Risk Management

Read this page and watch the video to learn more about the purpose of risk management and the four stages of the risk management process. Before you move on, make sure you have a good understanding of the formulas, and that you are able to use the formulas on this page to calculate single loss expectancy (SLE), annual rate of occurrence (ARO), and annual loss expectancy (ALE).

Instruction

Qualitative Risk Analysis

A qualitative risk analysis evaluates the impact or effect of threats on the business process or the goals of the organization and has the following characteristics:

  • Scenario oriented

  • A carefully reasoned risk assessment is performed

A qualitative analysis is much more subjective than a quantitative one. Members of the risk assessment team judge the overall security risk to each asset. Asset value is still used, along with threat frequency, impact, and safeguard effectiveness, but all of these elements are rated in subjective terms such as high, low, or not likely rather than in currency or counts.

Although the variables in a qualitative security risk equation may be written as numbers, those numbers are ordinal: they record only that High > Medium > Low. There is no metric that defines the distance between categories, so a Medium risk is not "twice" a Low one, nor "half" a High one; only the ordering of the ranks carries meaning, not the ratios between them.

Tables are used as the "formula" for determining qualitative security risks, as shown in Figure 11.

Figure 11 – Qualitative risk analysis matrix


The team then defines each of the qualitative values for probability and impact. Each cell in the table is the product of the probability rank and the impact rank, which is then mapped back to a qualitative rating (for example, Low, Medium, or High). Because the ranks are ordinal, that product is only a key for sorting risks against one another, not a measurement: changing the numbers assigned to Low, Medium, and High while keeping their order can change which risks come out ahead, so the team should agree on the encoding and thresholds before scoring. Read the article, Qualitative Risk Analysis and Assessment, for more information.
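The following worked example is added here to illustrate the matrix "formula" described above; it is not code from the course page or from the linked article. It assumes a 3x3 matrix with the ordinal levels Low < Medium < High on both axes, the rank encoding Low=1, Medium=2, High=3, the rating thresholds in `rate()`, and a constructed sample risk register. The last function goes beyond the page's single matrix to show why multiplying ordinal ranks is only a sorting key: two encodings that preserve the same ordering disagree on whether a High-probability/Low-impact risk outranks a Medium/Medium one.

```python
"""Qualitative risk matrix: ordinal ranks, probability x impact, and the ordinal caveat.

Added illustration. Assumptions not stated on the page: a 3x3 matrix, the
rank encoding Low=1 / Medium=2 / High=3, the thresholds in rate(), and the
constructed sample risks below.
"""
from itertools import product

LEVELS = ("Low", "Medium", "High")                       # ordinal: only the order is meaningful
RANK = {name: i + 1 for i, name in enumerate(LEVELS)}    # assumed encoding: Low=1, Medium=2, High=3


def score(probability: str, impact: str, encoding=RANK) -> int:
    """Matrix cell value: rank(probability) * rank(impact), as the page describes."""
    return encoding[probability] * encoding[impact]


def rate(cell: int) -> str:
    """Map a cell value back to a qualitative rating (thresholds are an assumption)."""
    if cell >= 6:
        return "High"
    if cell >= 3:
        return "Medium"
    return "Low"


def build_matrix(encoding=RANK):
    """Return {(probability, impact): (cell_value, rating)} for every combination."""
    return {(p, i): (score(p, i, encoding), rate(score(p, i, encoding)))
            for p, i in product(LEVELS, repeat=2)}


def rank_risks(risks, encoding=RANK):
    """Order (name, probability, impact) tuples from highest to lowest cell value.

    sorted() is stable, so risks with equal cell values keep their input order.
    """
    return sorted(risks, key=lambda r: score(r[1], r[2], encoding), reverse=True)


# Constructed sample register (illustrative entries, not real findings).
SAMPLE_RISKS = [
    ("Unpatched internet-facing web server", "High", "High"),
    ("Lost unencrypted laptop", "Medium", "Medium"),
    ("Phishing click on low-privilege account", "High", "Low"),
    ("Data-centre flood", "Low", "High"),
]


def ordinal_caveat():
    """Show that the product of ordinal ranks is a sorting key, not a measurement.

    Both encodings keep Low < Medium < High, yet they disagree on whether a
    High-probability/Low-impact risk outranks a Medium/Medium risk.
    Returns (True, False): the ordering flips with the arbitrary numbers chosen.
    """
    enc_a = {"Low": 1, "Medium": 2, "High": 5}   # H*L = 5 > M*M = 4
    enc_b = {"Low": 1, "Medium": 3, "High": 5}   # H*L = 5 < M*M = 9
    hl_a, mm_a = score("High", "Low", enc_a), score("Medium", "Medium", enc_a)
    hl_b, mm_b = score("High", "Low", enc_b), score("Medium", "Medium", enc_b)
    return (hl_a > mm_a, hl_b > mm_b)


if __name__ == "__main__":
    for (p, i), (cell, rating) in sorted(build_matrix().items()):
        print(f"P={p:<6} I={i:<6} -> {cell} ({rating})")
    print()
    for name, p, i in rank_risks(SAMPLE_RISKS):
        print(f"{score(p, i)}  {rate(score(p, i)):<6} {name}")
    print("H/L outranks M/M under encoding A, B:", ordinal_caveat())
```

Running the script prints the nine matrix cells, then the sample register sorted by cell value, then `(True, False)` from `ordinal_caveat()`. The flip in that last result is the practical reason to fix the encoding and thresholds up front and to treat ties (here the phishing and flood entries both score 3) as a prompt for team judgment rather than as a numerically settled ranking.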