Risk assessment. Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called hazard).
Quantitative risk assessment requires calculating two components of risk (R): the magnitude of the potential loss (L), and the probability (p) that the loss will occur. Acceptable risk is a risk that is understood and tolerated, usually because the cost or difficulty of implementing an effective countermeasure for the associated vulnerability exceeds the expectation of loss. In all types of engineering of complex systems, sophisticated risk assessments are often made within safety engineering and reliability engineering when threats to life, the environment or machine functioning are concerned.
Risk identification. Risk should be objectively identified.
This implies establishing timing and scope in such a way that best supports the decision situation which triggered this SRA (security risk assessment). We must also capture the most important risk components and successfully construct the combinations which constitute the most relevant risks within scope. Objectivity in risk identification requires complete knowledge of our system as well as of existing threat sources and vulnerabilities, plus unlimited creativity and a total lack of bias.
Risk description. Risk quantification. Risk should be objectively quantified.
A quantified risk level guides decision makers in prioritizing how to spend wisely when treating risks. If applied information security is to be realized cost-effectively, the risk level is our tool.
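The following is an added worked example, not part of the original text: it expresses the two components above as code, computes the quantitative risk level R = p × L (the expected loss over the assessment period) for a small constructed inventory of risks, ranks them so the largest expected loss is treated first, and applies the acceptable-risk rule from the text (a risk is tolerated when the countermeasure costs more than the expected loss). The risk names, loss figures, probabilities and countermeasure costs are constructed sample values for illustration; the function names are my own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One identified risk with the two quantitative components from the text."""
    name: str
    loss: float                 # L: magnitude of the potential loss (currency units per occurrence)
    probability: float          # p: probability the loss occurs within the assessment period (0..1)
    countermeasure_cost: float  # cost of an effective countermeasure over the same period

    def expected_loss(self) -> float:
        """Quantitative risk level R = p * L, i.e. the expectation of loss per period."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"probability for {self.name!r} must be in [0, 1]")
        if self.loss < 0 or self.countermeasure_cost < 0:
            raise ValueError(f"loss and countermeasure cost for {self.name!r} must be non-negative")
        return self.probability * self.loss

    def is_acceptable(self) -> bool:
        """Acceptable risk: the countermeasure costs more than the loss it would avert."""
        return self.countermeasure_cost > self.expected_loss()


def rank_risks(risks):
    """Order risks by expected loss, highest first, to prioritise treatment spend."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def treatment_plan(risks):
    """Return (name, R, decision) per risk in priority order.

    'treat' means the countermeasure is worth buying; 'accept' means the risk
    is tolerated because treating it would cost more than the expected loss.
    """
    plan = []
    for risk in rank_risks(risks):
        decision = "accept" if risk.is_acceptable() else "treat"
        plan.append((risk.name, risk.expected_loss(), decision))
    return plan


# Constructed sample inventory (illustrative numbers, not from any real assessment).
SAMPLE_RISKS = [
    Risk("Unpatched web server compromised", loss=200_000, probability=0.25, countermeasure_cost=20_000),
    Risk("Laptop theft (disk already encrypted)", loss=5_000, probability=0.10, countermeasure_cost=8_000),
    Risk("Data centre flood", loss=1_000_000, probability=0.002, countermeasure_cost=150_000),
    Risk("Credential loss via phishing", loss=40_000, probability=0.60, countermeasure_cost=12_000),
]


if __name__ == "__main__":
    for name, r, decision in treatment_plan(SAMPLE_RISKS):
        print(f"{r:>10,.0f}  {decision:<6}  {name}")
```

The ranking is what a decision maker acts on: the two risks at the top carry an expected loss well above the price of their countermeasure and are treated, while the flood and the laptop theft, despite the large headline loss of the former, fall below their countermeasure cost and are accepted. Changing a probability estimate moves a risk across that line, which is why the text insists on objective quantification.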