Week 13

K1.13 Approaches and tools for the analysis of threats and vulnerabilities:

To protect digital systems effectively, organisations must analyse the threats and vulnerabilities they face. This helps them decide what to prioritise, what action to take, and how much risk is acceptable.

There are two main approaches to risk analysis and a range of tools used to support each one.

Risk Analysis Approaches

Qualitative Risk Analysis (Non-numerical Approach)

This method focuses on describing risks and ranking them based on expert judgement, opinion, and relative severity rather than numbers.

How it works:

  • Each risk is assessed using a RAG rating:

    • 🔴 Red – High risk (needs immediate action)

    • 🟠 Amber – Medium risk (monitor and plan control)

    • 🟢 Green – Low risk (no immediate action needed)

Example:

If a risk could seriously damage reputation but is unlikely, it may still be rated Amber due to the high impact.

Used when:

  • There's limited numerical data

  • Decisions need to be made quickly or visually


Quantitative Risk Analysis (Numerical Approach)

This approach uses numbers, data, and formulas to calculate the cost, likelihood, and effect of risks. It gives more precise information for financial or technical decisions.

How it works:

  • Assign values to:

    • Probability (% chance that the risk occurs in a given period, e.g. one year)

    • Impact (e.g. financial loss, time delays)

  • Calculate potential loss, downtime, or resource usage

Example:

“If a cyberattack has a 25% chance per year of causing £40,000 in damage, the annual expected loss is £10,000.” (0.25 × £40,000 = £10,000; this is the Annualised Loss Expectancy, or ALE.)

Used when:

  • There’s enough data and resources to support detailed analysis

  • Results are needed for budgeting, insurance, or audit purposes


Tools for Threat and Vulnerability Analysis

Below is a breakdown of key tools used in both qualitative and quantitative approaches.

| Tool | Type | Purpose / Use |
|---|---|---|
| 🔗 Fault Tree Analysis (FTA) | Qualitative / Visual | Diagrams showing how multiple failures can lead to one major issue |
| 📊 Impact Analysis | Qualitative | Assesses how a risk could affect different parts of the business (e.g. finance, operations) |
| ⚙️ Failure Mode Effect and Criticality Analysis (FMECA) | Quantitative | Identifies where failures could occur, how serious they’d be, and how often |
| 💰 Annualised Loss Expectancy (ALE) | Quantitative | Calculates expected yearly financial loss from a risk |
| 🛡️ CRAMM (CCTA Risk Analysis and Management Method) | Mixed | UK government-developed method for assessing assets, threats, and countermeasures |
| 🧭 SWOT Analysis | Qualitative | Identifies Strengths, Weaknesses, Opportunities, and Threats |
| 📋 Risk Register | Qualitative | A live document that lists identified risks, their RAG rating, owner, and actions |
| 🧮 Risk Matrix | Qualitative / Hybrid | Visual tool showing impact vs. probability; helps assign RAG ratings |
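The quantitative formula in the ALE example above and the Risk Register and Risk Matrix rows of the table, worked through together as an added Python example (this is not part of the course material). It keeps a small risk register in which every risk gets a qualitative RAG rating from a 5×5 likelihood/impact matrix and a quantitative ALE, then uses the ALE to compare two candidate controls on a cost/benefit basis. The risks, owners, probabilities, loss figures, control costs and the RAG thresholds are all constructed assumptions for illustration, not figures from any real organisation; the threshold choice is set so that an unlikely but severe risk lands on Amber, matching the reputation example earlier on the page.

```python
"""Risk register combining the qualitative and quantitative approaches.

Added example for this page, not the course's own material. Every risk,
probability, loss figure, control cost and RAG threshold below is a
constructed assumption for illustration, not data from a real organisation.
"""
from dataclasses import dataclass
from typing import List, Optional


def rag_rating(likelihood: int, impact: int) -> str:
    """Qualitative rating from a 5x5 risk matrix (likelihood x impact).

    Thresholds are an assumption for this example: a score of 15 or more is
    Red, 5 to 14 is Amber, 4 or below is Green. A very unlikely but severe
    risk (likelihood 1, impact 5) therefore lands on Amber.
    """
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must both be in the range 1-5")
    score = likelihood * impact
    if score >= 15:
        return "Red"
    if score >= 5:
        return "Amber"
    return "Green"


def annualised_loss_expectancy(probability_per_year: float, loss_per_event: float) -> float:
    """Quantitative rating: ALE = chance of the event in a year x loss per event."""
    if probability_per_year < 0 or loss_per_event < 0:
        raise ValueError("probability and loss must be non-negative")
    return probability_per_year * loss_per_event


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str
    likelihood: int              # 1-5, qualitative
    impact: int                  # 1-5, qualitative
    probability_per_year: float  # quantitative: chance of occurring in a year
    loss_per_event: float        # quantitative: cost in GBP if it occurs

    @property
    def rag(self) -> str:
        return rag_rating(self.likelihood, self.impact)

    @property
    def ale(self) -> float:
        return annualised_loss_expectancy(self.probability_per_year, self.loss_per_event)


@dataclass(frozen=True)
class Control:
    """A proposed countermeasure and its estimated effect on one risk."""
    name: str
    annual_cost: float
    probability_after: float            # chance per year once the control is in place
    loss_after: Optional[float] = None  # None means the loss per event is unchanged


def control_net_benefit(risk: Risk, control: Control) -> float:
    """Annual saving from a control: ALE before minus ALE after minus its cost.

    A positive result means the control pays for itself; comparing this figure
    across candidate controls is the budgeting use of ALE described above.
    """
    loss_after = risk.loss_per_event if control.loss_after is None else control.loss_after
    ale_after = annualised_loss_expectancy(control.probability_after, loss_after)
    return risk.ale - ale_after - control.annual_cost


RAG_ORDER = {"Red": 0, "Amber": 1, "Green": 2}


def build_register(risks: List[Risk]) -> List[dict]:
    """Risk register rows, ordered Red -> Amber -> Green, then by ALE (highest first)."""
    rows = [{"name": r.name, "owner": r.owner, "rag": r.rag, "ale_gbp": r.ale} for r in risks]
    return sorted(rows, key=lambda row: (RAG_ORDER[row["rag"]], -row["ale_gbp"]))


# Constructed sample data (assumptions, not real figures).
SAMPLE_RISKS = [
    Risk("Phishing leads to credential theft", "IT Security", 4, 4, 0.5, 30_000),
    Risk("Ransomware on the file server", "Infrastructure", 3, 5, 0.25, 80_000),
    Risk("Data leak damages reputation", "Communications", 1, 5, 0.05, 100_000),
    Risk("Unpatched test server", "IT Operations", 2, 2, 0.5, 2_000),
]
MFA_CONTROL = Control("Phishing-resistant MFA", annual_cost=4_000, probability_after=0.125)
SOC_CONTROL = Control("Outsourced 24x7 monitoring", annual_cost=20_000, probability_after=0.25)

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['rag']:<6} £{row['ale_gbp']:>9,.0f}  {row['name']} ({row['owner']})")
    phishing = SAMPLE_RISKS[0]
    for control in (MFA_CONTROL, SOC_CONTROL):
        print(f"{control.name}: net annual benefit £{control_net_benefit(phishing, control):,.0f}")
```

Running the script prints the register with the two Red risks first (ransomware ahead of phishing because its ALE is higher), then shows that, for the phishing risk, the MFA control saves money each year while the more expensive monitoring option does not. The ordering rule illustrates a point raised in the discussion prompts: the RAG rating and the ALE can disagree about which risk matters most, so a register that records both lets a team see where expert judgement and the numbers diverge.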
Part 1: Approaches to Analysing Threats and Vulnerabilities
In pairs, discuss the approaches available (qualitative and quantitative). You will then be assigned one or more of the tools for analysing threats and vulnerabilities; with this pairing, use the discussion points provided. At the end of the discussion you will present (verbally) your thoughts and views to the rest of the group.


Qualitative vs Quantitative Analysis
Discussion Prompts:

What are the advantages of using qualitative analysis (e.g. RAG ratings) in fast-paced business environments?
Why might some organisations prefer quantitative analysis when managing high-risk systems (e.g. financial or healthcare sectors)?
In what scenarios is it useful to combine both approaches?
How could relying only on opinion (qualitative) lead to biased risk prioritisation?
How might limited access to data make quantitative analysis harder?


Part 2: Approaches to Analysing Threats and Vulnerabilities
Discussion Points: Tools for Threat & Vulnerability Analysis

Fault Tree Analysis (FTA)
Discussion Prompts:

How does visually mapping failure chains help organisations understand risk better?
Can FTA be used for both technical systems (e.g. servers) and human behaviours (e.g. clicking phishing emails)?
What are the limitations of this tool in complex IT environments?

Impact Analysis
Discussion Prompts:

How do we measure the impact of a threat that affects reputation but not money?
Should emotional or public confidence factors be included in impact analysis?
Can impact analysis help justify spending on cyber security to senior management?

Failure Mode Effect and Criticality Analysis (FMECA)
Discussion Prompts:

Why is it important to think about the probability, consequences, and detectability of a failure?
How useful is FMECA in planning system maintenance or upgrades?
What challenges exist when applying FMECA to software or cloud-based environments?
Annualised Loss Expectancy (ALE)
Discussion Prompts:

How accurate do you think ALE is when predicting financial loss from cyber threats?
How could ALE be used when budgeting for cyber security defences?
Can ALE help organisations choose between different security technologies?
CRAMM (CCTA Risk Analysis and Management Method)
Discussion Prompts:

Why might a government-developed tool like CRAMM be more trusted in public sector environments?
Is CRAMM too complex for small organisations, or can it be simplified?
How might CRAMM differ from general commercial risk analysis tools?

SWOT Analysis
Discussion Prompts:

How can identifying opportunities and strengths help in a risk analysis session?
Should SWOT analysis be updated regularly, and by whom?
What are the dangers of overestimating strengths or ignoring weaknesses?

Risk Register
Discussion Prompts:

What are the benefits of having a “living document” that tracks risk?
Who should be responsible for updating the risk register – IT team, management, or everyone?
How can the RAG ratings in a risk register help teams plan actions?

Risk Matrix
Discussion Prompts:

How can a simple 3×3 or 5×5 risk matrix make complex risk decisions easier to understand?
What are the risks of subjectivity when assigning probability and impact levels?
How might teams disagree on the severity of risks—and how can they resolve those differences?

Extension Task:
Select two tools or approaches
and respond to:
- Where would you use each tool?
- Which is more useful in an organisation with limited staff and budget?
- Which helps best with long-term planning?
Last Updated
2025-07-14 09:43:54