You may remember the management adage that says "You can't manage what you don't measure". I will happily add a sibling: "You can't measure what you haven't defined."
When it comes to risk analysis, getting off on the right foot is foundational. Very often, when we see individuals struggling with risk analysis, our first instinct is to review their scoping.
1. Start with defining the asset(s). This means we need to start by thinking, "What are the assets we should be worried about being affected and/or harmed?" This may be data, systems, a business process or even people.
2. The next step is simply identifying the probable threat(s) we are worried about affecting and/or harming the asset(s). Notice that I used the word "probable" and not "possible" - you should strive to keep the analysis discrete. It will make your work more efficient and the results clearer.
3. The final step is to clarify how those threats affect the asset(s) - the Open FAIR standard refers to this as the threat effect. With IT risk analysis, and often operational risk analysis, the C-I-A triad (Confidentiality, Integrity, and Availability) is very useful here.
With those three key steps defined, we have completed scoping. I will, however, leave you with one final tip, a test of sorts: "What does the loss event look like?"
Can you answer this question concisely and with complete clarity?
- If you can, then you clearly know what event you're assessing.
- If you cannot, it's likely you will struggle to measure the probable frequency and probable magnitude of loss.
This topic and others are concepts that we not only cover but practice in FAIR analyst training.