Qualitative Risk Analysis
This is by far the most widely used approach to risk analysis. Probability data is not required and only estimated potential loss is used.
Most qualitative risk analysis methodologies make use of a number of interrelated elements:
Threats
These are things that can go wrong or that can ‘attack’ the system. Examples might include fire or fraud. Threats are ever present for every system.
Vulnerabilities
These make a system more prone to attack by a threat or make an attack more likely to have some success or impact. For example, for fire a vulnerability would be the presence of inflammable materials (e.g. paper).
Controls
These are the countermeasures for vulnerabilities. There are four types:
Deterrent controls reduce the likelihood of a deliberate attack.
Preventative controls protect vulnerabilities and make an attack unsuccessful or reduce its impact.
Corrective controls reduce the effect of an attack.
Detective controls discover attacks and trigger preventative or corrective controls.