Wait a second!
More handpicked essays just for you.
Don’t take our word for it - see why 10 million students trust us with their essay needs.
Qualitative Methods Of Risk Analysis
982 Words2 Pages
Recommended: Risk management steps
4.1. Methods There exist many qualitative methods of risk analysis. One of the main risk that will be discussed in this paper is NIST methodology. This methodology is mainly intended to be qualitative and is established by experienced security analysts working with system owners and technical experts to fully identify, evaluate and manage risk in IT systems. The NIST methodology consists of 9 steps: Step 1: System Characterization - organization assets of software, hardware, and data information will be collected as an initial stage. Step 2: Threat Identification - threats identified by analyzing the history of system attack. Step 3: Vulnerability Identification - list of all Weaknesses in the system that can be exploited by threats. Step 4: …show more content…
- this method give more accurate image of the risk. • Disadvantages - Results of analysis may not be precise and even confusing - Analysis using quantitative methods is usually more expensive, needs greater experience and advanced tools 6 5.1. Methods Quantitative assessment of IT risk is often represented as a value of expected losses which is based on definition of three basic volumes : Resource value (e.g information) for correct functioning of enterprise , defined in amounts Frequency of threat for resources ( e.g processed information) , defined as a number of occurrence Weakness of IT system on (or its element) threat, defined as probability mea- surement of loss occurrence as a result of event occurrence. Mathematically, quantitative risk can be expressed as Annualized Loss Ex- pectancy (ALE) ALE = SLE x ARO SLE (Single Loss Expectancy) is the value of a single loss of the asset. This may or may not be the entire asset. This is the impact of the loss. ARO (Annualized Rate of Occurrence) is how often the loss occurs. This is the …show more content…
8 Two of the reasons claimed for this are The difficulties in identifying and as- signing a value to assets. The lack of statistical information that would make it possible to determine frequency. As a result, most of the risk assessment tools that are used today for information systems are measurements of qualitative risk. 8. Conclusion In summary, successful and effective risk management is the basis of success- ful and effective IT security. Due to the reality of limited resources and nearly unlimited threats, a reasonable decision must be made concerning the allocation of resources to protect systems. Risk management practices allow the organi- zation to protect information and business process corresponding with their value. To ensure the maximum value of risk management, it must be consistent and repeatable, while focusing on measurable reductions in risk. Establishing and utilizing an effective, high quality risk management process will lead to an effective risk handling in the