--Originally published at (Not so) Random talk
Imagine you own a very important company, constantly attacked, or at risk of attack, by spies. You are vulnerable, you are at risk. But what can you do now? You might start to panic, thinking nothing can save you.
Ah, but there is something you could do. No, don’t look at us with those big, hopeful eyes.
We don’t have the magic solution to your problem. But we can tell you about something you could do: maybe not a way to stop those spies, but the first step that comes before that. They are called Risk Assessment Methodologies.
Risk assessment is about finding out exactly where the risks are (for example, your vault code), which of those risks matter most, and how to make them smaller. After doing a risk assessment, you and your personnel will know which actions to take to reduce risk, or which risky habits to stop (like stop leaving
There are two types of risk assessment: quantitative and qualitative. As the names suggest, the quantitative one uses very rigorous metrics to assess risks; it puts great effort into determining asset values and risk mitigation, but the calculations can be complex and time consuming, and they require a lot of preliminary work. The qualitative one is much simpler in its calculations: it does not even quantify threat frequency, and the value of the assets is not necessarily monetary. On the other hand, as the name suggests, it is subjective, it depends on the expertise of the assessment team, and it gives no basis for a cost/benefit analysis of risk mitigation.
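To make that contrast concrete, here is an added example in Python (not from the original post). The quantitative side uses the standard annualized loss expectancy formula (asset value × exposure factor × yearly threat frequency, which the post itself does not spell out) to put a money figure on a safeguard; the qualitative side only orders risks on ordinal scales. All asset values, frequencies and risk names are constructed illustration values.

```python
# Constructed sample: one asset (the vault code), one threat (spies),
# one candidate safeguard. Every figure below is a made-up illustration value.
VAULT_VALUE = 1_000_000      # asset value, in currency units
EXPOSURE_FACTOR = 0.5        # fraction of the asset lost per successful attack
ATTACKS_PER_YEAR = 0.2       # threat frequency: one success every five years
RESIDUAL_FREQUENCY = 0.02    # threat frequency once the safeguard is in place
SAFEGUARD_COST = 40_000      # yearly cost of the safeguard (e.g. rotating the code)


def annual_loss_expectancy(asset_value, exposure_factor, frequency):
    """Quantitative core: single-loss expectancy times yearly threat frequency."""
    return asset_value * exposure_factor * frequency


def quantitative_cost_benefit(asset_value, exposure_factor,
                              freq_before, freq_after, safeguard_cost):
    """Net yearly benefit of a safeguard: loss avoided minus what it costs.
    A positive result justifies the spend. This is the cost/benefit basis
    that the qualitative method cannot provide."""
    before = annual_loss_expectancy(asset_value, exposure_factor, freq_before)
    after = annual_loss_expectancy(asset_value, exposure_factor, freq_after)
    return before - after - safeguard_cost


# Qualitative core: ordinal words instead of money and frequencies.
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}


def qualitative_ranking(risks):
    """risks: {name: (likelihood word, impact word)} -> names, highest risk first.
    The score is likelihood x impact on a 1..9 scale: it orders the risks,
    but says nothing about how much a mitigation is worth in money."""
    scored = {name: LIKELIHOOD[lik] * IMPACT[imp] for name, (lik, imp) in risks.items()}
    return sorted(scored, key=lambda name: scored[name], reverse=True)


SAMPLE_RISKS = {                       # constructed qualitative input
    "vault code leaked": ("possible", "severe"),
    "theft from the lobby": ("likely", "minor"),
    "insider copies a ledger": ("rare", "moderate"),
}

if __name__ == "__main__":
    print("Quantitative: net yearly benefit of the safeguard =",
          quantitative_cost_benefit(VAULT_VALUE, EXPOSURE_FACTOR,
                                    ATTACKS_PER_YEAR, RESIDUAL_FREQUENCY, SAFEGUARD_COST))
    print("Qualitative: risks ranked =", qualitative_ranking(SAMPLE_RISKS))
```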
Now that we know what risk assessment is, let’s look at the methodologies:
Your company (the one attacked by spies) actually manages lots of money, information and valuables from very important and influential people