This chapter describes how risk analysis is a phenomena or methodology which is considered to be an amalgamation of various contexts to analyze and reach upon a conclusion about the fragility, vulnerability, flaws, defects, possible threats and dangers, which a particular software or system is prone to. It is an organization-level decision support tool which helps in gathering all sorts of data. That data, further, helps in arriving at a conclusion about how fragile or vulnerable a particular system is. Being a risk analyst, possessing deep knowledge, requires that one will analyze all possibilities of any risk, possible in any form, limitations of every risk assessment technique being applied and finally, the practical possibility or possible outcome of a particular risk-calculation strategy applied in a real-time environment.
TopIntroduction
Risk analysis is generally considered as a “black art”— part mathematics and part fortune telling. Effective risk analysis, though, is a business-rank conclusion-aid tool. It is, actually, an efficient way of accumulating the required data, so that an effective decision can be generated, totally based on the knowledge of fragility or vulnerability, danger or threats, impacts, influences or effects and equally important, possibility of any particular risk.
All well acknowledged methodologies for risk analysis hold certain pros and cons, but nearly, every methodology, possess a part of brilliant principles and a part of certain limitations or restrictions.
What contributes in differentiating, an exceptional risk analysis technique from an ordinary one is, its capability to apply well-established definitions of risks to a particular software design and obtain absolute mitigating requirements.
For an iterative risk analysis, a high ranking strategy, being used, should be thoroughly amalgamated all around, the Software Development Life Cycle Model (McGraw, 2004). Figure- 1 below, provides a through view of the specific areas, in Software Development Life Cycle Model, which are our target or focus areas i.e. suppose if we are considering risk analysis, the focus will be on the specific parts of the cycles for examining the risk involved.
Figure 1.
Risks in the software development life cycle
TopStandard Nomenclature
Various methods for risk analysis split into two major portions or categories:
- 1.
Commercial Based Risk Analysis: Prominent examples of Commercial Based Risk Analysis are Insight’s CRAMM, Sun’s ACSM/SAR, Microsoft’s STRIDE, and Cigital’s SQM, etc.
- 2.
Standards- Based Risk Analysis: There are many examples such as Software Engineering Institute’s OCTAVE, etc.
It would be out of scope to have deep rooted discussion about every prevailing Risk Analysis Methodology. Still, we will be gazing into the fundamental approaches, general feature and characteristics, advantages and limitation and the strength and weaknesses of various Risk calculating techniques.
All existing, well established, Risk assessing Techniques differ from one another and has a unique tactic to calculate the possibility of risk involved. Every approach involves different perspective and instances of different techniques available are:
- 1.
Function loss methodologies tend to make available a loss figure, which balances up for the cost involved for implementation of different controls.
- 2.
Risk Ratings are derived mathematically, equating risks with random classifications of risk or threat, possibility or probability and also impact or the effect.
- 3.
Qualitative assessment Technique calculates risk factor that is based on certain knowledge or information or facts.
Although each basic technique has distinct merits and demerits, but some of the fundamental values or elements are common, which are shared by almost every technique while calculating the risk factor involved during a software design. The common definitions, defining these elements are:
Asset also known as an object can have many forms i.e. it can possibly a system component or a complete system by itself or even any sort of data.
Risk can be defined as the possibility or probability for the asset to suffer a negative impact or unsuitable circumstances. The risk factor or the negative impact can be calculated considering various factors which are
- •
The ease with which an attack can be executed
- •
Resources, that are available and the motivational force working for the attacker.
- •
The present fragile state of the system
- •
Cost involved and extent of effect of the final result.