A multi-part blog piece by Brad Bemis, suggesting a simplified/standardized risk analysis process for PCI-DSS purposes, led me to look into the quick, rough-cut information security risk assessment method that Brad recommends, based on just ten yes/no questions. Its inventor, Ben Sapiro, calls it "Binary Risk Analysis" [BRA] to emphasize those yes/no choices, implying a degree of simplicity and objectivity (although some have questioned that: forcing users to choose in this manner merely makes them collapse or shoe-horn each of their subjective opinions into one of two boxes, which does not make those opinions any less subjective and, if anything, makes them more constrained). The ten questions in BRA lead the user through evaluating frequency and severity (albeit called "threat likelihood" and "threat impact"), the key factors commonly used to evaluate risks.
It occurred to me that it would be even quicker and easier, and in fact no less accurate, for a competent person to assess and plot the probability and impact of relevant incident scenarios directly.
Since Ben's method is "binary", I've called mine "Analog Risk Assessment" [ARA]!
I'm not saying analog is inherently better or worse than binary, just different. It happens to suit my way of thinking and, judging by the popularity of this blog item, others are similarly inspired. The colorful graphic (itself a metric) is an excellent way to consider and discuss risks in workshops etc., and to summarize the findings for management decisions, naturally focusing attention on the risks in the red zone.
While I've labeled the axes "Likelihood" and "Severity", you may prefer similar terms such as "Likelihood" and "Consequences" (reflecting the ISO/IEC 27000 definition: "Level of risk: magnitude of a risk expressed in terms of the combination of consequences and their likelihood").
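As an added illustration of the plotting idea, here is a small Python helper of my own: it is not part of the original post, nor is it Ben Sapiro's BRA. Each scenario gets a continuous likelihood and severity reading, lands on a two-axis grid, and is colour-coded by zone. The grid size, the red/amber thresholds, the product used as the score and the four sample scenarios are all assumptions chosen for the walk-through. The last function forces the same readings into a yes/no cell on each axis, a simplified stand-in for any binary scheme, to show how distinct scenarios get collapsed together.

```python
"""Illustrative helper for an "analog" risk assessment (ARA) plot.

Each incident scenario gets a likelihood and a severity on a continuous
0.0 .. 1.0 scale, is placed on a two-axis grid, and is colour-coded by
zone.  The zone thresholds, the grid size and the sample scenarios are
constructed here for illustration and are not taken from the original post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: float  # 0.0 = practically never .. 1.0 = near certain
    severity: float    # 0.0 = negligible .. 1.0 = catastrophic

    def __post_init__(self) -> None:
        # Reject readings outside the analog scale instead of silently clipping.
        for label, value in (("likelihood", self.likelihood), ("severity", self.severity)):
            if not 0.0 <= value <= 1.0:
                raise ValueError(f"{self.name}: {label} must lie in [0, 1], got {value}")


# Assumed zone thresholds on the likelihood x severity product.
RED_AT, AMBER_AT = 0.5, 0.2


def risk_score(s: Scenario) -> float:
    """Combine the two analog readings; here simply their product."""
    return s.likelihood * s.severity


def zone(s: Scenario) -> str:
    """Map a scenario to the red / amber / green zone of the graphic."""
    score = risk_score(s)
    if score >= RED_AT:
        return "red"
    if score >= AMBER_AT:
        return "amber"
    return "green"


def ranked(scenarios) -> list:
    """Scenario names, highest risk first, for a management summary."""
    return [s.name for s in sorted(scenarios, key=risk_score, reverse=True)]


def heat_map(scenarios, size: int = 10) -> list:
    """ASCII version of the probability/impact grid.

    Row 0 is the highest-severity band, column 0 the lowest-likelihood band;
    a cell shows the 1-based index of the scenario in it, or '*' if several
    scenarios share a cell.
    """
    grid = [["." for _ in range(size)] for _ in range(size)]
    for idx, s in enumerate(scenarios, start=1):
        col = min(int(s.likelihood * size), size - 1)
        row = size - 1 - min(int(s.severity * size), size - 1)
        grid[row][col] = str(idx) if grid[row][col] == "." else "*"
    return ["".join(r) for r in grid]


def binary_collisions(scenarios, cut: float = 0.5) -> dict:
    """Show what a yes/no collapse of the two axes loses.

    Each scenario is forced into one of four cells (likely? severe?), a
    simplified stand-in for any binary scheme, not Sapiro's BRA itself.
    Returns only the cells that end up holding more than one scenario.
    """
    cells: dict = {}
    for s in scenarios:
        key = (s.likelihood >= cut, s.severity >= cut)
        cells.setdefault(key, []).append(s.name)
    return {k: v for k, v in cells.items() if len(v) > 1}


# Constructed sample scenarios for a workshop walk-through (not real data).
SAMPLE = [
    Scenario("Ransomware via phishing e-mail", 0.7, 0.9),
    Scenario("Lost unencrypted laptop", 0.6, 0.55),
    Scenario("Data centre flooding", 0.05, 0.95),
    Scenario("Defacement of brochure site", 0.4, 0.1),
]

if __name__ == "__main__":
    for i, s in enumerate(SAMPLE, start=1):
        print(f"{i}. {s.name:32} score={risk_score(s):.2f} zone={zone(s)}")
    print("\n".join(heat_map(SAMPLE)))
    print("binary collisions:", binary_collisions(SAMPLE))
```

Run as a script it prints the zone per scenario, the grid, and the binary cells that hold more than one scenario. With the sample readings the ransomware and lost-laptop scenarios sit in clearly different places on the analog grid (one red, one amber) yet share the single "likely and severe" binary cell, which is the constraint noted above about squeezing judgements into two boxes.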
In the same spirit as Ben, I'm very happy for anyone to use ARA or develop it further under a Creative Commons license:
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.