CISSP Certification

CISSP certification: Risk Analysis terms.

Qualitative vs. Quantitative Risk Analysis.

  • For any risk analysis we first need to identify our assets. What are we protecting?
    • Qualitative Risk Analysis – How likely is it to happen and how bad is it if it happens? This is vague, a guess or a feeling, and relatively quick to do. Most often done to know where to focus the Quantitative Risk Analysis.
    • Quantitative Risk Analysis – What will it actually cost us in $? This is fact-based analysis using the total $ value of the asset; math is involved.
      • Threat – A potentially harmful incident (tsunami, earthquake, virus, …).
      • Vulnerability – A weakness that allows the Threat to do harm: having a data center in the tsunami flood area, a building that is not earthquake resistant, not applying patches and anti-virus, …
      • Risk = Threat x Vulnerability.
      • Impact – Can at times be added to give a fuller picture: Risk = Threat x Vulnerability x Impact (how bad is it?).
      • Total Risk = Threat x Vulnerability x Asset Value.
      • Residual Risk = Total Risk – Countermeasures.
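The formulas above as an added worked example (not part of the original notes): a quick qualitative pass ranks a constructed risk register to decide where to focus, then the quantitative formulas from the page give Total Risk and Residual Risk in $. The 1-3 scoring scale, the focus threshold and every value in the register are assumptions.

```python
from dataclasses import dataclass

# Assumed qualitative scale: 1 = low, 3 = high, so likelihood x severity is 1..9.
# Entries scoring at or above this get the (more expensive) quantitative analysis.
QUALITATIVE_THRESHOLD = 6


@dataclass
class RiskEntry:
    asset: str
    threat_name: str
    likelihood: int          # qualitative: how likely is it to happen? (1-3)
    severity: int            # qualitative: how bad is it if it happens? (1-3)
    threat: float            # quantitative: yearly probability the threat occurs (0-1)
    vulnerability: float     # quantitative: probability the threat does harm (0-1)
    asset_value: float       # quantitative: total $ value of the asset
    countermeasures: float   # quantitative: $ of loss the controls remove


def qualitative_score(e: RiskEntry) -> int:
    """Qualitative risk: likelihood x severity, a rough ranking only."""
    return e.likelihood * e.severity


def risk(e: RiskEntry) -> float:
    """Risk = Threat x Vulnerability (probability of a loss event)."""
    return e.threat * e.vulnerability


def total_risk(e: RiskEntry) -> float:
    """Total Risk = Threat x Vulnerability x Asset Value ($ expected loss)."""
    return risk(e) * e.asset_value


def residual_risk(e: RiskEntry) -> float:
    """Residual Risk = Total Risk - Countermeasures (floored at zero)."""
    return max(total_risk(e) - e.countermeasures, 0.0)


def focus_list(register, threshold=QUALITATIVE_THRESHOLD):
    """Qualitative pass: highest-scoring entries first, below-threshold ones dropped."""
    ranked = sorted(register, key=qualitative_score, reverse=True)
    return [e for e in ranked if qualitative_score(e) >= threshold]


# Constructed register; values are illustrative, not real figures.
REGISTER = [
    RiskEntry("Data center", "Tsunami flood", 2, 3, 0.05, 0.8, 2_000_000, 50_000),
    RiskEntry("File server", "Virus", 3, 2, 0.9, 0.3, 200_000, 40_000),
    RiskEntry("Printer", "Earthquake", 1, 1, 0.01, 0.5, 2_000, 0),
]

if __name__ == "__main__":
    for e in focus_list(REGISTER):
        print(f"{e.asset}: total ${total_risk(e):,.0f}, residual ${residual_risk(e):,.0f}")
```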
