Qualitative risk

Since most risks cannot always be calculated accurately, but some way of categorising risks is useful, we need a pragmatic solution:

Potential value of loss MediumDCB
 Low  Medium  High 
Tackle the A's first
Then the B's
Don't worry too much about the E's


CCTA's Risk Analysis and Management Methodology (CRAMM)

Identify and value

Identify threats (hazards) to groups of assets Identify vulnerabilities of groups of assets Assess level of risk from asset values and levels of threats and vulnerabilities

