2.4 Risk Assessment 29
Chapter 2
Estimating the likelihood that such threats will materialize, based on historical information and judgment of knowledgeable individuals.
Identifying and ranking the value, sensitivity, and criticality of the operations and assets that could be affected should a threat materialize, in order to determine which operations and assets are the most important. This is sometimes referred to as “asset characterization” and will be described later in this chapter.
Estimating, for the most critical and sensitive assets and operations, the potential losses or damage that could occur if a threat materializes, including recovery costs.
Identifying cost-effective actions to mitigate or reduce the risk. These actions can include implementing new organizational policies and procedures, as well as technical or physical controls.
Documenting the results and developing an action plan.
2.4.2 Risk Assessment Models
There are various models and methods for assessing risk, and the extent of an analysis and the resources expended can vary depending on the scope of the assessment and the availability of reliable data on risk factors. In addition, the availability of data can affect the extent to which risk assessment results can be reliably quantified. A quantitative approach generally estimates the cost of risk and risk-reduction techniques based on three things:
1. The likelihood that a damaging event will occur
2. The costs of potential losses
3. The costs of mitigating actions that could be taken
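The three quantities above combine into an annualized expected loss (likelihood multiplied by cost of loss) that can be set against the cost of each candidate control. The following is an added worked example, not code from the book; the assets, threats, likelihoods, loss figures, controls and the residual-likelihood factors are all constructed sample values, and the qualitative bands used to label the results are an assumption chosen for illustration.

```python
"""Quantitative risk model: expected loss per asset/threat pair, and a
cost-benefit ranking of mitigating controls.  Added example with
constructed figures; not the book's own method or data."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    annual_likelihood: float   # estimated probability the event occurs in a year
    loss_cost: float           # potential loss if it occurs, incl. recovery costs


@dataclass
class Control:
    name: str
    annual_cost: float         # cost of the mitigating action per year
    mitigates: str             # the threat this control acts on
    residual_factor: float     # fraction of the likelihood that remains once applied


# Constructed sample inputs (not real assessment data).
RISKS = [
    Risk("customer database", "ransomware", 0.10, 500_000),
    Risk("payroll system", "ransomware", 0.10, 200_000),
    Risk("public web server", "defacement", 0.30, 20_000),
]

CONTROLS = [
    Control("Offline backups", 15_000, "ransomware", residual_factor=0.4),
    Control("Web application firewall", 8_000, "defacement", residual_factor=0.25),
    Control("Endpoint detection and response", 60_000, "ransomware", residual_factor=0.2),
]

# Assumed thresholds for reading a currency figure qualitatively (illustrative only).
QUALITATIVE_BANDS = ((10_000, "low"), (100_000, "medium"))


def expected_loss(risk: Risk) -> float:
    """Annualized expected loss: likelihood of the event times cost of the loss."""
    return risk.annual_likelihood * risk.loss_cost


def loss_avoided(control: Control, risks: list[Risk]) -> float:
    """Expected loss removed per year by applying the control to every
    risk whose threat it mitigates."""
    return sum(
        expected_loss(r) * (1.0 - control.residual_factor)
        for r in risks
        if r.threat == control.mitigates
    )


def net_benefit(control: Control, risks: list[Risk]) -> float:
    """Loss avoided minus the control's own cost; positive means the
    control pays for itself on these figures."""
    return loss_avoided(control, risks) - control.annual_cost


def rank_controls(controls: list[Control], risks: list[Risk]) -> list[tuple[str, float]]:
    """Controls ordered from best to worst net benefit."""
    scored = [(c.name, net_benefit(c, risks)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def qualitative_band(value: float) -> str:
    """Map a currency figure onto a low/medium/high label so that a number
    whose scale is hard to interpret can still be reported qualitatively."""
    for upper, label in QUALITATIVE_BANDS:
        if value < upper:
            return label
    return "high"


if __name__ == "__main__":
    for r in RISKS:
        el = expected_loss(r)
        print(f"{r.asset:20} {r.threat:12} expected loss {el:>10,.0f}  ({qualitative_band(el)})")
    for name, benefit in rank_controls(CONTROLS, RISKS):
        print(f"{name:32} net benefit {benefit:>10,.0f}")
```

On the constructed figures, offline backups are the only control whose avoided loss exceeds its cost; the endpoint control removes more expected loss in absolute terms but costs more than it saves, which is exactly the kind of trade-off the cost-benefit comparison is meant to expose.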
The major advantage of a quantitative impact analysis is that it provides a measurement of the impacts’ magnitude, which can be used in the cost-benefit analysis of recommended controls. The disadvantage is that, depending on the numerical ranges used to express the measurement, the meaning of the quantitative impact analysis may be unclear, requiring the result to be interpreted in a qualitative manner. Additional factors often must be considered to determine the magnitude of impact. These may include, but are not limited to: