[unisog] Risk analysis

Leigh Vincent l.vincent at ballarat.edu.au
Tue Feb 21 04:48:17 GMT 2006


Ok.  The calculation goes like this..........

You give each "Risk":
a value between 1 and 7 for Adequacy of Existing Controls (1 being
excellent & 7 being None)
a value between 1 and 5 for Likelihood of the Risk occurring (1 being
May never occur & 5 being Is expected to occur)
a value between 1 and 5 for Impact / Consequence (1 being Minimal to no
impact on users & 5 being Total Destruction)

So for a terrorist attack we had:
Existing Controls: 7 (None)
Likelihood: 2 (Could occur at some time)
Impact: 5 (Total Destruction of services)

Now for the maths: ( ( 7 x Existing Control) + ( 3 x Likelihood) + (4 x
Impact)) / 84

Now don't ask me how these figures were derived but they are as per the
Australian Standards for Risk Management.

So our overall Risk Factor Rating was 0.9

Does that help???

>>> rudolph at usyd.edu.au 02/21/06 3:02 pm >>>
On Tue, Feb 21, 2006 at 02:18:20PM +1100, Leigh Vincent wrote:
> From this we established that a Terrorist attack was our number one risk
> mainly because there are no existing controls.  The next few were
> things like service packs, patch updates, portable devices, ignorance
> etc etc etc. We actually have a list of 21 possible risks.
Excuse my incredulity (I am no risk analyst), but would you be able to
share the reasoning/calculations showing that a terrorist attack was on
the top of your list?
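
The calculation described in this message, as an added example that is not part of the original post: it applies the stated weights (7, 3, 4) and divisor (84) to a small register, range-checks each rating, and shows how many points each factor contributes. Only the terrorist-attack ratings come from the message; the other two entries and all function names are constructed for illustration.

```python
from dataclasses import dataclass

# Weights and scale maxima as given in the message above.
WEIGHTS = {"controls": 7, "likelihood": 3, "impact": 4}
SCALE_MAX = {"controls": 7, "likelihood": 5, "impact": 5}
DENOMINATOR = sum(WEIGHTS[k] * SCALE_MAX[k] for k in WEIGHTS)  # 49 + 15 + 20 = 84


@dataclass(frozen=True)
class Risk:
    name: str
    controls: int    # 1 (excellent) .. 7 (none)
    likelihood: int  # 1 (may never occur) .. 5 (is expected to occur)
    impact: int      # 1 (minimal) .. 5 (total destruction)


def contributions(risk):
    """Weighted points per factor, after range-checking each rating."""
    points = {}
    for factor, weight in WEIGHTS.items():
        value = getattr(risk, factor)
        if not isinstance(value, int) or not 1 <= value <= SCALE_MAX[factor]:
            raise ValueError(f"{risk.name}: {factor}={value!r} outside 1..{SCALE_MAX[factor]}")
        points[factor] = weight * value
    return points


def rating(risk):
    """Risk factor rating: weighted sum normalised by the maximum, 84."""
    return sum(contributions(risk).values()) / DENOMINATOR


def rank(register):
    """Highest rating first."""
    return sorted(register, key=rating, reverse=True)


# First entry uses the ratings from the message; the others are constructed.
REGISTER = [
    Risk("Terrorist attack", controls=7, likelihood=2, impact=5),
    Risk("Missing patches (constructed)", controls=3, likelihood=5, impact=4),
    Risk("Lost portable device (constructed)", controls=4, likelihood=3, impact=3),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{rating(r):.2f}  {r.name}  {contributions(r)}")
```

For the terrorist-attack entry, 49 of the 75 points come from the Existing Controls rating alone, and because every rating starts at 1 the lowest possible result is 14/84.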

