departures were called for. The result was a risk analysis methodology and tool that will meet the most stringent of requirements, fully satisfying the changing demands placed upon the security or audit team. This site will outline the main features of COBRA and provide some background on security risk analysis itself.