The reader is referred to Section 3.2.2. In this appendix, we present an approach for the selection of a risk analysis method based on three aspects: expected consequences, uncertainties and frame conditions. A scheme for ICT-related problems is used to illustrate the approach.
We refer to Table C.1. The expected consequences are expressed as the product of the probability that an event will occur (in this case, a fault in the ICT system) and the expected consequences should such an event occur. The top rows in the table give the expected consequences for the different consequence categories (attributes). The expected consequences, given failure, are addressed on two levels: expected effect on society and expected effect on the business. The bottom rows show the probabilities for various types of failures. Both probability and expected value are classified in broad categories: low, moderate and high, suitably defined. The italicised text shows the results from the analysis.
Table C.1 Classification based on expected consequences—example from a water supply operation (Wiencke et al. 2006)
|Failure of the ICT system (with respect to availability, confidentiality or integrity)|Score 1|Score 2|Score 3|
|---|---|---|---|
|Expected consequences of failure||||
|Expected effect on society||||
|Expected effect on safety for personnel|Low|Medium|High|
|Expected health effect|Low|Medium|High|
|Expected effect on environment ...|