risk analysis [English]
n. ~ A process of identifying potential risks.
NIST considers risk analysis and risk assessment as synonymous. However, some distinguish the two, the latter focusing on the relative likelihood and impact of risks.
- ISO 73, 2009 (†456 §3.6.1): 3.6.1 risk analysis ~ process to comprehend the nature of risk (1.1) and to determine the level of risk (3.6.1.8) ¶Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.7.1) and decisions about risk treatment (3.8.1). ¶Note 2 to entry: Risk analysis includes risk estimation.
- RFC 4949 (†591 s.v. "risk analysis"): (I) An assessment process that systematically (a) identifies valuable system resources and threats to those resources, (b) quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence, and (c) (optionally) recommends how to allocate available resources to countermeasures so as to minimize total exposure. (See: risk management, business-case analysis. Compare: threat analysis.)
- CNSS-4009 (†730 p.61): Examination of information to identify the risk to an information system. (†1745)
- Law 2011 (†581 s.v. risk analysis): The identification of risks to which an organization is exposed and the assessment of the potential impact of those risks on the organization. The goal of risk analysis is to identify and measure the risks associated with different courses of action in order to inform the decision making process. In the context of business decision making, risk analysis is especially used in investment decisions and capital investment appraisal. Techniques used in risk analysis include sensitivity analysis, probability analysis, simulation, and modeling. Risk analysis may be used to develop an organizational risk profile, and also may be the first stage in a risk management program. (†1121)
- RFC 4949 (†591 s.v. "risk analysis"): Tutorial: Usually, it is financially and technically infeasible to avoid or transfer all risks (see: "first corollary" of "second law" under "Courtney's laws"), and some residual risks will remain, even after all available countermeasures have been deployed (see: "second corollary" of "second law" under "Courtney's laws"). Thus, a risk analysis typically lists risks in order of cost and criticality, thereby determining where countermeasures should be applied first. [FP031, R2196] ¶ In some contexts, it is infeasible or inadvisable to attempt a complete or quantitative risk analysis because needed data, time, and expertise are not available. Instead, basic answers to questions about threats and risks may be already built into institutional security policies. For example, U.S. DoD policies for data confidentiality "do not explicitly itemize the range of expected threats" but instead "reflect an operational approach ... by stating the particular management controls that must be used to achieve [confidentiality] ... Thus, they avoid listing threats, which would represent a severe risk in itself, and avoid the risk of poor security design implicit in taking a fresh approach to each new problem". [NRC91] (†1356)
- Wikipedia (†387 s.v. asset (computer security)): When performing risk analysis it is important to weigh how much to spend protecting each asset against the cost of losing the asset. It is also important to take into account the chance of each loss occurring. Intangible costs must also be factored in. If a hacker makes a copy of all a company's credit card numbers it does not cost them anything directly but the loss in fines and reputation can be enormous. (†1239)
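Added illustration, not part of this glossary or of any cited source, of the RFC 4949 steps (a)-(c) above and of the Wikipedia note on weighing protection cost against loss, including intangible loss. The risk register, countermeasures and every figure are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    threat: str
    annual_frequency: float   # estimated occurrences per year
    direct_cost: float        # direct loss per occurrence
    intangible_cost: float    # fines / reputation loss per occurrence

    def exposure(self) -> float:
        """Annual loss exposure: estimated frequency x cost of occurrence (step b)."""
        return self.annual_frequency * (self.direct_cost + self.intangible_cost)

@dataclass
class Countermeasure:
    name: str
    risk_index: int              # index into the risk register
    annual_cost: float
    frequency_reduction: float   # fraction of occurrences prevented, 0..1

# Constructed sample register (step a): assets, threats, estimates.
RISKS = [
    Risk("card database", "exfiltration", 0.05, 0.0, 4_000_000.0),   # no direct cost, huge intangible
    Risk("web storefront", "outage", 2.0, 25_000.0, 5_000.0),
    Risk("laptops", "theft", 3.0, 2_000.0, 500.0),
]
COUNTERMEASURES = [
    Countermeasure("tokenize card data", 0, 80_000.0, 0.9),
    Countermeasure("DDoS protection", 1, 20_000.0, 0.5),
    Countermeasure("full-disk encryption", 2, 10_000.0, 0.95),  # costs more than the loss it avoids
]

def rank_risks(risks):
    """Tutorial point: list risks by exposure, highest first, to decide where to act first."""
    return sorted(risks, key=lambda r: r.exposure(), reverse=True)

def allocate(risks, countermeasures, budget):
    """Step (c): greedily fund countermeasures by exposure avoided per unit cost.
    A countermeasure is skipped when it exceeds the budget or costs more than it avoids
    (the Wikipedia point: never spend more protecting an asset than losing it costs).
    Returns (names funded, total residual exposure)."""
    residual = [r.exposure() for r in risks]
    ranked = sorted(countermeasures,
                    key=lambda c: residual[c.risk_index] * c.frequency_reduction / c.annual_cost,
                    reverse=True)
    chosen, remaining = [], budget
    for c in ranked:
        avoided = residual[c.risk_index] * c.frequency_reduction
        if c.annual_cost > remaining or c.annual_cost > avoided:
            continue
        chosen.append(c.name)
        remaining -= c.annual_cost
        residual[c.risk_index] -= avoided
    return chosen, sum(residual)
```

Running `allocate(RISKS, COUNTERMEASURES, 100_000.0)` funds tokenization and DDoS protection and leaves 57,500 of residual exposure; full-disk encryption stays unfunded at any budget because its 10,000 cost exceeds the 7,125 it would avoid.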