The OCTAVE-S methodology involves 3 phases to evaluate operational threats, assets, and vulnerabilities. Phase 1 involves building asset-based threat profiles by identifying impact criteria, important organizational assets, security practices, and defining threat profiles for critical assets. Phase 2 identifies infrastructure vulnerabilities by analyzing how people access critical assets and who maintains components. Phase 3 develops a security strategy and mitigation plans by identifying risks to critical assets and deciding on approaches to address the risks.