Based on the Read items thus far, what does risk mean? Briefly describe the difference between quantitative and qualitative risk analysis. Should risk be based on a true comprehensive risk assessment, or should risk be based on worst-case scenarios? Why? Finally, explain the difference between levels of analysis regarding assets or the portfolio or system-level assessment.
Here is the first peer to respond back to, Lindsay:

Risk is the measure of the possibility that harm will befall a critical asset by a threat successfully targeting and exploiting a vulnerability, thereby resulting in adverse consequences (Bennett, 2018). The three basic components of risk include a threat to an asset, or the likelihood that there is a threat; a vulnerability of that asset, or the likelihood that the asset will be damaged; and a consequence of an attack on that asset, or the magnitude of the damage from the attack (Bennett, 2018; Liberty University, 2022). Generally, the value of the asset, such as the products or services it provides, and the likelihood of an attack should also be included in the calculation for risk, as should any mitigation techniques being employed (Bennett, 2018). Additionally, there are different categories or types of risk. Inherent risk is the risk to an asset that has had no risk reduction efforts applied. Operational risk is the loss that comes from bad policies, systems, or procedures, criminal activity, or human error. Pure risk, also called absolute risk, is when threats are beyond human control and will inevitably result in loss. Residual risk is what remains after protective measures have been put into place. Risk avoidance is the choice to not become involved in risk by eliminating elements that can have negative effects. Tolerable risk is the level of risk that is acceptable based on the values of the society and the cost of eliminating the remaining risk.

Qualitative and Quantitative Risk Analysis

Risk analysis evaluates the effectiveness of an asset's security against a threat by using specific scenarios with the goal of understanding the negative consequences the adverse event would have on the asset (Bennett, 2018). This continuous process provides potential threat strategies, an assessment of the current risk to an asset, countermeasure options, an evaluation of system effectiveness, and the cost of options.
Often, risk analysis is both quantitative and qualitative. Quantitative risk analysis involves calculating a numerical value, which can be weighted, for the consequences and the likelihood of a risk to estimate its magnitude in a formal and specialized way within a risk matrix. This type of analysis is more objective when ranking risks and prioritizing countermeasures and can be used in a cost-benefit analysis. Even so, the meaning of the analysis can be unclear, requiring qualitative methodologies to interpret the findings; personal values and preferences may lead to variations; failures in an organization are ignored; and if weighting is not included, unequal events may be seen as equal. Qualitative risk analysis is much more widely used and often uses a matrix with a scaled and descriptive table for likelihood and consequences. These tables consider people, assets, damage to the environment, financial aspects, interruption of the business or service, and the reputation of the corporation. This type of analysis is better for providing relative prioritization of specific risks while also immediately identifying areas for improvement. Even so, it does not provide specific and quantifiable measurements of the impact's magnitude, so conducting a cost-benefit analysis is much more difficult.

Comprehensive Risk Assessment or Worst-Case Scenarios

While worst-case scenarios are useful in determining ratings for a prioritization matrix, and there may be a time and place for worst-case analysis, in general, risk should be based on a true comprehensive risk assessment (Bennett, 2018). The definition of risk itself suggests that the likelihood of an attack is an important part of calculating risk, which would be discounted by always assuming the worst-case scenario.
As a hyperbolic example, a power plant in a small town is unlikely to be attacked by a terrorist organization using a nuclear device, so this worst-case scenario may not be as helpful as examining a true comprehensive risk assessment. Additionally, the U.S. Department of Homeland Security (2011) suggests that resiliency is a result of comprehensive and deliberate risk management that anticipates, communicates, and prepares for both internal and external hazards. By employing a comprehensive approach, decisions are better informed, and risks can be viewed for their cumulative effects. Because of this, effective risk management relies on a comprehensive analysis of the risks, costs, benefits, and feasibility of protecting an asset (Bennett, 2018).

Portfolio-Level and Asset-Level Analysis

There are various levels at which risk assessments can be performed, including portfolio-level analysis, also known as system-level analysis, and asset-level analysis (Ayyub, 2007). Portfolio-level analysis is a comprehensive type of analysis that involves viewing a collection of linked assets as a whole (Liberty University, 2022). This type of analysis finds the best way to reduce the overall risk by analyzing all of the assets within the area and prioritizing them. Physical, geographic, cyber, and logical interdependencies between all of the assets within the portfolio must also be considered due to their potential to cause cascading consequences if a hazard event were to occur (Ayyub, 2007). Asset-level analysis, as the name suggests, focuses on a single asset, and is often used for mission-critical assets (Liberty University, 2022). This type of analysis generally does not include the method of the threat and is less detail-oriented than a scenario-based approach. Even so, asset-level analysis considers the consequences of the asset's disruption, its vulnerabilities, and its attractiveness (Ayyub, 2007).
Often, this type of analysis is used for analyzing the risk to a person, such as the President of the United States (Liberty University, 2022).

Christian Worldview

Planning is an important part of any endeavor, and determining risk is an important part of protecting any critical asset. Without proper planning, an unfavorable event could be much worse. As Proverbs 21:5 states, "The plans of the diligent lead to profit as surely as haste leads to poverty" (New International Bible, 1978/2011). Careful planning and taking the time to conduct a risk assessment will help to protect an asset from any adverse events that may occur. Alternatively, failing to conduct these kinds of assessments can lead to catastrophic outcomes.

References

Ayyub, B. M., McGill, W. L., & Kaminskiy, M. (2007). Critical asset and portfolio risk analysis: An all-hazards framework. Risk Analysis, 27(4), 789-801. https://doi.org/10.1111/j.1539-6924.2007.00911.x
Bennett, B. T. (2018). Understanding, assessing, and responding to terrorism: Protecting critical infrastructure and personnel (2nd ed.). John Wiley & Sons.
Liberty University. (2022). HLSC 720: Critical infrastructure: Vulnerability analysis and protection. Week two, lecture one: Risk & threat assessment. https://canvas.liberty.edu/courses/343709/pages/watch-risk-and-threat-assessment?module_item_id=36065905
New International Bible. (2011). Zondervan. (Original work published 1978)
U.S. Department of Homeland Security. (2011). Risk management fundamentals: Homeland security risk management doctrine. https://www.dhs.gov/sites/default/
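As an added illustration of the points in Lindsay's post (not code from the post, the course, or Bennett's text), the following Python block scores a constructed asset inventory three ways: quantitatively as likelihood x vulnerability x consequence with an optional consequence weight (showing how unweighted scoring lets unequal events tie), qualitatively with descriptive likelihood and consequence bands on a 5x5 matrix, and at portfolio level by cascading consequences through asset interdependencies. All asset names, values, and band thresholds are constructed for the example.

```python
# Constructed inventory: annual likelihood of a successful threat, vulnerability
# (0-1), consequence in $M of loss, and which assets fail if this one is disrupted.
ASSETS = {
    "substation":   {"likelihood": 0.10, "vulnerability": 0.6, "consequence": 4.0,
                     "feeds": ["water_plant", "data_center"]},
    "water_plant":  {"likelihood": 0.05, "vulnerability": 0.4, "consequence": 12.0, "feeds": []},
    "data_center":  {"likelihood": 0.30, "vulnerability": 0.5, "consequence": 6.0, "feeds": []},
    "admin_office": {"likelihood": 0.30, "vulnerability": 0.5, "consequence": 0.5, "feeds": []},
}

# Descriptive scale tables (constructed): (upper bound, band 1..5). Bands run
# "rare" to "almost certain" for likelihood, "negligible" to "catastrophic" for consequence.
LIKELIHOOD_BANDS = [(0.02, 1), (0.08, 2), (0.20, 3), (0.50, 4), (1.01, 5)]
CONSEQUENCE_BANDS = [(0.5, 1), (2.0, 2), (5.0, 3), (10.0, 4), (float("inf"), 5)]

def band(value, table):
    return next(b for upper, b in table if value < upper)

def qualitative_rating(asset):
    """5x5 matrix: likelihood band x consequence band, mapped to a rating label."""
    score = band(asset["likelihood"], LIKELIHOOD_BANDS) * band(asset["consequence"], CONSEQUENCE_BANDS)
    return "Low" if score <= 4 else "Medium" if score <= 9 else "High" if score <= 15 else "Extreme"

def quantitative_risk(likelihood, vulnerability, consequence, consequence_weight=1.0):
    """R = T x V x C. A weight > 1 on C makes high-consequence events dominate;
    without it, two events with the same product rank equal even when they differ."""
    return likelihood * vulnerability * consequence ** consequence_weight

def portfolio_consequence(name, seen=None):
    """Portfolio-level consequence: own loss plus every asset that fails downstream."""
    seen = set() if seen is None else seen
    if name in seen:  # guard against circular interdependencies
        return 0.0
    seen.add(name)
    asset = ASSETS[name]
    return asset["consequence"] + sum(portfolio_consequence(d, seen) for d in asset["feeds"])

def ranked(level="asset", consequence_weight=1.0):
    """Assets sorted by quantitative risk, using own or cascaded consequence."""
    rows = []
    for name, a in ASSETS.items():
        c = a["consequence"] if level == "asset" else portfolio_consequence(name)
        rows.append((name, round(quantitative_risk(a["likelihood"], a["vulnerability"], c, consequence_weight), 4)))
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

At asset level the substation and water plant tie at 0.24 until a consequence weight separates them, and at portfolio level the substation moves to the top because its failure cascades into both dependents.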
Here is Kristopher to respond back to:

Based on the Read items thus far, what does risk mean? Briefly describe the difference between quantitative and qualitative risk analysis. Should risk be based on a true comprehensive risk assessment, or should risk be based on worst-case scenarios? Why? Finally, explain the difference between levels of analysis regarding assets or the portfolio or system-level assessment.

According to the assigned textbook for the class by Bennett (2018), risk is composed of three components: there must be a threat, there must be a vulnerability to the threat, and there must be a negative impact if the threat becomes real. Therefore, risk is defined as some form of exposure to danger or the threat of danger to either a person or thing. To explain and categorize risk, methods of research and analysis are used. Qualitative and quantitative risk analysis are two of the ways in which risk can be analyzed. Quantitative risk analysis involves utilizing numeric calculations and estimates to better pinpoint a specific area of concern. Goerlandt et al. (2018) state that quantitative risk analysis is widely used in various industries and provides the primary benefits of detailed information, improved decision-making, and an objective assessment. Bennett (2018) further adds that quantitative evaluations can give an actual magnitude measurement to help with cost-benefit analysis. Qualitative risk analysis is a way of using probability to measure something that cannot be measured numerically (Yoe, 2019). Much like the social sciences are designed to use qualitative data to interpret data based upon interviews, qualitative risk analysis uses a subjective-based approach. In risk analysis, Bennett (2018) argues the benefit of qualitative risk analysis is that it provides a relative prioritization of specific risks. However, because it allows for detailed threat analysis, qualitative risk analysis cannot quantify the magnitude of a threat (Bennett, 2018).
Basing risk assessment on worst-case scenarios is advantageous because the extremes are studied and then prepared for. For example, if a power plant decides that a worst-case scenario is a complete failure of all systems and would require weeks to fix, then planning can be conducted to mitigate acts that could cause a complete failure. However, in preparing for the worst, sometimes smaller, more practical threats can be overlooked, such as spyware, malware, etc. A comprehensive threat assessment is very time-consuming and tedious but offers a detailed analysis of various forms and different severity levels of threats. While a worst-case scenario does offer a quick explanation of preparing for the worst, a comprehensive risk assessment is more practical in critical infrastructures that are hard targets. Soft targets may be able to get away with worst-case scenarios depending on how much of a cascading effect an event may have. In the Learn material assigned for the class is a video titled "Watch: Risk and Threat Assessment" (Liberty University, 2022) that describes portfolio analysis as a way to look at the entire system as a whole. That is, portfolio analysis looks at a collection of assets that are somehow linked together and examines threats and the possibility of damage. Asset-level analysis looks at the individual assets within a system, such as gates, cameras, door badging systems, and more (Liberty University, 2022). These assets are analyzed on a more individual level to see how the integration works in the overall threat analysis picture. "For you were called to freedom, brothers. Only do not use your freedom as an opportunity for the flesh, but through love serve one another" (Galatians 5:13, The Holy Bible, English Standard Version).

References

Bennett, B. T. (2018). Understanding, assessing, and responding to terrorism: Protecting critical infrastructure and personnel. John Wiley & Sons.
Goerlandt, F., Khakzad, N., & Reniers, G. (2017). Validity and validation of safety-related quantitative risk analysis: A review. Safety Science, 99, 127-139.
Liberty University. (2022). Watch: Risk & Threat Assessment. Week 2 Read Material.
The Holy Bible, English Standard Version: Containing the Old and New Testament. (2021).
Yoe, C. (2019). Principles of risk analysis