Risk Assessment “Slash” Analysis?

Source: NIST SP 800-30 R1

According to NIST SP 800-30 R1, risk assessment is the process of identifying, estimating, and prioritizing information security risks. This definition matches the one in ISO 31000; estimating refers to the analysis, while prioritizing refers to evaluation.

However, the guideline uses two terms in the risk assessment process that may confuse people: assessment approach and analysis approach.

  • Assessment approach: e.g., quantitative, qualitative, or semi-qualitative
  • Analysis approach: e.g., threat-oriented, asset/impact-oriented, or vulnerability-oriented

Risk Framing Components

The assessment approach defined in the Frame stage should apply to the “risk assessment process” as a whole, while the analysis approach should refer to the approach used to “estimate” risk as a part of the risk assessment process.

FIGURE 2: RELATIONSHIP AMONG RISK FRAMING COMPONENTS (NIST SP 800-30 R1)

FIGURE 5: RISK ASSESSMENT PROCESS (NIST SP 800-30 R1)

Risk Assessment “Slash” Analysis?

It seems that both ISO and NIST distinguish risk assessment from risk analysis. However, it’s common for people to use them interchangeably. I think it’s a good practice to use them precisely.

Leave a Reply