ABSTRACT

The security control vulnerabilities that tend to influence the threat frequency variable are typically different from those that influence the expected impact variable. The security risk analysis depends on all of the previous data gathering stages to supply the information required to analyze the security risk to the organization. The security risk analysis phase consists of techniques and approaches for determining individual and overall security risk levels. This chapter discusses how to analyze the data gathered in those stages using the RIIOT framework to determine and measure the extent of the vulnerabilities in the security controls. When the security risk assessment team performs a security risk assessment method that relies on qualitative data, the team will need to estimate those values using qualitative techniques such as ranking, scoring, and lookup tables. Qualitative security risk equation variables are sometimes expressed as numbers; however, these numbers should not be treated in the same manner as the numbers used in quantitative analysis.