Identify the mechanisms that address the recognized risks and measure their strength. Based on this assessment, consider each risk in terms of its likelihood and significance, and the present risk level that results.
Risk analysis is the process of identifying and analyzing the threats to individuals, organizations and government agencies posed by potential natural or human-caused adverse events. A risk analysis helps integrate the security program with the company's goals and requirements. It also helps the company assign a suitable budget to an effective security program and its components. Once a company understands the value of its assets and the threats they are likely to be exposed to, it can make sound decisions about the amount of effort …
An important question is the cost the company might incur if it does not protect the asset.
Identify vulnerabilities and threats
Once the assets have been identified and their values assigned, all possible vulnerabilities and threats have to be identified for each of them. The security team should identify the vulnerabilities that could affect the confidentiality, integrity or availability requirements. All of the information obtained needs to be documented so that the required countermeasures can be applied.
Since there may be a large number of vulnerabilities and associated threats that could affect the assets, it is also important to categorize them properly. The main objective is to find out which vulnerabilities and threats could cause the most damage, so that the critical items can be dealt with first.
Measuring the likelihood and impact of the potential threats on the business
To evaluate the possible losses caused by threats, the following questions need to be …
The goal of this step is to produce a list of system weaknesses that could be exploited, drawing on security testing of the system, audit comments and the security requirements. Each weakness, matched with the threat source that could exploit it, forms a threat/vulnerability pair.
Control Analysis
For every threat/vulnerability pair, identify all existing and planned controls that reduce the likelihood of the threat exploiting the vulnerability. Security controls include both technical and non-technical measures. Technical controls are safeguards incorporated into computer hardware, software and firmware. Non-technical controls, on the other hand, are management and operational controls, for instance operating procedures, security policies and physical and environmental security.
Likelihood
Likelihood expresses the probability that a given vulnerability may be exercised within the associated threat environment, taking into account the threat source's motivation and capability, the nature of the vulnerability, and the existence and effectiveness of current controls. It is typically rated as very likely, probable or improbable.
Impact