3. The importance of analyzing risks (and not just cyber ones?)
"The world is much more unpredictable than you think" - Richard Zeckhauser

In every human activity there is risk, simply because we cannot predict and control everything.

Some examples:

We cannot know whether we will puncture a tire on our way to the airport, what the price of energy will be in 6 months, whether the refrigerator will break in the middle of summer, or whether a whirlwind will open the roof.

We may not know, but we can predict events that can happen and implicitly assign them, subjectively, a probability.

The criticality of a risk depends on the importance we attach to the object of the risk:

the flight to take, the cost of energy, the refrigerator in the middle of summer, the roof of the house.

Even by minimizing our activities, we will not be able to eliminate risks, but knowing them allows us to make informed decisions.

A company operating on the market is an active subject and therefore exposed to numerous risks.

The purpose of the risk analysis is to know the events that may occur, to estimate the probability of their occurrence and the consequences for the subject or organization if they occur.

It is necessary to define which parts of the company are taken into consideration (the scope), the situations in which the company operates (the context) and the time frame to which the analysis refers.

Much of the information you need comes from the "inventories" of the information, processes, technology and people that we must already have available (see 2. What do we need to protect?). Other information can be obtained from relevant research and reports, but the fundamental contribution is that of the "experts" of the company.

The result of the analysis is a catalog (or risk register), sorted by importance (probability multiplied by impact).

Quantitative analysis makes the risks comparable through a common metric, such as cost, and this makes it easier for the company, with the support of the Fractional CISO, to decide the priority and type of response for each risk.

Higher-priority risks are examined in depth with scenario analyses that simulate the different possible situations, to provide a more accurate assessment of the extent of the impact and of the effectiveness of the mitigation interventions.

Lower-priority risks are also included in the Safety Program, but are planned to be addressed later.
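
As an added illustration (not part of the original article), the Python example below builds a small risk register sorted by probability times impact, then runs a simple scenario simulation on the top risk with and without a mitigation. The risk names, probabilities, cost ranges and the mitigation factor are all constructed assumptions.

```python
import random
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    probability: float  # subjective yearly probability, estimated by company experts
    impact_low: float   # cost if the event occurs, optimistic estimate
    impact_high: float  # cost if the event occurs, pessimistic estimate

    @property
    def expected_loss(self) -> float:
        # Probability times impact, with impact taken as the midpoint of its range.
        return self.probability * (self.impact_low + self.impact_high) / 2

# Constructed sample entries; every figure here is illustrative.
RISKS = [
    Risk("Energy price increase", 0.5, 20_000, 60_000),
    Risk("Ransomware outage", 0.3, 50_000, 250_000),
    Risk("Laptop theft", 0.6, 2_000, 10_000),
]

def build_register(risks):
    """Risk register: risks sorted by expected yearly loss, highest first."""
    return sorted(risks, key=lambda r: r.expected_loss, reverse=True)

def simulate(risk, prob_factor=1.0, impact_factor=1.0, years=20_000, seed=1):
    """Scenario analysis: simulate many years, optionally with a mitigation that
    scales the probability and/or the impact. Returns mean and 95th percentile loss."""
    rng = random.Random(seed)  # fixed seed so scenarios are compared on the same draws
    losses = []
    for _ in range(years):
        occurs = rng.random() < risk.probability * prob_factor
        cost = rng.uniform(risk.impact_low, risk.impact_high) * impact_factor
        losses.append(cost if occurs else 0.0)
    losses.sort()
    return {"mean": sum(losses) / years, "p95": losses[int(0.95 * years)]}

if __name__ == "__main__":
    register = build_register(RISKS)
    for r in register:
        print(f"{r.name:25s} expected loss/year: {r.expected_loss:>10,.0f}")
    top = register[0]
    print("no mitigation:", simulate(top))
    print("mitigation halving probability:", simulate(top, prob_factor=0.5))
```

The 95th percentile shows what the single expected-loss figure hides: a bad year costs far more than the average, which is why the higher-priority risks get the scenario treatment.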