RiskAssessment.adoc

By clicking on number 3, the following menu will appear:

Clicking on the link Estimation, evaluation and risk treatment will generate the main view of MONARC.

Evaluation and treatment of risks

The previous phase provided the impact criteria information; now it is necessary to evaluate threats and vulnerabilities in order to calculate risk levels.

Assessment of the probability of threats

If the threat assessment made while establishing context provided probabilities (see [Threats Assessment]), it is necessary to return to this screen to run all the threats of the model.

1. Prob.: Then, when reviewing the model’s risks, the default values may all be revised individually.

Assessment of vulnerabilities

2. The level of vulnerabilities depends directly on the existing controls. It is necessary to describe all these measures in a factual manner.

3. The qualification of the vulnerability can be set according to the existing controls.

Risk processing

4. Processing risks in MONARC, by clicking on Not treated, involves, in similar fashion to ISO/IEC 27005, making a decision so as to process. There are four ways to process the risk:

   • Accept: The risk is accepted in its current form. No additional action will be initiated.

   • Modify/reduce: Measures are put in place to reduce the risk to an acceptable level. The reduction level is then evaluated in order to calculate the residual risk.

   • Share: in the case of insurance, for example. This type of processing is specific, as it tends to reduce the risk impact and not the vulnerability. The residual risk cannot be calculated.

   • Deny: The cause of the risk is eliminated; after processing, the risk must not longer be present.

Note	It is also possible to add a recommandation to implement see Risk information sheet in user guide.

Risk treatment plan management

All risks covered by one of the four procedures described above are registered in the risk management plan, irrespective of whether they are information risks or operational risks. The calculation formula is not the same for both types of risk; therefore, it is the importance of the recommendations which establish the order of risk. Nevertheless, it is possible to reset the order of the risk processing plan before generating the final deliverable.

Deliverable: End report

The deliverable contains a complete list of all the information gathered and entered in MONARC, including that contained in the two previous deliverables. A form has to be filled in. Moreover, it is possible to add a summary of risk evaluation. When the user clicks on Save, a file in Word format is generated.