风险评估分为quantitative和qualitative两种：

• Quantitative 量化评估: 给风险评估中的数据元素加入量化的金钱、数值，例如“客户数据价值100万，保护手段价值1万, 每年损失概率为0.07”
• Qualitative 质化评估：通过基于主观性的方法进行风险分析。例如将客户数据价值估计为重要(Critical)，保护手段投入中等(medium)，损失概率较小（not likely )

Quantitative Concepts

损失估计不应当局限于灾害本身，应当将灾害发生后恢复影响花费的时间考虑在内。以携程几年前的服务中断为例，灾害本身造成的数据丢失等并非损失的全部，甚至并非主要部分，灾害发生直到恢复原状，企业所遭受的损失都应当计算在内

• Single Loss Expectancy(SLE) : 单次损失估计，当一个特定的弱点被利用一次时，对单项资产产生的影响。
  SLE = Asset Value * Exposure Factor
• Annualized Loss Expectancy(ALE): 年化损失估计
  ALE = SLE * ARO

Qualitative Concepts

• Uncertainty analysis Assigning confidence level values to data elements
• Delphi method Data collection method that happens in an anonymous fashion

Other Key Items

• Cost/benefit analysis Calculating the value of a control (ALE before implementing a control) - (ALE after implementing a control) - (annual cost of control) = value of control
• Functionality versus effectiveness of control Functionality is what a control does, and its effectiveness is how well the control does it.
• Total risk Full risk amount before a control is put into place. Threats * vulnerabilities * assets = total risk
• Residual Risk Risk that remains after implementing a control. Threats * vulnerabilities * assets * (control gap) = residual risk
• Handling risk Accept, transfer, mitigate, avoid
  • Accept 明白并接受风险可能造成的后果，采取这一决策必须明白其后果，并知道发生这些风险时应当怎样进行灾难恢复
  • Transfer 转移风险，例如花钱购买保险，当风险发生时，就可以从保险公司获得补偿。
  • Mitigate 降低风险，例如为员工电脑安装杀毒软件和防火墙，降低被入侵的风险
  • Avoid 避免风险，通过一些方案杜绝某些危险。例如采用HTTPS代替HTTP，就避免了用户传输的敏感信息被监听的风险