Risk assessment is a major process that contributes a lot to the success of a software system or application. The less is the risk associated with the software system or application the more successful and error free it is.
“Risk assessment is actually a part of a bigger process called the risk management procedure. It can be either quantitative or qualitative determination of the risk that is associated with some recognized hazard or thread or concrete situation”.
However, in this article we are going to have a specific talk about the quantitative risk assessment. This type of risk assessment typically involves making calculations regarding the following two components of the risk:
1. Magnitude of the potential loss denoted by L
2. Probability that the loss will occur denoted by p.
Many types of sophisticated risk assessments are involved with the engineering of the complex software systems and applications. Such sophisticated risk assessments are carried out with help of engineering types such as:
1. Reliability engineering and
2. Safety engineering
The above mentioned two engineering are used whenever it is thought that the risk is related to environment, threats to life or machine functioning. There are various areas where the risk assessments are carried out on a continuous basis such as:
3. Food industries
8. Military and so on.
Different industries make use of different methods for risk assessments pertaining to their environmental, public health risk assessment, ecological, general final decisions and so on.
– Now coming to our discussion about the quantitative risk assessments, they involve making calculations on the SLE or single loss expectancy of a particular asset.
– Single loss expectancy (SLE) is nothing but the loss of value to an asset based up on one single security incident. – The step after this involves the calculation of the ARO or annualized rate of occurrence or ARO regarding the threat posed to the asset.
– The annualized rate of occurrence is just an estimate based up on the data indicating the probability of to what extent the vulnerability of the software can be exploited.
– This data is again used for determining the ALE or annualized loss expectancy.
– This is actually the calculation of the annual rate of occurrence multiplied by the single loss expectancy.
Sometimes it also includes estimation by an organization regarding the loss from an asset from the following things:
2. Threats and
– All this makes easy to justify the implementation of the counter measures for protecting the assets of whole of the expenditures and that too from a financial perspective.
– There are two things of software testing which are quite prone to error and they are:
1. Requirements and
2. Design specifications
– This is commonly observed in the software projects that particularly involve a number of stake holders who have different perceptions regarding the software system or application.
– An iterative approach is offered by the evolutionary software processes for requirements engineering in order to alleviate the problems concerning aspects such as:
3. Ambiguity and so on.
Despite its many advantages the quantitative risk assessment has faced much criticism.
– Several critics including Brian Wynne and Barry Commoner have expressed their concern regarding the quantitative risk management saying that it is actually overly reductive as well as quantitative.
– They also argued on qualitative differences among risks not being considered in the quantitative risk management.
– Some other charges have been put up on the quantitative risk management such as inaccessible information or important non – quantifiable information might be dropped out by the assessments.
– Further, it was claimed by O’Brien quantitative approaches take away the attention from preventative or precautionary measures.
– Risk managers are considered more like blind users of statistical methods and tools.