Risk
Process that allows the nature of risk to be understood and the level of risk to be determined. [UNE-ISO GUÍA 73:2010]
NOTE 1 Risk analysis provides the basis for risk evaluation and for decisions about risk treatment.
NOTE 2 Risk analysis includes risk estimation. [UNE-ISO/IEC 27000:2014]
Systematic use of available information to identify hazards and estimate risks. [ENS:2010]
Process that allows the nature of risk to be understood and the level of risk to be determined. [UNE Guía 73:2010]
Systematic process for estimating the magnitude of the risks to which an Organization is exposed. [Magerit:2012]
Study of the assets, their vulnerabilities and the probabilities that threats materialize, with the purpose of determining the annual risk exposure of each asset to each threat. It may be quantitative, when this exposure is expressed in monetary units, or qualitative, when it is expressed on a relative severity scale, for example from 1 to 10. Given the difficulty of calculating the above probabilities precisely, the latter is usually chosen. [Ribagorda:1997]
Process to comprehend the nature of risk and to determine the level of risk. [ISO Guide 73:2009]
NOTE 1: Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
NOTE 2: Risk analysis includes risk estimation. [ISO/IEC 27000:2014]
Process to comprehend the nature of risk and to determine the level of risk. [ISO Guide 73:2009]
Examination of information to identify the risk to an information system. [CNSSI_4009:2010]
A process by which frequency and magnitude of IT risk scenarios are estimated. [RiskIT-PG:2009]
Systematic examination of the components and characteristics of risk.
Annotation: In practice, risk analysis is generally conducted to produce a risk assessment. Risk analysis can also involve aggregation of the results of risk assessments to produce a valuation of risks for the purpose of informing decisions. In addition, risk analysis can be done on proposed alternative risk management strategies to determine the likely impact of the strategies on the overall risk. [DHS Risk Lexicon, September 2008]
(I) An assessment process that systematically (a) identifies valuable system resources and threats to those resources, (b) quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence, and (c) (optionally) recommends how to allocate available resources to countermeasures so as to minimize total exposure. (See: risk management, business-case analysis. Compare: threat analysis.) [RFC4949:2007]
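The two forms of analysis named in the Ribagorda and RFC 4949 definitions above, a quantitative annual loss exposure per asset and threat and a qualitative relative-severity scale, worked through as an added example in Python. This is not code from the page or from any of the quoted standards. It assumes the usual decomposition ALE = ARO x SLE (annual loss expectancy from the annual rate of occurrence and the single loss expectancy); the 1 to 10 scale, its band thresholds, the `Scenario` fields and the sample register are constructed for illustration only.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    """One asset/threat pair in a risk register (fields are an assumption of this example)."""
    asset: str
    threat: str
    asset_value: float      # value of the asset in monetary units
    exposure_factor: float  # fraction of the asset value lost per occurrence, 0..1
    annual_rate: float      # estimated occurrences per year (ARO)


def single_loss_expectancy(s: Scenario) -> float:
    """Cost of a single occurrence: SLE = asset value x exposure factor."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure_factor must be within [0, 1]")
    return s.asset_value * s.exposure_factor


def annual_loss_expectancy(s: Scenario) -> float:
    """Quantitative annual exposure of one asset to one threat: ALE = ARO x SLE."""
    if s.annual_rate < 0.0:
        raise ValueError("annual_rate cannot be negative")
    return s.annual_rate * single_loss_expectancy(s)


# Qualitative scale used by this example (an assumption, not taken from any quoted
# standard): likelihood and impact are each placed in a 1..5 band by the thresholds
# below, and their product (1..25) is scaled to a 1..10 relative severity.
LIKELIHOOD_BANDS: List[Tuple[float, int]] = [
    (0.1, 1), (0.5, 2), (1.0, 3), (5.0, 4), (math.inf, 5)]  # upper ARO bound -> band
IMPACT_BANDS: List[Tuple[float, int]] = [
    (1_000, 1), (10_000, 2), (100_000, 3), (1_000_000, 4), (math.inf, 5)]  # upper SLE bound -> band


def _band(value: float, bands: List[Tuple[float, int]]) -> int:
    """Return the band of the first upper bound that the value does not exceed."""
    for upper, score in bands:
        if value <= upper:
            return score
    return bands[-1][1]


def qualitative_score(s: Scenario) -> int:
    """Relative severity on a 1..10 scale from banded likelihood and impact."""
    likelihood = _band(s.annual_rate, LIKELIHOOD_BANDS)
    impact = _band(single_loss_expectancy(s), IMPACT_BANDS)
    return max(1, math.ceil(likelihood * impact * 10 / 25))


def rank_register(register: List[Scenario], quantitative: bool = True) -> List[Tuple[str, str, float]]:
    """Rank asset/threat pairs by monetary annual exposure or by qualitative severity."""
    measure = annual_loss_expectancy if quantitative else qualitative_score
    rows = [(s.asset, s.threat, float(measure(s))) for s in register]
    return sorted(rows, key=lambda r: -r[2])  # stable sort: ties keep register order


def exposure_by_asset(register: List[Scenario]) -> Dict[str, float]:
    """Aggregate the quantitative annual exposure of each asset across all its threats."""
    totals: Dict[str, float] = {}
    for s in register:
        totals[s.asset] = totals.get(s.asset, 0.0) + annual_loss_expectancy(s)
    return totals


# Constructed sample register: illustrative figures, not measurements of any real system.
REGISTER: List[Scenario] = [
    Scenario("customer-db", "ransomware", 500_000, 0.60, 0.2),
    Scenario("customer-db", "disk failure", 500_000, 0.05, 1.0),
    Scenario("web-portal", "volumetric DDoS", 200_000, 0.10, 4.0),
    Scenario("laptop-fleet", "device theft", 50_000, 0.01, 6.0),
]

if __name__ == "__main__":
    for asset, threat, ale in rank_register(REGISTER):
        print(f"{asset:14} {threat:16} ALE = {ale:>10,.0f}")
    for asset, threat, sev in rank_register(REGISTER, quantitative=False):
        print(f"{asset:14} {threat:16} severity = {sev:.0f}/10")
    for asset, total in exposure_by_asset(REGISTER).items():
        print(f"{asset:14} total ALE = {total:>10,.0f}")
```

With the sample data the two rankings broadly agree (the DDoS scenario leads both), but the qualitative scale ties the two customer-db threats that the monetary figures separate, which is the trade-off Ribagorda's note about imprecise probabilities points at: banding hides the uncertainty of the ARO estimate at the cost of resolution between scenarios.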
An analysis of system assets and vulnerabilities to establish an expected loss from certain events based on estimated probabilities of occurrence. [TDIR:2003]
The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. Part of risk management and synonymous with risk assessment. [NIST-SP800-33:2001]
A documented assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI, and an estimation of the security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level. Risk analysis involves determining what requires protection, what it should be protected from, and how to protect it. [http://www.hipaa.yale.edu/overview/glossary.html]
Risk analysis involves analyzing target software for vulnerabilities and characterizing their nature and potential impact. Microsoft calls this threat modeling. Risk analysis attempts to identify, prioritize, and plan appropriate mitigation for the risks facing a piece of software. [https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/attack/590-BSI.html]
Process implemented to understand the nature of a risk and to determine the level of risk. [ISO Guide 73:2009]