Selection and Application of Appropriate Analytical Methods Needed to Assess the Risks Reducing the Security of the Protected System

J. Reitšpís, Martin Mašľan, Ihor Britchenko
Journal: International Political Economy: Investment & Finance eJournal (Journal Article)
Volume: 90 1
Publication date: 2021-06-25
DOI: 10.30525/2256-0742/2021-7-3-1-8 (https://doi.org/10.30525/2256-0742/2021-7-3-1-8)
Citation count: 0

Abstract

Risk assessment is one of the prerequisites for understanding the causes and possible consequences of risk. We base our risk assessment on the principles described in the European standard EN 31000 - Risk Management Process. This standard comprehensively describes the continuous activities that are necessary in managing risks and minimizing their possible adverse effects on the operation of the system under investigation. In this activity, it is necessary first to identify the existing risks, and then to analyze and evaluate the identified risks. In the analysis of existing risks, it is possible to use qualitative or quantitative analytical methods, or to combine them. We use qualitative methods, which are more subjective, in cases where we do not have a sufficient amount of input information. Quantitative methods are more accurate, but also more demanding on input information and time. The choice of a suitable analytical method is a basic prerequisite for knowing the risks and evaluating them. The values of individual risks obtained in this way are the basis for determining the measures that are necessary to minimize them, i.e., to adjust them to an acceptable level. The draft measures are always based on the value of the individual components used to calculate the risk number, as well as on the value of the asset that needs to be protected. Appropriately chosen analytical methods are one of the basic prerequisites for the consistent application of the principles of risk management, as a continuous process aimed at increasing the overall security of the system under study. In the article, the author describes the procedures used in risk assessment, as well as specific analytical methods that can be used in working with risks. The aim of identifying risk factors is to create a list of events that could cause undesirable disruption to ongoing processes. At this stage, we define all the risks that will be subsequently analyzed and evaluated.
When identifying risks, we can use methods such as SWOT, PHA (Preliminary Hazard Analysis) or CA (Checklist Analysis). Methods suitable for determining the causes and creating scenarios for the course of a risk event are ETA (Event Tree Analysis) or FTA (Fault Tree Analysis). The basic analysis of the system can be performed using the FMEA method (Failure Mode and Effect Analysis), which provides a numerical risk assessment. By comparison with the numerical value of the risk that we are willing to accept, we obtain 2 groups of risks: acceptable risks, which will be given regular attention, and unacceptable risks, which we will focus on in risk management and whose negative effect on the functioning of the system under study we will try to minimize.