Task 2 -- General Risk Assessment Models Flashcards

1
Q

A comprehensive risk assessment begins by identifying and placing some value (either absolute or relative) on the organization’s assets.

A
2
Q

Conditions that tend to increase assets’ exposure to the risk of loss can be divided into these categories:

A

PHYSICAL, NONPHYSICAL, and LOGICAL

PHYSICAL: Includes factors such as the organization’s types and locations of facilities or campuses, its surroundings, the amount of pedestrian or vehicular traffic, the amount of nonemployee access needed for the organization to operate, the operational technology or industrial control systems needed for the organization to operate, and the sensitivity and criticality of on-site processes and assets.

NONPHYSICAL: Includes factors such as the geo-political landscape; culture; industry pressures; legal, regulatory and compliance requirements; intensity of competition; organizational growth mode; speed of decision making; and willingness to adopt technology.

LOGICAL: Includes information and digital assets and the network or digital space that connects them to each other and to their users and stakeholders. Examples include network infrastructure, network connectivity, servers, workstations, and other network devices and endpoints.

3
Q

Qualitative and Quantitative Methods

A

Qualitative analysis includes any approach that does not use numbers or numeric values to describe the risk components. Generally, comparative terms such as critical, high, medium, low, and negligible may be used to gauge the asset value and levels of risk components and risk itself. This is most suitable when evaluating basic security applications.

Quantitative analysis includes any approach that uses numeric measures to describe the value of assets or the level (severity or probability) of threats, vulnerabilities, impact, or loss events. It can vary from simple scale ratings (e.g., 1 to 5) to sophisticated statistical methods and mathematical formulas. This method is used to measure the effectiveness of a physical protection system whose primary functions are to detect, delay, and respond.
Many executive decision makers prefer information to be summarized in charts and graphs, which can display a great deal of data in a concise manner. This is a strong argument for using a quantitative approach. The other major advantage is the ability to manipulate the data automatically using computer programs and algorithms.
