RISK ANALISYS

Risk has been an element for the study of probability until the middle of the last century, when it was introduced in the more general theory of company organization (Organizational Theory). In fact, between the end of the eighteenth century and the beginning of the twentieth century the pioneers of bureaucratic, administrative, scientific, and humanistic management had never considered or cared about the analysis of risk components in corporate organizations. It was only during 1950s with the introduction of the principles of indeterminacy and contingency of chaos theory and the complex systems of organizational theory, after the end and through the experience of the Second World War, that risk analysis began to be taken into consideration.

Risk analysis identifies a set of techniques which use scientific data and statistical calculations to produce reliable estimates about the possibility of specific dangers in certain scenarios. It allows to quantitatively and qualitatively describe the probability and potential impact of some risks (risk evaluation), take decisions and propose alternatives/options for their control (risk management), and communicate to all subjects concerned the risk evaluation results and the actions to take (risk communication).

Therefore, risk analysis is a process based on three key components: risk management, risk evaluation, and risk communication. Risk is the element which guides project choices for products or services.

A more correct word with which to call risk analysis technique and evaluation is risk assessment. This is performed through the following steps:

1. Identification of the system to examine
2. Risk identification
3. Risk estimation
4. Risk evaluation
5. Possible actions to reduce risks
6. Attainment of tolerable risk, preparation of necessary information for users regarding residual risks, and if necessary preparation of adequate risk reduction measures.

Risk assessment is the determination of the qualitative and quantitative value for the risks correlated to particular situations or specific menaces. it can be applied in different contexts, such as computer safety, risk evaluation for health and safety at work, or risk evaluation for the payment methods in the bank sector.

Risk Assessment helps define the following elements:

• What and who should be protected, through the analysis of critical processes, the identification of assets, and the analysis of feared menaces.

• To what extent things and persons should be protected, through the estimation of impacts and the implementation of adequate countermeasures, in relation to the effective needs and the real risk levels detected.

By applying systematically the correct methodology, a series of advantages will be obtained indicated by the items below:

• Repeatability of analysis and results;

• Greater efficiency in analysis implementation;

• Greater completeness and cover of menaces;

• More independence of corporate functions.

The methodology for a correct management of information security should follow the steps indicated below:

• Risk analysis;

• Identifying security measures and preparing a plan for their implementation;

• Creating awareness and spreading security culture;

• Verifying security measures and adjusting them accordingly;

• Reporting, monitoring, and auditing.

In conclusion, a correct risk analysis is applied everywhere with the following goals: knowledge of risks, evaluation and intervention in critical areas, creation of safe systems which provide rapid solutions after entrusting experts with the evaluation of the risk, development of maintenance programs, use of risk as comparative parameter for the evaluation of alternative systems.