Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Management
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: risk assessment - Likelihood determination

from [Ryan Chow] Network Security [Permanent Link]
Subject: Re: risk assessment - Likelihood determination
Date: Thu, 22 Dec 2005 17:09:05 +0800 
AS/NZ 4360 Deals with Risk Management and provides guidance on the
likelihood of occurence for risks.

My suggestion to you is to adopt one of the Standards (ISO) and use it for
consistency across the organisation that you are conducting the risk
assessment for.  This should in theory mean that when it comes to the
likelihood at least that a comparison can be made given the common
definitions.

As an aside I feel that sometimes there are too many i.e

Insignificant
Negligible
Unlikely
Possible
Likely
Almost Certain
Certain

Too many and it becomes a problem especially for risks that are not expected
to occur much or even at all.

regards,

Ryan.

On 15 Dec 2005 17:54:01 -0000, laptop32901@yahoo.com <laptop32901@yahoo.com>
wrote:


hello all,

Do any of you have any links (URLs) you can suggest for risk assessment
methodologies or frameworks that provide specific guidance and examples on
how to estimate the "likelihood of occurrence" of risks?

I am familiar with NIST SP 800-30, and I am aware of 800-30's definitions
of high, medium, and low.  I am looking for more detailed guidance and
examples, if any exist.

I am also aware of the MS Security Risk Mgmt guide, Chapter 4, which says
a high probability risk is one expected to occur within one year.  Has
anyone seen similar or different definitions from other sources?
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  ICT general risks, security
Next by Date:  Re: risk assessment - Likelihood determination, juanmjr
Previous by Thread:  risk assessment - Likelihood determination, laptop32901
Next by Thread:  Re: risk assessment - Likelihood determination, juanmjr
Indexes:  [Date] [Thread] [Top] [All Lists]