4. Risk Analysis Flashcards
Assessment Of Consequences
Input
A list of identified relevant incident scenarios, including identification of threats, vulnerabilities, affected assets, consequences to assets and business processes.
Action
The business impact on the organization that can result from possible or actual information security incidents should be assessed, taking into account the consequences of a breach of information security such as loss of confidentiality, integrity or availability of the assets.
Implementation guidance
After identifying all assets under review, values assigned to these assets should be taken into account while assessing the consequences.
A business impact concept is used to measure consequences. The business impact value can be expressed in qualitative and quantitative
Output
A list of assessed consequences of an incident scenario expressed with respect to assets and impact criteria.
Assessment Of Likelihood
Input
A list of identified relevant incident scenarios, including identification of threats, affected assets, exploited vulnerabilities and consequences to assets and business processes. Also, lists of all existing and planned controls, their effectiveness, implementation and usage status.
Action
The likelihood of the incident scenarios should be assessed.
Implementation guidance
After identifying the incident scenarios, it is necessary to assess the likelihood of each scenario and impact occurring, using qualitative or quantitative analysis techniques. This should take account of how often the threats occur and how easily the vulnerabilities can be exploited.
Output
Likelihood of incident scenarios (quantitative or qualitative).
Level Of Risk Determination
Input
A list of incident scenarios with their consequences related to assets and business processes and their likelihood (quantitative or qualitative).
Action
The level of risk should be determined for all relevant incident scenarios.
Implementation guidance
Risk analysis assigns values to the likelihood and the consequences of a risk. These values can be quantitative or qualitative. Risk analysis is based on assessed consequences and likelihood.
Additionally, it can consider cost-benefit, the concerns of stakeholders, and other variables, as appropriate for risk evaluation. The estimated risk is a combination of the likelihood of an incident scenario and its consequences.
Output
A list of risks with value levels assigned.