Facilitated Risk Analysis Process (FRAP)

Though I prefer a quantitative risk analysis, such as Factor Analysis of Information Risk (FAIR), sometimes a quicker, qualitative method, such as the Facilitated Risk Analysis Process (FRAP), is needed.

Qualitative methods are much quicker. They don’t require asset valuation, aside from a SWAG (Scientific Wild Ass Guess), and involve the following:

  • A brainstorming session to list threats,
  • The assignment of a simple probability (i.e. High/Medium/Low) to each threat,
  • The assignment of simple impact (i.e. High/Medium/Low) to each threat,
  • The identification of controls for the listed threats, and
  • A management summary.
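The steps above can be captured as a small worksheet. This is an added example, not code from FRAP or from the slideshow: the threats, ratings and controls are constructed, and the rule that combines probability and impact into A/B/C priority bands is an assumption of this sketch, since the post does not define one.

```python
from collections import Counter

LEVELS = {"Low": 1, "Medium": 2, "High": 3}

def priority(probability, impact):
    """Combine two High/Medium/Low ratings into a priority band.

    Assumed mapping (not from the post): add the two levels;
    5-6 -> A (act now), 4 -> B (plan a control), 2-3 -> C (monitor).
    """
    try:
        score = LEVELS[probability] + LEVELS[impact]
    except KeyError as exc:
        raise ValueError(f"rating must be High/Medium/Low, got {exc}") from None
    return "A" if score >= 5 else "B" if score == 4 else "C"

def build_worksheet(threats):
    """Rate each brainstormed threat and order the worksheet by priority."""
    rows = [dict(t, priority=priority(t["probability"], t["impact"])) for t in threats]
    # Highest priority first; ties broken by impact, then name, for stable output.
    rows.sort(key=lambda r: (r["priority"], -LEVELS[r["impact"]], r["threat"]))
    return rows

def management_summary(rows):
    """Count threats per band and list A/B threats that still lack a control."""
    counts = Counter(r["priority"] for r in rows)
    open_items = [r["threat"] for r in rows
                  if r["priority"] in ("A", "B") and not r["controls"]]
    return {"counts": dict(counts), "open_items": open_items}

# Constructed sample session output (threats, ratings and controls are illustrative).
SESSION = [
    {"threat": "Laptop theft", "probability": "Medium", "impact": "High",
     "controls": ["Full-disk encryption"]},
    {"threat": "Phishing of finance staff", "probability": "High", "impact": "High",
     "controls": []},
    {"threat": "Data-centre flood", "probability": "Low", "impact": "High",
     "controls": ["Off-site backups"]},
    {"threat": "Defaced intranet page", "probability": "Low", "impact": "Low",
     "controls": []},
]

if __name__ == "__main__":
    sheet = build_worksheet(SESSION)
    for r in sheet:
        print(f'{r["priority"]}  {r["threat"]:<28} {r["probability"]}/{r["impact"]}  '
              f'{", ".join(r["controls"]) or "NO CONTROL"}')
    print(management_summary(sheet))
```

The `open_items` list is the part that feeds the management summary: high-priority threats for which the session identified no control.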

Here is a SlideShow I found on the Facilitated Risk Analysis Process:

http://www.slideserve.com/calantha/facilitated-risk-analysis-process-frap-adapted-from-tom-peltier-associates
