Task 2 -- Risk Analysis and Mitigation Flashcards

1
Q

Risk Analysis

A

Risk Analysis
In this step, the assessor combines all the information on assets, threats, and vulnerabilities and then considers the potential impact and prioritizes it based upon the consequences of a loss event. In all risk analyses, but particularly in quantitative ones, it is advisable to determine the evaluation levels (for threat, vulnerability, and impact) by committee. In other words, assessments should be performed by a multidisciplinary team of subject matter experts to reach credible and justifiable numbers as input into the analysis. Justifying the numbers is the matter on which assessors are most often challenged by clients, executives, and decision makers when reporting their risk analysis results.

2
Q

Risk Assessment Formula

A

Risk = (Threat × Vulnerability × Impact)^(1/3)

This formula, which multiplies the risk factors rather than adding them, recognizes that if any factor is zero, the resulting risk is zero (at that time and place). In this approach, the evaluation factors (threat, vulnerability, and impact) are each rated on a 0 to 100 scale. Such a scale is easy for people to understand because they are accustomed to thinking in terms of percentages. Taking the cube root places the overall risk figure back on the 0 to 100 scale, which is easy for people to understand and to visualize using charts and graphs.

Risk analysis results should be presented to the client or decision maker in a manner that helps them understand the data and make decisions. This includes placing the identified risks in a priority order or into priority categories to help show, from the assessor’s perspective, which risks should be addressed first.

3
Q

Risk Mitigation

A

Risk mitigation is one of four processes in the ESRM cycle. The goals and mission of an organization should be considered in selecting a risk mitigation approach. It is not practical to address all identified risks, so priority should be given to those risks that have the potential to cause significant mission impact or harm. The best practice is to use appropriate technologies from among the many effective security systems, along with appropriate structural/architectural features, and to bolster the strategy with the human element as well as strong policy and procedure control measures.

4
Q

Available options to address risk

A

The security practitioner has a range of options to address the risks faced by an organization or facility. Some options may not be available because they are not feasible or are too costly, financially or otherwise. Options include security measures to reduce the risk of the event, architectural improvements, security systems, policies and procedures, management practices, and security staffing. These categories are generally considered to be the security-related options. However, there are other options, including transferring the financial risk of loss through insurance coverage or contract terms (e.g., indemnification clauses in security services contracts) or simply accepting the risk as a cost of doing business. Any strategy or option chosen must be evaluated in terms of availability, affordability, and feasibility of application to the enterprise’s operation.

5
Q

Leveraging Outside Expertise

A

It is often advisable to involve a carefully selected vendor or outside consultant in the risk assessment process. An outsider brings a fresh view and is not tainted by previous opinions, prejudices, preferences, and organizational politics. Reputable consultants and vendors also bring expertise and up-to-date knowledge on best practices, products, and industry standards. Consultants or vendors should be chosen carefully, based on their specialty, experience, professionalism, and degree of independence. There must be a clear agreement among all parties on the purpose and scope of the project as well as the expected product.

To ensure maximum effectiveness, the consultant should design the system at the inception of the project. Otherwise, the project could accumulate small undocumented changes, known as scope creep, that could have a significant impact on it. As regulation and government oversight have expanded, using an outside resource to conduct a risk assessment may strengthen a company’s position during an audit.
