Though I prefer a quantitative risk analysis method, such as Factor Analysis of Information Risk (FAIR), sometimes a quicker, qualitative method, such as the Facilitated Risk Analysis Process (FRAP), is needed.
Qualitative methods are much quicker. They don't require asset valuation, aside from a SWAG (Scientific Wild Ass Guess), and need only the following:
- A brainstorming session to list threats,
- The assignment of a simple probability (i.e. High/Medium/Low) to each threat,
- The assignment of simple impact (i.e. High/Medium/Low) to each threat,
- The identification of controls for the listed threats, and
- A management summary.
Here is a slideshow I found on the Facilitated Risk Analysis Process:
http://www.slideserve.com/calantha/facilitated-risk-analysis-process-frap-adapted-from-tom-peltier-associates