ABSTRACT

Risk analysis is the process by which organizations determine how best to protect their assets. The risk analysis process includes developing a comprehensive understanding of the organization’s critical assets, the criticality of those assets, the consequences of the potential loss of those assets, and the potential risks faced by those assets. Risks consist of a threat actor with the intent to harm and the capabilities to carry out that intent (a threat), together with vulnerabilities. Risks vary in seriousness by the degree of likelihood that the threat may be carried out and the consequences to the organization of the loss of the asset. Likelihood depends on the determination and capabilities of the threat actor and on the vulnerabilities in the assets that the threat actor could exploit. Risk therefore includes threat, likelihood, vulnerability, and consequences. Many risk formulas combine threat and likelihood into a single variable (threat). Many risk formulas consider threat (including likelihood) and vulnerabilities and then prioritize the risk results by the consequences of the event.