CISSP® Official Study Guide, Eighth Edition
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Qualitative Risk Analysis
Qualitative risk analysis is more scenario based than it is calculator based. Rather than assigning exact dollar figures to possible losses, you rank threats on a scale to evaluate their risks, costs, and effects. Since a purely quantitative risk assessment is not possible, balancing the results of a quantitative analysis with qualitative judgment is essential. The method of combining quantitative and qualitative analysis into a final assessment of organizational risk is known as hybrid assessment or hybrid analysis. The process of performing qualitative risk analysis involves judgment, intuition, and experience. You can use many techniques to perform qualitative risk analysis:

Brainstorming
Delphi technique
Storyboarding
Focus groups
Surveys
Questionnaires
Checklists
One-on-one meetings
Interviews
Determining which mechanism to employ is based on the culture of the organization 
and the types of risks and assets involved. It is common for several methods to be employed 
simultaneously and their results compared and contrasted in the final risk analysis report to 
upper management.
Scenarios
The basic process for all these mechanisms involves the creation of scenarios. A scenario is a written description of a single major threat. The description focuses on how a threat would be instigated and what effects its occurrence could have on the organization, the IT infrastructure, and specific assets. Generally, the scenarios are limited to one page of text to keep them manageable. For each scenario, one or more safeguards are described that would completely or partially protect against the major threat discussed in the scenario. The analysis participants then assign to the scenario a threat level, a loss potential, and the advantages of each safeguard. These assignments can be grossly simple—such as High, Medium, and Low or a basic number scale of 1 to 10—or they can be detailed essay responses. The responses from all participants are then compiled into a single report that
is presented to upper management. For examples of reference ratings and levels, please see Table 3-6 and Table 3-7 in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30:
http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
The usefulness and validity of a qualitative risk analysis improves as the number and diversity 
of the participants in the evaluation increases. Whenever possible, include one or more people 
from each level of the organizational hierarchy, from upper management to end user. It is also 
important to include a cross section from each major department, division, office, or branch.
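The compilation step described above, as an added example that is not part of the study guide: several participants rate each one-page scenario on a High/Medium/Low scale for threat level (likelihood) and loss potential (impact), plus the benefit of each proposed safeguard, and the script reduces those ratings to one row per scenario for the report to upper management. The scale labels, the 3×3 risk matrix, the median-based consensus rule and the sample ratings are constructed assumptions for illustration; the matrix is not the NIST SP 800-30 table the text points to, and an organization would substitute its own agreed scales.

```python
"""Compile qualitative scenario ratings from several participants into one report.

Constructed example for illustration. The level labels, the risk matrix and
the sample scenarios below are assumptions, not material from the study guide.
"""
from collections import Counter
from dataclasses import dataclass, field
from statistics import median

# Ordinal values behind the High/Medium/Low labels. Working on ordinals lets
# ratings be aggregated without pretending they are dollar figures.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
LABELS = {v: k for k, v in LEVELS.items()}

# Constructed 3x3 risk matrix keyed by (likelihood, impact) ordinals.
RISK_MATRIX = {
    (1, 1): "Low",    (1, 2): "Low",    (1, 3): "Medium",
    (2, 1): "Low",    (2, 2): "Medium", (2, 3): "High",
    (3, 1): "Medium", (3, 2): "High",   (3, 3): "High",
}


@dataclass
class Rating:
    participant: str
    likelihood: str   # threat level: how likely the scenario is to be instigated
    impact: str       # loss potential for the organization if it occurs
    safeguards: dict  # safeguard name -> perceived benefit (Low/Medium/High)


@dataclass
class Scenario:
    title: str
    description: str  # the one-page narrative, abbreviated here
    ratings: list = field(default_factory=list)


def validate(label):
    """Reject anything outside the agreed scale so typos do not skew the report."""
    if label not in LEVELS:
        raise ValueError(f"unknown rating {label!r}; expected one of {sorted(LEVELS)}")
    return LEVELS[label]


def consensus(labels):
    """Median of the ordinal values, rounded to the nearest level.

    The median resists a single outlier participant; a tie between two levels
    rounds up, so the more conservative (higher) rating wins.
    """
    values = [validate(label) for label in labels]
    return LABELS[int(median(values) + 0.5)]


def disagreement(labels):
    """Number of distinct levels chosen; more than one flags the scenario for discussion."""
    return len(set(labels))


def assess(scenario):
    """Reduce one scenario's ratings to a single report row."""
    likelihoods = [r.likelihood for r in scenario.ratings]
    impacts = [r.impact for r in scenario.ratings]
    likelihood = consensus(likelihoods)
    impact = consensus(impacts)
    # Rank safeguards by the summed ordinal benefit across participants.
    votes = Counter()
    for r in scenario.ratings:
        for name, benefit in r.safeguards.items():
            votes[name] += validate(benefit)
    return {
        "scenario": scenario.title,
        "likelihood": likelihood,
        "impact": impact,
        "risk": RISK_MATRIX[(LEVELS[likelihood], LEVELS[impact])],
        "needs_discussion": disagreement(likelihoods) > 1 or disagreement(impacts) > 1,
        "safeguards": [name for name, _ in votes.most_common()],
    }


def build_report(scenarios):
    """One row per scenario, highest consensus risk first for upper management."""
    rows = [assess(s) for s in scenarios]
    rows.sort(key=lambda row: LEVELS[row["risk"]], reverse=True)
    return rows


# Constructed sample input: two scenarios rated by three participants drawn
# from different levels of the organization, as the text recommends.
SAMPLE = [
    Scenario("Ransomware outbreak",
             "A workstation infection spreads and encrypts the file servers.",
             [Rating("CISO", "High", "High", {"Email filtering": "High", "Offline backups": "High"}),
              Rating("Help desk", "Medium", "High", {"Email filtering": "Medium", "Offline backups": "High"}),
              Rating("Finance", "High", "Medium", {"Email filtering": "High", "Offline backups": "High"})]),
    Scenario("Data center flood",
             "A burst pipe floods the server room; hardware is unavailable for a week.",
             [Rating("CISO", "Low", "High", {"Raised flooring": "Medium", "Hot site": "High"}),
              Rating("Facilities", "Low", "Medium", {"Raised flooring": "Low", "Hot site": "High"}),
              Rating("Finance", "Low", "High", {"Raised flooring": "Medium", "Hot site": "High"})]),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE):
        flag = " (participants disagree; discuss)" if row["needs_discussion"] else ""
        print(f"{row['scenario']}: likelihood {row['likelihood']}, impact {row['impact']}, "
              f"risk {row['risk']}{flag}; safeguards by benefit: {', '.join(row['safeguards'])}")
```

The `needs_discussion` flag is the part a practitioner tends to want: where participants from different levels of the hierarchy disagree on a rating, the report should say so rather than silently averaging the disagreement away, because that spread is often the most informative finding of a qualitative exercise.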