
What is risk analysis in information security?


Risk analysis is the review of the risks related to a specific action or event. It is applied to information technology, projects, security issues and other events whose risks can be analysed on a quantitative or a qualitative basis.

The steps followed in a risk analysis process are as follows −

  • Establish the Risk Assessment Team − The risk assessment team is responsible for collecting and analysing the data and reporting the assessment results to management. It is essential that the main aspects of the organisation's work flow are represented on the team, such as human resources, administrative processes, automated systems, and physical security.

  • Set the Scope of the Project − At the outset, the assessment team should define the goals of the assessment, the project, department, or functional areas to be assessed, the responsibilities of the members of the team, the personnel to be interviewed, the standards to be used, the documentation to be inspected and the operations to be checked.

  • Identify Assets Covered by the Assessment − Assets can include, but are not limited to, personnel, hardware, software, data (including its classification by sensitivity and criticality), facilities and the current controls that secure those assets. It is essential to identify all assets related to the assessment project defined in the scope.

  • Categorize Potential Losses − This step identifies the losses that can result from some type of damage to an asset. Losses can result from physical damage, denial of service, alteration, unauthorized access or disclosure. Losses can also be intangible, including the loss of the organization's credibility.

  • Identify Threats and Vulnerabilities − A threat is an event, procedure, activity, or process that exploits a vulnerability to attack an asset. Threats include natural threats, accidental threats, human accidental threats, and human malicious threats. Examples are power failure, biological contamination or hazardous chemical spills, acts of nature, hardware/software failure, data deletion or loss of integrity, sabotage, theft or vandalism.

    A vulnerability is a weakness which a threat can exploit to attack an asset. Vulnerabilities are identified by covering the following areas in the data collection process: physical security, environment, system security, communications security, personnel security, plans, policies, processes, management, support, etc.

  • Identify Existing Controls − Controls are safeguards that decrease the probability that a threat will successfully exploit a vulnerability to attack an asset. This step identifies the safeguards that are currently in place and determines their effectiveness in the context of the current analysis.

  • Analyze the Data − In this step, all the collected data is used to determine the actual risks to the assets under consideration. One method of analysing the data is to prepare a register of assets that lists, for each asset, the corresponding threats, the type of loss and the vulnerability. The analysis of this data should include an assessment of the likely frequency of the potential loss.
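The following is an added worked example, not code from the original article, showing how the steps above can be carried through on a quantitative basis: an asset register where each entry records the asset, threat, vulnerability, type of loss and existing controls, followed by an analysis that weights each potential loss by its expected frequency. The register entries, asset values, exposure factors, incident rates and control effectiveness figures are all constructed sample data; the annualized loss expectancy (ALE = single loss expectancy × annual rate of occurrence) and the qualitative High/Medium/Low thresholds are standard risk-analysis conventions chosen for illustration and are not taken from the article.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    """An existing safeguard and the fraction by which it reduces the
    likelihood that the threat succeeds (0.0 = useless, 1.0 = perfect)."""
    name: str
    likelihood_reduction: float


@dataclass
class RiskEntry:
    """One row of the asset register built in the 'Analyze the Data' step."""
    asset: str
    asset_value: float        # monetary value of the asset (constructed)
    threat: str
    vulnerability: str
    loss_type: str            # physical damage, denial of service, alteration, disclosure...
    exposure_factor: float    # fraction of the asset value lost in one incident (0..1)
    annual_rate: float        # expected incidents per year with no controls (ARO)
    controls: list = field(default_factory=list)

    def single_loss_expectancy(self) -> float:
        # SLE: how much one occurrence of the loss costs.
        return self.asset_value * self.exposure_factor

    def residual_annual_rate(self) -> float:
        # Frequency of the potential loss after the existing controls are applied.
        rate = self.annual_rate
        for control in self.controls:
            rate *= 1.0 - control.likelihood_reduction
        return rate

    def annual_loss_expectancy(self) -> float:
        # ALE = SLE x residual ARO: the expected loss per year.
        return self.single_loss_expectancy() * self.residual_annual_rate()


def qualitative_level(ale: float) -> str:
    """Map the quantitative figure onto a qualitative scale (thresholds are assumed)."""
    if ale >= 15_000:
        return "High"
    if ale >= 5_000:
        return "Medium"
    return "Low"


def build_register() -> list:
    """Constructed sample register covering the loss types named in the article."""
    return [
        RiskEntry("Customer database server", 500_000, "Power failure",
                  "No uninterruptible power supply", "denial of service",
                  exposure_factor=0.05, annual_rate=2.0,
                  controls=[Control("Backup generator", 0.5)]),
        RiskEntry("Customer database", 500_000, "Unauthorized access",
                  "Weak password policy", "disclosure",
                  exposure_factor=0.4, annual_rate=0.5,
                  controls=[Control("Multi-factor authentication", 0.8)]),
        RiskEntry("Office workstations", 40_000, "Theft",
                  "No physical access control", "physical damage",
                  exposure_factor=0.25, annual_rate=1.0),
    ]


def analyze(register: list) -> list:
    """Return the register as analysed rows, highest annual loss expectancy first."""
    rows = []
    for entry in register:
        ale = entry.annual_loss_expectancy()
        rows.append({
            "asset": entry.asset,
            "threat": entry.threat,
            "vulnerability": entry.vulnerability,
            "loss_type": entry.loss_type,
            "controls": [c.name for c in entry.controls],
            "sle": round(entry.single_loss_expectancy(), 2),
            "frequency_per_year": round(entry.residual_annual_rate(), 3),
            "ale": round(ale, 2),
            "level": qualitative_level(ale),
        })
    return sorted(rows, key=lambda row: row["ale"], reverse=True)


if __name__ == "__main__":
    for row in analyze(build_register()):
        print(f'{row["level"]:6} ALE={row["ale"]:>10,.2f}  {row["asset"]} / '
              f'{row["threat"]} ({row["loss_type"]}), controls={row["controls"]}')
```

Ranking by ALE turns the register into a prioritised list for management: the entry with the largest asset value is not automatically the top risk, because the existing controls and the expected frequency of the loss are part of the calculation, which is exactly why the article's process identifies controls and assesses frequency before reaching conclusions.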