This process begins with an examination of the risk sources (threats and vulnerabilities) for their positive and negative consequences.
After evaluating each of these attributes, risk can be ranked according to likelihood and impact. Information used to estimate impact and likelihood usually comes from:
• Past experience or data and records (e.g., incident reporting)
• Reliable practices, international standards or guidelines
• Market research and analysis
• Experiments and prototypes
• Economic, engineering or other models
• Specialist and expert advice
Finally, existing controls and other mitigation strategies are evaluated to determine the level and effectiveness of the risk mitigation currently in place, and to identify deficiencies and gaps that require attention. A risk response workflow is shown in exhibit 4.2.