What does risk mean? Briefly describe the difference between quantitative and qualitative risk analysis. Should risk be based on a true comprehensive risk assessment, or should risk be based on worst-case scenarios? Why? Finally, explain the difference between levels of analysis regarding assets or the portfolio or system-level assessment.
TEXTBOOK: Bennett, B. T. (2018). Understanding, assessing, and responding to terrorism: Protecting critical infrastructure and personnel (2nd ed.). Hoboken, NJ: John Wiley & Sons, Inc. ISBN: 9781119237785.
Risk is the measure of potential harm or loss that may result from an action, decision, or event.
Quantitative risk analysis relies on numerical and statistical techniques to quantify the probability of a given outcome. This approach focuses on quantifying the costs associated with possible outcomes and determining how likely they are to occur. Qualitative risk analysis uses more subjective methods such as interviews and surveys to assess risks in terms of their impact, likelihood, and severity.
Risk should be based on a comprehensive risk assessment that considers both worst-case scenarios as well as other factors such as environmental conditions and existing infrastructure capabilities. A true comprehensive assessment allows for flexibility when responding to changes in circumstances that may affect threat dynamics. It also offers greater accuracy than relying solely on worst-case scenarios which can lead to over preparation without providing additional insight into the actual risks posed by a given situation.
Asset level analysis looks at individual assets within a system while portfolio or system-level assessments look at all assets within an organization or sector simultaneously in order to assess collective risks across assets, systems, sectors etc.. Portfolio/system level assessments provide a holistic view of risks including those related to interdependencies between different elements of an organization’s operations thus allowing for improved understanding of overall systemic vulnerabilities and threats.