Security Plan Guidance:
Appendix I: Risk Assessment Methods
There are several methods for determining risk. Any recordable method will do, as long as the entity determines risk as the intersection between threat, likelihood, and consequence. The National Academies of Science describes different methods of risk analysis as being on a spectrum, like those in the following table. More qualitative methods are on the left while quantitative, data-reliant methods are toward the right.
For example, the square risk map is a qualitative analysis method that relies on a common sense understanding of the combination of threat and vulnerability with the consequence of such an incident occurring.
Figure 2. Square Risk Maps assess risk by comparing the threat and vulnerability of a situation to the consequence. The risk is assessed as Low, Medium, High, or Extreme.
Similarly, the relative risk score method numerically scores threats and vulnerabilities compared to the consequence of a given scenario and plots the risk according to a set range of risk levels.
Figure 3. Example “Relative Risk Score”- This method assesses risk by numerically scoring threats and vulnerabilities compared to the consequence of a given scenario.