Chapter 6. Synthetic Evaluation of Risks
‘What is required of an officer is a certain power of discrimination, which only knowledge of men and things and good judgement can give. The law of probability must be his guide.’
--Carl von Clausewitz
Discovering and evaluating vulnerabilities and gaps without a thorough analysis of the risks they introduce is as good as doing recon without using its results. In fact, for the risk analysis phase, all previous security audit stages are nothing more than the necessary reconnaissance. One of the fundamental principles of Chapter 1 states that ‘information security assessment always operates with probabilities’. Gauging these probabilities is a fine science and art that has to be fully mastered by at least ...