A risk assessment, which is really a tool for risk management, is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls.After a risk assessment is carried out, the results are analyzed. Risk analysis is used to ensure that security is cost effective, relevant, timely, and responsive to threats.
A risk analysis has four main goals:
-
Identify assets and their value to the organization.
-
Identify vulnerabilities and threats.
-
Quantify the probability and business impact of these potential threats.
-
Provide an economic balance between the impact of the threat and the cost of the countermeasure.
Risk analysis provides a cost/benefit comparison, which compares the annualized cost of controls to the potential cost of loss.
剩余内容请看本人公众号debugeeker, 链接为CISSP考试指南笔记:1.13 风险评估和分析