Process 2: Consolidate and Prioritize Perspectives

The information gathered in Phase 1 is systematically analyzed in this phase to create a profile of each risk. Each risk profile is digested into a risk statement that serves as the foundation for developing mitigation strategies in Phase 3.

Step 1: Identify the most significant risks.

Information collected during the Phase 1 interviews, together with the analysis of policies, reports, technical data and other documentation in Process 1 of this phase, is used in this step to prioritize risks. Of the most critical assets, identify which are vulnerable to threats that would have the most significant impact on this institution if exploited.

  1. Rank assets identified in Phase 0 according to their criticality.
  2. For a few of the most critical assets, pair the threats (determined in Phase 1 interviews) with the vulnerabilities (Phase 1 interviews and Phase 2, Process 1) they are most likely to exploit.
  3. Rank the threat-vulnerability pairs according to the impact (Phase 1 interviews) that would result if the vulnerability were exploited.
  4. For the highest impact threat-vulnerability pairs, determine which safeguards are missing (Phase 1 interviews).
  5. Repeat these steps for any asset dependencies.
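One way to carry out these five steps, as an added illustration that is not part of the original methodology: a short Python script over constructed sample assets and threat-vulnerability pairs. The 1-5 scales for criticality and impact, the asset names and the safeguard lists are assumptions; the script propagates criticality through asset dependencies (step 5) and ranks the pairs by impact (step 3), listing the missing safeguards for each (step 4).

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    criticality: int                 # 1 (low) .. 5 (high), set in Phase 0
    depends_on: list = field(default_factory=list)

@dataclass
class ThreatVulnPair:
    asset: str
    threat: str                      # from Phase 1 interviews
    vulnerability: str               # from Phase 1 interviews / Phase 2, Process 1
    impact: int                      # 1..5, from Phase 1 interviews
    missing_safeguards: list

def effective_criticality(assets, name, visiting=frozenset()):
    """Step 5: an asset inherits the criticality of anything that depends on it."""
    if name in visiting:             # guard against dependency cycles
        return assets[name].criticality
    dependents = [a.name for a in assets.values() if name in a.depends_on]
    return max([assets[name].criticality] +
               [effective_criticality(assets, d, visiting | {name}) for d in dependents])

def prioritize(assets, pairs, top_n=3):
    """Steps 1-4: keep the most critical assets (plus their dependencies) and
    rank their threat-vulnerability pairs by impact, then by criticality."""
    by_crit = sorted(assets, key=lambda n: effective_criticality(assets, n), reverse=True)
    in_scope = set(by_crit[:top_n])
    for n in by_crit[:top_n]:
        in_scope.update(assets[n].depends_on)
    chosen = [p for p in pairs if p.asset in in_scope]
    return sorted(chosen, key=lambda p: (p.impact, effective_criticality(assets, p.asset)), reverse=True)

ASSETS = {a.name: a for a in [  # constructed sample data (assumption)
    Asset("student records", 5, depends_on=["authentication server"]),
    Asset("authentication server", 2),
    Asset("campus email", 3),
    Asset("public web site", 2),
]}
PAIRS = [  # constructed sample pairs (assumption)
    ThreatVulnPair("student records", "laptop loss or theft", "records stored on laptops", 5, ["full-disk encryption", "laptop inventory"]),
    ThreatVulnPair("authentication server", "password guessing", "no lockout or second factor", 4, ["account lockout", "multi-factor authentication"]),
    ThreatVulnPair("campus email", "phishing", "no attachment filtering", 3, ["mail filtering"]),
    ThreatVulnPair("public web site", "defacement", "unpatched CMS", 2, ["patch management"]),
]
if __name__ == "__main__":
    for p in prioritize(ASSETS, PAIRS):
        print(f"impact {p.impact}: {p.asset} / {p.threat} -> missing: {', '.join(p.missing_safeguards)}")
```

Note that the authentication server, rated 2 on its own, is ranked as a 5 because student records depend on it, which is exactly why step 5 asks for dependencies to be revisited.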


Step 2: Create profiles that show a consolidated view of each risk.

Based on the analysis in Step 1, create profiles for three to five of the most significant risks.

  1. Identify the assets affected and their criticality.
  2. Identify the vulnerabilities associated with these assets.
  3. Identify the threats likely to exploit the vulnerabilities and estimate the likelihood that they will be successful.
  4. Quantify the impact significance if the threats exploit the vulnerabilities.

Here is an example of a risk profile:

Asset: Student records

Vulnerability: Student records stored on laptops are vulnerable to loss and theft.

Threat probability: Because laptops are small and portable, they could be easily lost or stolen.

Threat impact: The impact of the loss or theft of a laptop containing student records might be significant. The privacy of student records is protected by federal law. University policy requires that notifications be sent to individuals whose records are exposed. Notification can cost an average of $200 per individual. Depending on the number of student records exposed, the incident could draw media attention. Media attention could negatively impact the university's reputation, resulting in reduced enrollment, donations, and funding.


Step 3: For each risk profile, compose a risk statement.

The risk statement summarizes the risk profile and quantifies the risk. Mitigation strategies developed in Phase 3 will directly address the risk statement composed in this step.

Here is an example of a risk statement:

The risk that student records stored on laptops could be exposed to unauthorized individuals is significant because laptops are easily lost or stolen. Depending on the number of student records exposed, notifications and associated expenses could be very high. Media attention resulting from student record exposures would negatively impact the reputation of ABC College, which could result in reduced enrollment, donations and other funding.


Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).