Mega-projects (sometimes also called "major programs") are extremely large-scale investment projects, typically costing more than US$1 billion per project. They include bridges, tunnels, highways, railways, airports, seaports, power plants, dams, wastewater projects, coastal flood protection, oil and natural gas extraction projects, public buildings, information technology systems, aerospace projects, and defense systems. Mega-projects have been shown to be particularly risky in terms of finance, safety, and social and environmental impacts.
In project management, risk assessment is an integral part of the risk management plan, studying the probability, the impact, and the effect of every known risk on the project, as well as the corrective action to take should an incident implied by a risk occur. Of special consideration in this area are the relevant codes of practice that are enforced in the specific jurisdiction. Understanding the regime of regulations that risk management must abide by is integral to formulating safe and compliant risk assessment practices.
One important difference in risk assessments in information security is modifying the threat model to account for the fact that any adversarial system connected to the Internet has access to threaten any other connected system. Risk assessments may therefore need to be modified to account for the threats from all adversaries, instead of just those with reasonable access as is done in other fields.
Another notable difference is the strategic nature of IT risk assessments. Unlike tactical vulnerability assessments and penetration testing which aim to identify and close specific gaps in security, IT risk assessments are functional at the executive level to examine the broader picture of IT risk management