Creating Risk Scenarios

First of all, how do Risk Scenarios help us?

Risk Scenarios are part of Risk Identification.

They help us by:

  • providing a description of threat events which have uncertain impact,
  • conceptualizing risks, which contributes to risk identification,
  • and simply documenting the risks.

A good Risk Scenario should include the following elements:

  1. Description of an Actor or Threat Community.
  2. Description of an Intent or Motivation.
  3. Description of a Threat Event – what might cause a Security Incident?
  4. Description of an affected Asset or Resource.
  5. Description of the Effect – what was the impact, and how much loss do we feel?
  6. Description of the timing and timeline.

In most cases, Risk Scenario development can use one of two models: the top-down approach and the bottom-up approach.

The top-down approach starts with business goals and the impact on those goals. It is well suited to a general enterprise Risk Management strategy. The advantage is that it deals with objectives which have already been identified as important for the enterprise.

The bottom-up approach starts with the individual enterprise situation. It focuses on technical proceedings or services. It gives more technical insight, but might not retain the interest of higher management.

From a high-level perspective, Risk Scenarios enable you to:

  • identify risks,
  • analyse those risks and their frequency and magnitude, and finally
  • evaluate those risks based on risk evaluation criteria and risk acceptance criteria.

Remember!

Use generic scenarios as a starting point.
Deduce complex scenarios from simple ones.
Complex technical scenarios are best developed from the bottom-up.
