Professional Documents
Culture Documents
of Qualitative
Risk Assessment
Introduction
Using the different risk assessment techniques, we will be better able to reinforce the process used
when performing a risk assessment. There is a logical progression of activities that we will identify
through the use of these risk assessment examples.
During this chapter we will examine four different risk analysis processes:
Hazard impact analysis
Threat analysis
Questionnaires
Single-time loss algorithm
Once the threats have been identified and all of the terms defined, the team will examine each threat
using the worksheet shown in Figure 5.1.
In column 1 the team will enter the types of threats:
Fire
Flood
Tornado
Virus
Fraud
Electrical outage
Bomb threat
Figure 5.2 Hazard Impact Analysis Worksheet with probability and impact totals.
Paralysis by Analysis
The process of risk assessment can become bogged down by the inclusion of too much detail. Often,
the risk assessment process bogs down because the team deviates from the standard risk assessment
methodology and attempts to work the process before the preliminary steps are complete.
Questionnaires
Questionnaires can be developed to meet a specific resources requirement or can be used to review a
broader area. An important key to developing an effective risk assessment questionnaire is to remember
the audience. The language used in the questionnaires must be scaled to meet the requirements of the
intended audience. Also, the number of questions must be limited. Typically, a series of 20 questions
per topic should be the limit.
Summary
Questionnaires are used prior to when a risk assessment is scheduled. This allows the facilitator to get
an overview of the level of controls currently in place. The questionnaire is also used when assessment
resources are limited and a facilitator is not available. This process, coupled with a prescreening
methodology, can help an organization when resources are stretched.
FRAAP Overview
The Facilitated Risk Analysis and Assessment Process (FRAAP) has been developed as an efficient and
disciplined process for ensuring that information security-related risks to business operations are
considered and documented. The process involves analyzing one system, application, platform, business
process, or segment of business operation at a time. The FRAAP sessions follow a standard agenda and
are facilitated by a member of the project office or information security staff.
The FRAAP is divided into three phases: pre-FRAAP, FRAAP session, and post-FRAAP. During the FRAAP
session, the team will brainstorm to identify potential threats to the integrity, confidentiality, and
availability of information resources.
When assembling the team, it is the experience that allows the members to believe that additional
efforts to develop precisely quantified risks are not cost-effective because:
Such estimates take an inordinate amount of time and effort to identify and verify or develop.
The risk documentation becomes too voluminous to be practical.
Specific loss estimates are generally not needed to determine if a control is needed.
After identifying the threats and establishing the relative risk level for each threat, the team identifies
controls that could be implemented to reduce the risk, focusing on the most cost-effective controls.
The teams conclusions as to what threats exist, what their risk levels are, and what controls are needed
are documented for the business owner to use in developing an action plan to implement necessary
controls.
Once the FRAAP session is complete, the security professional can assist the business owner in
determining which controls are cost-effective and meet business needs.
Each risk analysis process is divided into three distinct sessions:
The pre-FRAAP meeting normally takes about an hour and includes the business owner, project
leader, scribe, and facilitator.
The FRAAP session takes approximately four hours and includes 15 to 30 people, though
sessions with as many as 50 and as few as 4 people have occurred.
Post-FRAAP is where the results are analyzed and the management summary report is
completed. This process can take up to five workdays to complete.
Facilitation Skills