Risk Assessment is the determination of a quantitative or qualitative estimate of risk related to a concrete situation and a recognized threat (also called a hazard).

Quantitative risk assessment requires calculating the two components of risk (R):

  • the magnitude of the potential loss (L), elsewhere also called the Impact
  • the probability (p) that the loss will occur, elsewhere also called the Likelihood

Risk Assessment is calculating the chance that Attackers might succeed, so you know how much effort to spend defending against them. There may be many different ways that you might lose control of, or access to, your data, but some of them are less likely than others. Risk Assessment means deciding which Attacks you are going to take seriously, and which may be too rare, too harmless, or too difficult to combat to be worth worrying about (the notion of Acceptable risk).
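As an added example (not part of the original page), the two components above combined into a small ranking that applies the acceptable-risk decision from the paragraph on which Attacks to take seriously. The mitigation-cost comparison used for "too difficult to combat", and the sample threat figures, are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    loss: float             # L: magnitude of the potential loss (Impact), in currency units
    probability: float      # p: chance the loss occurs in the assessment period (Likelihood)
    mitigation_cost: float  # assumption of this example: cost of defending against the threat


def risk(t: Threat) -> float:
    """Quantitative risk R = p * L, i.e. the expected loss for the period."""
    if not 0.0 <= t.probability <= 1.0:
        raise ValueError(f"{t.name}: probability must be in [0, 1]")
    return t.probability * t.loss


def assess(threats, acceptable_risk: float):
    """Rank threats by R and decide which ones to defend against.

    A threat is accepted (not worth worrying about) when its expected loss is
    below the acceptable-risk threshold (too rare or too harmless), or when
    defending costs more than the loss it would avert (too difficult to
    combat). The cost comparison is an assumption of this example.
    """
    ranked = sorted(threats, key=risk, reverse=True)
    decisions = []
    for t in ranked:
        r = risk(t)
        if r < acceptable_risk:
            verdict = "accept: below acceptable risk"
        elif t.mitigation_cost > r:
            verdict = "accept: mitigation costs more than expected loss"
        else:
            verdict = "mitigate"
        decisions.append((t.name, r, verdict))
    return decisions


# Constructed sample threats: illustrative figures, not from any real assessment.
SAMPLE_THREATS = [
    Threat("phishing of an admin account", loss=200_000, probability=0.30, mitigation_cost=15_000),
    Threat("lost unencrypted laptop", loss=50_000, probability=0.10, mitigation_cost=2_000),
    Threat("defacement of marketing site", loss=8_000, probability=0.50, mitigation_cost=20_000),
    Threat("datacentre meteor strike", loss=5_000_000, probability=0.000001, mitigation_cost=3_000_000),
]

if __name__ == "__main__":
    for name, r, verdict in assess(SAMPLE_THREATS, acceptable_risk=1_000):
        print(f"{name:<32} R={r:>12,.2f}  {verdict}")
```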

Within the context of Information security there are two types of risk that companies face:

  • Real Risk
  • Regulatory Risk

Of course these may overlap, and any given risk may be both a Real Risk and a Regulatory Risk.

Threat Model

Risk Assessment is performed by creating a Threat Model.

