Tutorial 1: Risk analysis -- Main challenges and how they can be handled

Presented at ESSoS 2014 by

The tutorial consists of two main parts. The first part gives a general introduction to risk management, risk analysis and security risk analysis as described in ISO 31000 and ISO 27005. We present the overall risk management process and the main activities and steps within a commercial risk analysis: target description, asset identification, risk identification, risk estimation, risk evaluation and risk treatment. A risk analysis involves many steps and activities, some of which are more challenging than others. The second part of the tutorial addresses some of the most challenging of these steps and activities, including the selection of the scales used to measure risk, the measurement of risk value, the aggregation of risk, the evolution of risk over time, and risk with very low likelihood. We carefully characterize each challenge and provide advice on how it can be handled.