Risk analysis can be broken down into two broad methods: qualitative and quantitative. The qualitative method is designed to raise awareness of potential problems and to help in analyzing those risks.
Quantitative risk analysis is designed so that security measures can be implemented within a defined cost envelope. A third method, the hybrid method, is also used; it borrows characteristics from both the quantitative and qualitative methods. Of the three approaches, qualitative analysis is the simplest to use and is therefore used most often.
Qualitative analysis is useful because it lets one quickly identify potential risks, along with the assets and resources that are vulnerable to them. It not only shows the safeguards that are already in place, but also those that could be useful if implemented.
The goal of qualitative risk analysis is to reach an acceptable level of risk protection and to increase awareness among the relevant members of the organization. This analysis usually relies on fairly basic calculations, and it is often not necessary to know the value of every asset in question.
Quantitative analysis does many of the same things as qualitative analysis, but it can also identify the cost envelopes within which both safeguards and losses fall. It is based on a highly subjective process, and its metrics demand a high level of effort.
At the same time, quantitative analysis can present data in a management-friendly form, expressed as values, percentages and probabilities. Having covered the two primary tools used for risk analysis, the next step is to learn a little about the methodology associated with them.
Risk Analysis Methodology
One piece of methodology you will want to become familiar with is the scope statement. The scope statement defines what must be evaluated and states the form of risk analysis that will be performed. It must also describe the results that are expected.
The next piece of methodology to learn is asset pricing. The information system is defined by the scope statement and then split into components that can be priced. While you have the option of splitting the system into smaller pieces, some say it is easier to take apart the entire unit and keep only the components that are tangible.
Tangible components tend to be the easiest to price. One good example is the telecommunications tools the organization uses, both internal and external. Any device used for communication purposes belongs in this category.
Examples of such devices include modems, routers and telephones, as well as intercom or PA systems. After communication tools have been considered, the next item to take into account is software. This includes any type of software that must be programmed; operating systems should be the first thing to come to mind.
Additional Considerations
Once you have accounted for software and software applications, you will next need to consider the physical equipment. Physical equipment includes items such as monitors, computers and computer terminals.
Any object used to display information must be considered. Printers belong on this list, along with disk drives and memory cards. Power supplies should be factored in as well. Any system designed to hold data, such as error logs, usage logs or scheduling information, must also be factored into the analysis.
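The following is an added example, not code from the original article, that ties together the two passages above: the asset-pricing inventory (communication tools, software, physical equipment and data-holding systems) and the earlier contrast between a qualitative rating, which needs no asset values, and a quantitative calculation, which yields values, percentages and probabilities and a cost envelope for safeguards. The quantitative part uses the standard single loss expectancy (SLE), exposure factor (EF) and annualized loss expectancy (ALE) terms, which the article does not name and are assumed here; all asset prices, probabilities and safeguard costs are constructed sample values.

```python
from dataclasses import dataclass
from collections import defaultdict

# Asset categories follow the article's pricing walk-through.
CATEGORIES = ("communications", "software", "physical", "data_store")


@dataclass
class Asset:
    name: str
    category: str
    value: float  # replacement cost in currency units (constructed)


# Constructed inventory; prices are illustrative, not real figures.
INVENTORY = [
    Asset("edge router", "communications", 2500.0),
    Asset("PBX / PA system", "communications", 8000.0),
    Asset("OS licences", "software", 1200.0),
    Asset("workstations and monitors", "physical", 15000.0),
    Asset("printer", "physical", 900.0),
    Asset("log server (error/usage logs)", "data_store", 6000.0),
]


def price_inventory(assets):
    """Total the tangible assets per category, as the article's
    asset-pricing step requires (all values are constructed)."""
    totals = defaultdict(float)
    for a in assets:
        if a.category not in CATEGORIES:
            raise ValueError(f"unknown category: {a.category}")
        totals[a.category] += a.value
    return dict(totals)


def qualitative_rating(likelihood: int, impact: int) -> str:
    """Qualitative method: a basic likelihood x impact score on a 1-5
    scale; note that no asset value is needed (thresholds are assumed)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of value lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x annualized rate of occurrence (expected events per year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_net_benefit(ale_before: float, ale_after: float,
                          annual_safeguard_cost: float) -> float:
    """Quantitative cost envelope: the yearly loss avoided by a safeguard
    minus what the safeguard costs per year. Positive means the safeguard
    pays for itself; negative means it exceeds the envelope."""
    return (ale_before - ale_after) - annual_safeguard_cost


def log_server_scenario():
    """Constructed worked case: the log server from the inventory, a loss
    event that destroys half its value once every five years, and an
    offsite-backup safeguard that cuts the exposure factor to 10%."""
    asset = next(a for a in INVENTORY if a.category == "data_store")
    ale_before = annualized_loss_expectancy(
        single_loss_expectancy(asset.value, 0.5), 0.2)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset.value, 0.1), 0.2)
    backup_cost_per_year = 200.0
    return {
        "qualitative": qualitative_rating(likelihood=2, impact=4),
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_benefit": safeguard_net_benefit(ale_before, ale_after,
                                             backup_cost_per_year),
    }


if __name__ == "__main__":
    print(price_inventory(INVENTORY))
    print(log_server_scenario())
```

The qualitative path returns a coarse label from two small integers and never touches the pricing data, which is why it is the quicker of the two; the quantitative path needs every asset priced first and then yields figures management can compare directly against a safeguard's yearly cost.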