Quantitative analysis Assigns real numbers or dollar amounts to the costs of countermeasures and the amount of damage that can occur. Pure quantitative risk analysis is not possible.
Qualitative analysis Looks at different scenarios of risk possibilities and ranks the seriousness of the threats and the sensitivity of the assets.
EF (exposure factor) = Percentage of an asset loss caused by an identified threat
SLE (single loss expectancy) = Asset value × Exposure factor
ALE (annualized loss expectancy) = Single loss expectancy × Annualized rate of occurrence
Risk reduction Implements a countermeasure to alter or reduce the risk
Risk transference Purchases insurance to transfer a portion or all of the potential cost of a loss to a third party
Risk acceptance Deals with risk by accepting the potential cost and loss
Risk rejection Pretends risk doesn't exist and ignores the risk
Policies General statements produced by senior management
Standards Tactical documents that are more specific than policies
Guidelines Point to a statement in a policy or procedure by which to determine a course of action
Procedures The lowest level in the policy that provides step-by-step instructions to achieve a certain task