8.2. Risk Analysis
Good, effective security planning includes a careful risk analysis. A risk is a potential problem that the system or its users may experience. We distinguish a risk from other project events by looking for three things, as suggested by Rook [ROO93]:
A loss associated with an event. The event must generate a negative effect: compromised security, lost time, diminished quality, lost money, lost control, lost understanding, and so on. This loss is called the risk impact.
The likelihood that the event will occur. There is a probability of occurrence associated with each risk, measured from 0 (impossible) to 1 (certain). When the risk probability is 1, we say we have a problem.
The degree to which we can change the outcome. We ...
Get Security in Computing, Third Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.