In information security, risk factor is a collective name for circumstances affecting the likelihood or impact of a security risk.

Definitions

FAIR

Main article: Factor Analysis of Information Risk § Risk

Factor Analysis of Information Risk (FAIR) is devoted to the analysis of different factors influencing IT risk. It decomposes IT risk at various levels, starting from the first-level Loss Event Frequency and Probable Loss Magnitude, and going on to examine the asset, the threat agent's capability compared to the vulnerability and the security control (also called countermeasure) strength, the probability that the agent comes into contact with and actually acts against the asset, the organization's capability to react to the event, and the impact on stakeholders.

ISACA

Risk factors are those factors that influence the frequency and/or business impact of risk scenarios; they can be of different natures, and can be classified in two major categories:

- Environmental, further subdivided in:
  - Internal environmental factors are, to a large extent, under the control of the enterprise, although they may not always be easy to change.
  - External environmental factors are, to a large extent, outside the control of the enterprise.
- Capability of the organization, further subdivided in:
  - IT risk management capabilities—To what extent is the enterprise mature in performing the risk management processes defined in the Risk IT framework
  - IT capabilities—How good is the enterprise at performing the IT processes defined in COBIT
  - IT-related business capabilities (or value management)—How closely do the enterprise's value management activities align with those expressed in the Val IT processes

Risk scenario

An IT risk scenario is a description of an IT-related event that can lead to a business impact, when and if it should occur.

Risk factors can also be interpreted as causal factors of the scenario that is materialising, or as vulnerabilities or weaknesses. These are terms often used in risk management frameworks.

A risk scenario is characterized by:

- A threat actor that can be:
  - Internal to the organization (employee, contractor)
  - External to the organization (competitor, business partner, regulator, act of god)
- A threat type:
  - Malicious
  - Accidental
  - Failure
  - Natural
- Event
  - Disclosure
  - Modification
  - Theft
  - Destruction
  - Bad design
  - Ineffective execution
  - Inappropriate use
- Asset or resource
  - People and organization
  - Process
  - Infrastructure or facilities
  - IT infrastructure
  - Information
  - Application
- Time
  - Duration
  - Timing of occurrence (critical or not)
  - Timing to detect
  - Timing to react

The risk scenario structure differentiates between loss events (events generating the negative impact), vulnerabilities or vulnerability events (events contributing to the magnitude or frequency of loss events occurring), and threat events (circumstances or events that can trigger loss events). It is important not to confuse these risks or throw them into one large risk list.

See also

- Asset
- Attack (computing)
- Countermeasure (computer)
- Computer security
- Computer insecurity
- Information Security
- Information security management
- ISACA
- Information security management system
- ISO/IEC 27001
- IT risk
- Risk
- Risk Management
- The Open Group
- Threat (computer)
- Security control
- Security risk
- Security service (telecommunication)
- Vulnerability (computing)

References

1. ISACA THE RISK IT FRAMEWORK (registration required)
2. "An Introduction to Factor Analysis of Information Risk (FAIR)", Risk Management Insight LLC, November 2006. Archived 2014-11-18 at the Wayback Machine.