ABSTRACT
At this point in the assessment process, values for the parameters required to estimate security risk have been determined. Conditional security risk is estimated in this text. Conditional risk is estimated by calculating the likelihood of system failure (1 – PE), where PE is likelihood of protection system effectiveness, and the associated consequences assuming that the event occurs. The likelihood of the initiating event is not estimated, but the level of the threat environment is discussed as the potential for the initiating event. The assessed level of threat environment provides information for decision makers to determine whether the threat environment level is high enough to invest resources in a full security risk assessment for a particular threat. The assessed level of threat environment is not included in the equation for security risk. As discussed earlier, conditional security risk is expressed as follows:
R = (1.0 – PE) * C (7.1)
The Risk Evaluation and System Design Process is presented again in Figure 7.1 with the Estimate Security Risk step highlighted to demonstrate the tasks that have been completed to this point in the process and the steps that remain to be performed.
