IT Examiner School - Oct 2025

Internal Use Only

Step 3 – Analyze Risk, Likelihood, and Impact

Risk Ranking & Scoring Methodology
• Likelihood (1–5): 1 – Rare / 3 – Possible / 5 – Highly Probable
• Consider: threat actor capability, exploitability, past incidents
• Impact (1–5): 1 – Minimal / 3 – Moderate / 5 – Severe breach or penalty
• Consider: Confidentiality, Integrity, Availability, legal & reputational harm
• Risk Rating: High (≥ 4), Medium (3), Low (≤ 2)
• Examiners expect a documented, repeatable scoring method
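As an added example (not part of the slide deck), the following Python implements the scoring method above as a small, repeatable routine: it validates the 1–5 likelihood and impact scores, combines them into a single 1–5 risk score, maps that score to the High / Medium / Low bands the slide gives, and records the rationale so the register can be shown to an examiner. The deck does not say how likelihood and impact are combined into the rated score; the rounded-up mean used here is an assumption and should be replaced with the institution's documented matrix. The risk register entries are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskEntry:
    """One line of a risk register: scores plus the reasoning behind them."""
    name: str
    likelihood: int   # 1 (Rare) .. 5 (Highly Probable)
    impact: int       # 1 (Minimal) .. 5 (Severe breach or penalty)
    rationale: str    # why these scores were chosen (examiners expect this)


def validate_score(value: int, label: str) -> int:
    """Reject anything outside the 1-5 scale so the method stays repeatable."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")
    return value


def combined_score(likelihood: int, impact: int) -> int:
    """Combine likelihood and impact into one 1-5 risk score.

    ASSUMPTION: the deck does not define the combining rule. This example uses
    the mean of the two scores, rounded up (conservative). Substitute your
    institution's documented likelihood/impact matrix here.
    """
    validate_score(likelihood, "likelihood")
    validate_score(impact, "impact")
    return (likelihood + impact + 1) // 2   # integer ceiling of the mean


def rate_score(score: int) -> str:
    """Map a 1-5 risk score to the bands on the slide: High >=4, Medium 3, Low <=2."""
    validate_score(score, "score")
    if score >= 4:
        return "High"
    if score == 3:
        return "Medium"
    return "Low"


def score_register(entries: list[RiskEntry]) -> list[dict]:
    """Score every entry and return them highest-risk first, rationale attached."""
    scored = []
    for e in entries:
        score = combined_score(e.likelihood, e.impact)
        scored.append({
            "name": e.name,
            "likelihood": e.likelihood,
            "impact": e.impact,
            "score": score,
            "rating": rate_score(score),
            "rationale": e.rationale,
        })
    # Sort by score descending, then by name for a stable, reviewable order.
    return sorted(scored, key=lambda r: (-r["score"], r["name"]))


# Constructed sample register (not from the deck).
SAMPLE_REGISTER = [
    RiskEntry("Unpatched internet-facing VPN appliance", 4, 5,
              "Public exploit code exists; appliance fronts core banking access"),
    RiskEntry("Stale contractor accounts", 3, 3,
              "Quarterly access reviews catch most; limited privileges"),
    RiskEntry("Outdated office printer firmware", 2, 1,
              "Isolated VLAN; no sensitive data processed"),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        print(f"{row['rating']:<6} score={row['score']}  {row['name']}")
```

Keeping the combining rule in one function, and the rationale on every entry, is what makes the method "documented and repeatable": two assessors scoring the same risk on the same inputs get the same rating, and the reason behind each score is preserved for review.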


Qualitative and Quantitative Explained

Qualitative Analysis: Focuses on subjective assessment of risk levels. Uses categories like High, Medium, Low. Easier to implement, good for quick evaluations.
Common Exercises:
• Risk Assessment Workshops
• Scenario Analysis
• Expert Judgment Evaluations

Quantitative Analysis: Focuses on numerical assessment of risk. Uses data, metrics, and financial impact estimates. Provides detailed cost-benefit analysis for decision-making.
Common Exercises:
• Single Loss Expectancy (SLE)
• Annual Loss Expectancy (ALE)
• Cost-Benefit Analysis

When to Use Each:
Qualitative: Early-stage analysis or when data is limited.
Quantitative: For in-depth analysis and budget justification.
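As an added example (not from the deck), the following Python works through the three quantitative exercises listed above using the standard definitions: SLE = asset value × exposure factor, ALE = SLE × annual rate of occurrence, and a cost-benefit check that compares the ALE reduction a control delivers against its annual cost. The asset values, exposure factors, occurrence rates and control costs are constructed sample numbers chosen to illustrate the arithmetic, not figures from any institution.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A loss scenario expressed in quantitative terms."""
    name: str
    asset_value: float      # AV: value of the asset at risk, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one event (0.0 .. 1.0)
    aro: float              # ARO: expected number of events per year


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: expected loss from a single occurrence."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year."""
    if aro < 0:
        raise ValueError("annual rate of occurrence cannot be negative")
    return sle * aro


def scenario_ale(s: Scenario) -> float:
    """Convenience wrapper: ALE for a whole scenario."""
    return annual_loss_expectancy(
        single_loss_expectancy(s.asset_value, s.exposure_factor), s.aro)


def cost_benefit(ale_before: float, ale_after: float, annual_control_cost: float) -> dict:
    """Compare the ALE reduction a control buys against what it costs per year.

    net_benefit > 0 means the control is cheaper than the expected loss it
    prevents; ROSI is the net benefit expressed as a fraction of control cost.
    """
    if annual_control_cost <= 0:
        raise ValueError("annual control cost must be positive")
    risk_reduction = ale_before - ale_after
    net_benefit = risk_reduction - annual_control_cost
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "risk_reduction": risk_reduction,
        "annual_control_cost": annual_control_cost,
        "net_benefit": net_benefit,
        "rosi": net_benefit / annual_control_cost,
        "worthwhile": net_benefit > 0,
    }


# Constructed sample: a customer database before and after a control that
# lowers how often a damaging event is expected (ARO), not how bad it is (EF).
BASELINE = Scenario("Customer database compromise",
                    asset_value=2_000_000.0, exposure_factor=0.25, aro=0.2)
WITH_CONTROL = Scenario("Customer database compromise (with MFA + monitoring)",
                        asset_value=2_000_000.0, exposure_factor=0.25, aro=0.05)


def evaluate_control(annual_control_cost: float) -> dict:
    """Run the full SLE -> ALE -> cost-benefit chain for the sample scenario."""
    return cost_benefit(scenario_ale(BASELINE), scenario_ale(WITH_CONTROL),
                        annual_control_cost)


if __name__ == "__main__":
    for cost in (40_000.0, 90_000.0):
        result = evaluate_control(cost)
        verdict = "justified" if result["worthwhile"] else "not justified"
        print(f"control cost {cost:,.0f}/yr: ALE {result['ale_before']:,.0f} -> "
              f"{result['ale_after']:,.0f}, net benefit {result['net_benefit']:,.0f} "
              f"({verdict})")
```

With these sample figures the SLE is 500,000 and the baseline ALE is 100,000 per year; the control brings the ALE down to 25,000. At 40,000 per year the control is justified (net benefit 35,000), while at 90,000 per year it costs more than the loss it prevents. This is the arithmetic behind "budget justification" in the last slide: the same numbers that rank the risk also show whether a proposed control is worth funding.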
