Risk-Analysis
This is an excerpt from the paper...
5003 - Chapter 7 Vulnerability Identity and Assessment

Beginning with a definition of vulnerability as "any weakness that can be exploited by an adversary to gain access to an asset" (Roper, 1999, p. 63), this chapter goes into detail on the part of the risk-analysis process that deals with how to identify vulnerabilities and link them to assets held by an organization, how to analyze current organizational stance with respect to protecting the asset, and how to evaluate each asset with reference to its specific vulnerability, with a view toward deciding on what additional risk-management actions can be taken to implement appropriate protections. Risk management in general is all about assessment and evaluation, and a realistic picture of vulnerabilities is essential because exploitation of assets = exploitation of the organization's operational and security features. That in turn has implications for personnel who are onsite. It is also important to analyze vulnerabilities from the adversary's point of view, as if by thinking like an adversary one can better gauge the proper adversarial response. A good deal of attention has to be given to facilities, or physical plant, and the weaknesses of access present there, as well as to the effectiveness of existing measures to prevent unwarranted access. Roper cites five specific areas of concern with regard to the physical plant: building characteristics, equipment properties, personnel behavior, locations of people, equipment, a
. . .
iple weaknesses, is not difficult to exploit, and is not currently protected by multiple layers of countermeasures. That is, existing countermeasures are basically not in place.
In making the risk assessment, the key factor of analysis comes down to probabilities: "The likelihood that a targeted vulnerability will be successfully exploited is a function of the number and effectiveness of the security countermeasures put into place" (p. 69). In other words, not only is a material response to the assessment important, but a realistic, or "in-depth," knowledge of how the asset is currently being protected is essential.
All of these elements of analysis must be applied to the categories of critical assets identified early in the text: people, activities, information, facilities, and equipment, and the kinds of threats that might be mounted against them. For example, there would be threats of physical assault against people and threats of theft of equipment and information. All of this information should be documented on a chart/matrix designed for the purpose, with a record being made of the vulnerabilities connected with each potential threat. The main thought to be taken away from this chapter is that threats or "undesirable event
. . .
Approximate Word count = 1804
Approximate Pages = 7 (250 words per page)