The first big step in a risk analysis is scoping. Each part of the analysis process builds on the one before it, so if you get scoping wrong, the rest of your analysis is on shaky ground at best. Remember, scoping is where you clearly:
This may not come as a shock, but a big part of what a risk analyst does is analyzing the issues an organization is concerned might occur.
The analysis part of the job spans an entire process, but a critical early step is identifying the issues that are actually worth conducting a risk analysis on.
I just wrapped an engagement helping a really great customer identify their top ten risks. Talk about commitment: They organized a book club where members of Information Security, Privacy and Audit were actively studying the FAIR book, Measuring and Managing Information Risk.
At the last club meeting, somebody said “I love the FAIR model and risk quantification. But how do I apply this to the risks that face me and my department?”
Part of being a FAIR analyst involves frequently coming across other “risk analysts” and cynics at conferences, in forums or in casual conversation who believe risk quantification is simply not possible.