Qualitative Risk Analysis

admin, 2022-08-28 20:32:16

Qualitative Risk Analysis


Qualitative risk analysis is more scenario based than it is calculator based. Rather than assigning exact dollar figures to possible losses, you rank threats on a relative scale to evaluate their risks, costs, and effects. Since a purely quantitative risk assessment is not possible, balancing the results of a quantitative analysis is essential. The method of combining quantitative and qualitative analysis into a final assessment of organizational risk is known as hybrid assessment or hybrid analysis. The process of performing qualitative risk analysis involves judgment, intuition, and experience. You can use many techniques to perform qualitative risk analysis:


  • Brainstorming

  • Storyboarding

  • Focus groups

  • Surveys

  • Questionnaires

  • Checklists

  • One-on-one meetings

  • Interviews

  • Scenarios

  • Delphi technique



Which mechanism to use depends on the culture of the organization and on the types of risks and assets involved. Several methods are usually used together, and their results are compared and contrasted in the final risk analysis report submitted to upper management. Of these, the two you need to understand in more detail are scenarios and the Delphi technique.


Scenarios

The basic process for all these mechanisms involves the creation of scenarios. A scenario is a written description of a single major threat. The description focuses on how a threat would be instigated and what effects its occurrence could have on the organization, the IT infrastructure, and specific assets. Generally, the scenarios are limited to one page of text to keep them manageable. For each scenario, several safeguards are described that would completely or partially protect against the major threat discussed in the scenario. The analysis participants then assign to the scenario a threat level, a loss potential, and the advantages of each safeguard. These assignments can be simple—such as High, Medium, and Low, or a basic number scale of 1 to 10—or they can be detailed essay responses. The responses from all participants are then compiled into a single report that is presented to upper management. For examples of reference ratings and levels, please see Tables D-3, D-4, D-5, D-6, and E-4 in NIST SP 800-30 Rev.1:

csrc.nist.gov/publications/detail/sp/800-30/rev-1/final




The usefulness and validity of a qualitative risk analysis improves as the number and diversity of the participants in the evaluation increases. Whenever possible, include one or more people from each level of the organizational hierarchy, from upper management to end user. It is also important to include a cross-section from each major department, division, office, or branch.



Delphi Technique

The Delphi technique is probably the primary mechanism on the previous list that is not immediately recognizable and understood. The Delphi technique is simply an anonymous feedback-and-response process used to enable a group to reach an anonymous consensus. Its primary purpose is to elicit honest and uninfluenced responses from all participants. The participants are usually gathered into a single meeting room. To each request for feedback, each participant writes down their response on paper or through digital messaging services anonymously. The results are compiled and presented to the group for evaluation. The process is repeated until a consensus is reached. The goal or purpose of the Delphi technique is to facilitate the evaluation of ideas, concepts, and solutions on their own merit without the discrimination that often occurs based on who the idea comes from.

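The two mechanisms above (scenario rating on a High/Medium/Low or 1-10 scale, and anonymous Delphi rounds repeated until consensus) can be compiled mechanically. The following is an added example, not code from the original post; the word-to-number mapping, the product of threat and loss as a relative rank, and the rule that consensus means every response lies within 1 point of the round's median are assumptions chosen for illustration.

```python
from statistics import median

# Assumed ordinal mapping of the High/Medium/Low scale onto the 1-10 scale.
WORD_SCALE = {"low": 2, "medium": 5, "high": 8}


def to_score(rating):
    """Normalise a High/Medium/Low word or a 1-10 integer to an int in 1..10."""
    if isinstance(rating, str):
        return WORD_SCALE[rating.strip().lower()]
    if 1 <= int(rating) <= 10:
        return int(rating)
    raise ValueError(f"rating out of range: {rating!r}")


def delphi_round(responses, tolerance=1):
    """One anonymous round: (median, consensus_reached, outlying scores)."""
    scores = [to_score(r) for r in responses]   # responses carry no names
    centre = median(scores)
    outliers = [s for s in scores if abs(s - centre) > tolerance]
    return centre, not outliers, outliers


def compile_report(scenarios):
    """Rank scenarios by relative risk (threat x loss) from anonymous responses.
    scenarios: {name: {"threat": [...], "loss": [...], "safeguards": {sg: [...]}}}"""
    report = []
    for name, votes in scenarios.items():
        threat, t_ok, _ = delphi_round(votes["threat"])
        loss, l_ok, _ = delphi_round(votes["loss"])
        best = max(votes["safeguards"],
                   key=lambda sg: delphi_round(votes["safeguards"][sg])[0])
        report.append({
            "scenario": name,
            "risk_rank": threat * loss,     # relative score, not a dollar figure
            "consensus": t_ok and l_ok,     # False => run another Delphi round
            "best_safeguard": best,
        })
    return sorted(report, key=lambda row: row["risk_rank"], reverse=True)


# Constructed sample: three participants rate two one-page scenarios.
SAMPLE = {
    "ransomware on file server": {
        "threat": ["High", 9, "High"], "loss": [8, "High", 7],
        "safeguards": {"offline backups": [9, 8, "High"], "email filtering": [5, "Medium", 6]},
    },
    "lost unencrypted laptop": {
        "threat": ["Medium", 4, 6], "loss": ["Medium", 5, "Low"],
        "safeguards": {"full-disk encryption": ["High", 9, 8]},
    },
}
```

Running `compile_report(SAMPLE)` ranks the ransomware scenario first and flags the laptop scenario for another round, because one participant's "Low" loss rating is far from the group median.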

Originally published on the WeChat official account 网络安全等保测评: Qualitative Risk Analysis

Posted by admin on 2022-08-28 20:32:16. Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author): http://cn-sec.com/archives/1259803.html
