Risk Analysis

From CIPedia

Definitions

European Definitions

Council of Europe

Risk analysis is the determination of the likelihood of an event (probability) and the consequences of its occurrence (impact) for the purpose of comparing possible risks and making risk management decisions. [1]

Council Directive 2008/114/EC

The consideration of relevant threat scenarios, in order to assess the vulnerability and the potential impact of disruption or destruction of critical infrastructure. [2]

ENISA

Risk Analysis is the systematic use of information to identify sources and to estimate the risk (refers to ISO/IEC Guide 73). [3]

European Project Definitions

CIPRNet project

The CIPRNet project [4] uses the following definition:

Risk analysis is the process to comprehend the nature of risk and to determine the level of risk.



National Definitions

Australia

Risk analysis is a systematic use of available information to determine how often specified events may occur and the magnitude of their likely consequences. [5]

Process to comprehend the nature of risk and to determine the level of risk. [6]

Austria

Risk analysis: the examination of relevant threat scenarios in order to assess the vulnerabilities and the possible impact of a disruption or destruction of critical infrastructures. [7]


Belgium

Risk analysis: the study of relevant threat scenarios in order to assess the vulnerability and the possible consequences of the disruption or destruction of critical infrastructure. [8]


Risk analysis: the examination of relevant threat scenarios intended to assess the vulnerabilities of critical infrastructures and the potential impacts of their shutdown or destruction. [9]


Bosnia and Herzegovina

Risk analysis is the process of understanding the nature of risk and determining the level of risk. (ISO 31010) [10]


Brazil

Risk analysis: the analysis and assessment of the vulnerabilities of the networks and systems that support the provision of services, based on a ranking of the elements needed to provide those services. [11]

Risk analysis: the identification and assessment of both the types of threat and the elements at risk within a given system or a defined geographical region. [12]


Bulgaria

Risk analysis means the consideration of the relevant scenarios for action under different threats, with the aim of assessing the vulnerability and the potential consequences of the disruption or destruction of critical infrastructure. [13]


Canada

A process to comprehend the nature of a risk and to determine its level. [14]

Process carried out to understand the nature of a risk and to determine its level. [15]


Colombia

Risk analysis: risk analysis establishes an assessment and a prioritisation of the risks and determines the impact and the probability of each risk. Depending on the information available, anything from simulation models to collaborative techniques may be used. [16]


Croatia

Risk analysis means the consideration of possible threat scenarios in order to assess the vulnerabilities and the possible impact of disruption of the operation of critical infrastructure or of its destruction. [17]


Risk analysis means the consideration of relevant threat scenarios in order to assess the weak points and the possible impact of disruption of the operation or destruction of critical infrastructure. [18]


Cyprus

"Risk analysis" means the analysis of the relevant threat scenarios in order to assess the vulnerabilities and the potential impacts of the disruption of operation or destruction of critical infrastructure. [19]

(equals EU definition)


Czech Republic

Process of understanding the nature of risk and establishing the level of risk. [20] [21]


Risk analysis: the consideration of relevant threat scenarios in order to assess the vulnerability and the possible impact of disruption or destruction of critical infrastructure. [22]


Denmark

Risk analysis: the consideration of relevant threat scenarios in order to assess the vulnerability and the potential consequences of critical infrastructure being disrupted or destroyed. [23] [24]

The risk analysis establishes what it takes for the emergency services to handle the identified risks, in two steps: scenario analysis and capacity analysis. [25]


El Salvador

Risk analysis: in its simplest form, the premise that risk is the result of relating the threat and the vulnerability of the exposed elements, in order to determine the possible effects and the social, economic and environmental consequences associated with one or more hazardous phenomena. Changes in one or more of these parameters modify the risk itself, that is, the total expected losses and consequences in a given area. [26]


Estonia

"Risk analysis" means taking relevant threat scenarios into account, with the aim of assessing the vulnerability of critical infrastructures and the possible impact of their being damaged or destroyed. [27]


Finland

Risk analysis: the activity of identifying risks and estimating the probability of a damaging event as well as the expected damages. (unofficial translation) [28]

Risk analysis means the consideration of relevant threat scenarios in order to assess the vulnerability of critical infrastructure and the possible consequences of its damage or destruction. [29]


France

Risk analysis: the examination of relevant threat scenarios intended to assess the vulnerabilities of critical infrastructures and the potential impacts of their shutdown or destruction. [30]


Germany

Risk analysis: the examination of relevant threat scenarios in order to assess the vulnerabilities and the possible impact of a disruption or destruction of critical infrastructures. [31]

Risk analysis is the systematic procedure for determining the probability of occurrence of a specific harm to a protected asset, taking into account the potential extent of that harm. [32]

Risk analysis: understood as a systematic procedure for determining the risk. [33]

Risk analysis is the complete process of assessing risks (identifying, estimating and evaluating them) and of treating them. [34]


Greece

"Risk analysis" means the analysis of the relevant threat scenarios in order to assess the vulnerabilities and the potential impacts of the disruption of operation or destruction of critical infrastructure. [35] [36]

(equals EU definition)


Hungary

Risk analysis: the examination of the relevant threat scenarios with the aim of assessing the vulnerability of critical infrastructures and the potential impact caused by their disruption or destruction. [37]


India

Risk analysis is the process of identifying security risks, determining their magnitude, and identifying areas needing safeguards. [38]


Ireland

Risk analysis means consideration of relevant threat scenarios, in order to assess the vulnerability and the potential impact of disruption or destruction of critical infrastructure. [39]


Italy

Risk analysis: the assessment of the vulnerability of an ECI (European critical infrastructure) to the various possible threats, and of the foreseeable consequences of its damage or destruction, in terms of external and intrinsic negative effects. [40] [41]


Latvia

Threat analysis is the consideration of relevant threat scenarios in order to assess the degree of vulnerability and the impact that disruption of the operation of critical infrastructure or its destruction could cause. [42]


Lithuania

Risk analysis: the examination of relevant threat scenarios in order to assess the vulnerability of a critical infrastructure object and the possible impact of the disruption of its operation or of its destruction. [43]


Luxembourg

Risk analysis: the examination of relevant threat scenarios intended to assess the vulnerabilities of critical infrastructures and the potential impacts of their shutdown or destruction. [44] [45]

Malta

Risk analysis means the consideration of relevant threat scenarios, in order to assess the vulnerability and the potential impact of disruption or destruction of critical infrastructure. [46]


Morocco

Risk analysis: the set of coordinated activities aimed at directing and steering an organisation with regard to risk, in order to improve the security of information systems, to justify the budget allocated to securing the information system, and to demonstrate the credibility of the information system on the basis of the analyses performed. [47]

Risk analysis: the systematic use of information to identify sources and to estimate the risk. [48]


Netherlands

Risk analysis is a method that takes stock of which risks exist, which of them are unacceptable, and which measures can reduce the risks. [49]

Risk analysis: the study of relevant threat scenarios in order to assess the vulnerability and the possible consequences of the disruption or destruction of critical infrastructure. [50]

Risk analysis is the process of understanding and interpreting the risk and of establishing the risks and their severity. [51]


[HEALTH sector]
Risk analysis: a process consisting of three components: risk assessment, risk management (risk handling) and risk communication. [52]


Peru

Risk analysis: a technical procedure that makes it possible to identify and characterise hazards, analyse vulnerabilities, and calculate, control, manage and communicate risks, in order to achieve sustained development through sound decision-making in disaster risk management. [53]
Risk analysis facilitates the determination of the level of risk and decision-making.

Philippines

Risk Analysis – Is the process of identifying the risks to system security and determining the likelihood of occurrence, the resulting impact, and the additional safeguards that mitigate this impact. [54]


Poland

Risk analysis means taking into account the relevant courses of action in the event of threats, in order to assess the weak points and the potential effects of the disruption or destruction of critical infrastructure. [55]


Portugal

Risk analysis: the consideration of relevant threat scenarios in order to assess the vulnerability and the potential impact of the disruption or destruction of a critical infrastructure. [56]


Romania

Risk analysis means the analysis of significant threat scenarios in order to assess the vulnerability and the potential impact of the disruption or destruction of critical infrastructure. [57]


Slovakia

Risk analysis is the consideration of relevant threat scenarios with the aim of assessing the vulnerable points and the potential impact of the disruption or destruction of critical infrastructure. [58]

Risk analysis: the process of detailed identification of risks, determination of their sources and magnitude, examination of their mutual relationships, and prediction of the extent of the negative impact on the system should a crisis situation arise. [59]


Slovenia

Risk analysis means the consideration of relevant hazard scenarios in order to assess the weak points and the possible consequences of the failure or destruction of critical infrastructure. [60]


Spain

Risk analysis: the study of possible threat hypotheses in order to assess the vulnerabilities and the possible repercussions of the disruption or destruction of critical infrastructures. [61]

Risk analysis: the study of the possible threat hypotheses needed to determine and assess the vulnerabilities existing in the various strategic sectors and the possible repercussions of the disruption or destruction of the infrastructures that support them. [62]


Sweden

Risk analysis: the consideration of relevant threat scenarios in order to assess the vulnerability and the potential consequences of operational disruption or destruction of critical infrastructure. [63]


Switzerland

Risk analysis systematically records and describes the risks in the system under consideration. [64] [65] [66]

This includes estimating the magnitude of the risks, often in the form of a classification of the scenarios considered according to their probability of occurrence (the Italian version speaks of frequency) and the extent of damage. Risk analysis addresses the question "what can happen?".

United Kingdom

Risk analysis means consideration of relevant threat scenarios, in order to assess the vulnerability and the potential impact of disruption or destruction of critical infrastructure. [67]


United States

DHS
Risk Analysis is the systematic examination of the components and characteristics of risk. [68]

NIST
The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation, arising through the operation of an information system. [69]


Uruguay

Risk analysis: a qualitative or quantitative method for assessing the impact of risk in decision-making. [70]


Standard Definition

IETF

An assessment process that systematically (a) identifies valuable system resources and threats to those resources, (b) quantifies loss exposures (i.e., loss potential) based on estimated frequencies and costs of occurrence, and (c) (optionally) recommends how to allocate available resources to countermeasures so as to minimize total exposure. [71]

ISO/IEC 27000:2014 and ISO 31000:2009

Process to comprehend the nature of risk and to determine the level of risk (based on the ISO Guide 73:2009) [72] [73]

Level of risk is expressed in terms of the combination of consequences and their likelihood.
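The standard definitions above describe a procedure rather than a single number: identify the resources and the relevant threat scenarios against them, estimate loss exposure from the frequency and cost of occurrence, express the level of risk as a combination of likelihood and consequence so that scenarios can be compared, and (optionally) allocate countermeasures so as to minimise total exposure. The Python script below is an added worked example of that procedure; it is not code from CIPedia or from any of the cited standards. The scenarios, their figures, the four controls and the 50,000 budget are constructed sample data; the ARO/SLE/ALE shorthand is the usual quantitative-risk vocabulary, not terminology taken from the standards; the band thresholds in `risk_level`, the greedy selection rule in `allocate`, and the assumption that reductions from several controls on one scenario combine multiplicatively are this example's own choices.

```python
"""Added worked example of quantitative risk analysis (not from CIPedia or any
cited standard). Scenario figures, controls and the budget are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Scenario:
    """One relevant threat scenario against one resource."""
    name: str
    asset: str
    annual_rate: float      # ARO: estimated occurrences per year (likelihood)
    loss_per_event: float   # SLE: estimated cost of one occurrence (impact)

    @property
    def exposure(self) -> float:
        """Annualised loss expectancy, ALE = ARO * SLE (the IETF 'loss exposure')."""
        return self.annual_rate * self.loss_per_event


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float                  # annualised cost of operating the control
    reduction: Dict[str, float]  # scenario name -> fraction of its exposure removed (0..1)


def risk_level(likelihood: int, consequence: int) -> str:
    """Qualitative level of risk from a 5x5 likelihood/consequence matrix.
    The band thresholds are an assumption of this example, not from a standard."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be on a 1..5 scale")
    score = likelihood * consequence
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"


def residual_exposure(scenarios: Sequence[Scenario],
                      selected: Sequence[Countermeasure]) -> float:
    """Total ALE after applying the selected controls. Reductions from several
    controls on the same scenario are assumed independent, so they multiply."""
    total = 0.0
    for s in scenarios:
        factor = 1.0
        for c in selected:
            factor *= 1.0 - c.reduction.get(s.name, 0.0)
        total += s.exposure * factor
    return total


def rank_scenarios(scenarios: Sequence[Scenario]) -> List[Tuple[str, float]]:
    """Scenarios ordered by exposure, highest first: the comparison step."""
    return sorted(((s.name, s.exposure) for s in scenarios), key=lambda t: -t[1])


def allocate(scenarios: Sequence[Scenario], controls: Sequence[Countermeasure],
             budget: float) -> Tuple[List[str], float, float]:
    """Greedy allocation of a countermeasure budget: repeatedly pick the affordable
    control with the best marginal exposure reduction per unit cost, as long as it
    removes more exposure than it costs. Returns (selected names, spend, residual)."""
    selected: List[Countermeasure] = []
    remaining = list(controls)
    spend = 0.0
    while True:
        current = residual_exposure(scenarios, selected)
        best, best_ratio = None, 1.0  # ratio <= 1: control costs at least what it saves
        for c in remaining:
            if c.cost > budget - spend:
                continue
            gain = current - residual_exposure(scenarios, selected + [c])
            ratio = gain / c.cost
            if ratio > best_ratio:
                best, best_ratio = c, ratio
        if best is None:
            break
        selected.append(best)
        remaining.remove(best)
        spend += best.cost
    return [c.name for c in selected], spend, residual_exposure(scenarios, selected)


# Constructed sample input (hypothetical organisation; all figures are illustrative).
SCENARIOS = [
    Scenario("Ransomware on file server", "file server", annual_rate=0.2, loss_per_event=500_000),
    Scenario("Phishing credential theft", "mail accounts", annual_rate=2.0, loss_per_event=20_000),
    Scenario("Insider data exfiltration", "customer database", annual_rate=0.1, loss_per_event=300_000),
    Scenario("DDoS on web portal", "web portal", annual_rate=1.0, loss_per_event=10_000),
]
CONTROLS = [
    Countermeasure("Offline, tested backups", 15_000, {"Ransomware on file server": 0.7}),
    Countermeasure("Phishing-resistant MFA", 25_000,
                   {"Phishing credential theft": 0.9, "Ransomware on file server": 0.3}),
    Countermeasure("DLP monitoring", 40_000, {"Insider data exfiltration": 0.5}),
    Countermeasure("CDN DDoS scrubbing", 8_000, {"DDoS on web portal": 0.9}),
]

if __name__ == "__main__":
    for name, ale in rank_scenarios(SCENARIOS):
        print(f"{name:28s} ALE {ale:>10,.0f}")
    chosen, spend, residual = allocate(SCENARIOS, CONTROLS, budget=50_000)
    print(f"selected {chosen}, spend {spend:,.0f}, residual ALE {residual:,.0f}")
```

Run as a script, it ranks the four scenarios by annualised exposure (180,000 in total) and then selects backups, MFA and DDoS scrubbing within the 50,000 budget, leaving a residual exposure of about 56,000; the DLP control is rejected because its annual cost exceeds the exposure it removes. The point to take from it is that the comparison step in the Council of Europe definition only works once likelihood and impact are expressed on a common scale, and that the optional allocation step in the IETF definition is an optimisation against a budget, not a list of everything that would reduce risk.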


Notes

  1. Glossaire multilingue de la gestion du risque pour usagers francophones (Multilingual risk management glossary for French-speaking users) (2007), European Centre of Technological Safety (TESEC), TESEC-EUR-OPA 2001
  2. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  3. ENISA Risk Glossary
  4. http://www.ciprnet.eu/
  5. Australian Emergency Management Glossary, Emergency Management Australia (1998)
  6. Australia AS NZS 5050 (2010)
  7. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  8. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  9. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  10. Radna verzija osoblja Komisije: Procjena rizika i mapiranje smernice za upravljanje katastrofama (Commission staff working document: Risk assessment and mapping guidelines for disaster management, Bosnian translation)
  11. Regulamento sobre gestão de risco das redes de telecomunicações e uso de serviços de telecomunicações em situações de emergência e desastres (Regulation on risk management of telecommunications networks and the use of telecommunications services in emergency and disaster situations), Brazil (2012)
  12. Glossário de Defesa Civil, Estudos de Riscos e Medicina de Desastres (Civil Defence Glossary: Risk Studies and Disaster Medicine), Ministério da Integração Nacional, Brazil
  13. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  14. Derived from ISO 31000:2009
  15. Vocabulaire de la gestion des urgences / Emergency Management Vocabulary 281 (2012)
  16. Glosario Policía Colombia (Colombian Police glossary)
  17. Zakon o kritičnim infrastrukturama (Critical Infrastructure Act), 2013, Official Gazette No 56/2013 (Croatia)
  18. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  19. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  20. Výkladový slovník kybernetické bezpečnosti (Cyber Security Explanatory Glossary) (2013)
  21. Cyber Security Explanatory Glossary (2013)
  22. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  23. Bekendtgørelse om identifikation og udpegning af europæisk kritisk infrastruktur på energiområdet og vurdering af behovet for bedre beskyttelse (EPCIP-direktivet) (Executive order on the identification and designation of European critical infrastructure in the energy sector and the assessment of the need for better protection (EPCIP Directive)), Denmark
  24. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  25. Håndbog i risikobaseret dimensionering (Handbook on risk-based dimensioning), Beredskabsstyrelsen (Danish Emergency Management Agency), Denmark (2004)
  26. Glosario de Riesgo (Risk Glossary), Ministerio de Medio Ambiente y Recursos Naturales, El Salvador
  27. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  28. Vocabulary of Comprehensive Security (TSK 47), Helsinki (2014)
  29. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  30. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  31. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  32. Methode für die Risikoanalyse im Bevölkerungsschutz (Method for risk analysis in civil protection)
  33. Glossar (Glossary), Bundesamt für Bevölkerungsschutz und Katastrophenhilfe (BBK, Federal Office of Civil Protection and Disaster Assistance)
  34. BSI Glossary
  35. Προεδρικό Διάταγμα 39/2011 (Presidential Decree 39/2011 of the Hellenic Republic adapting Greek legislation to the provisions of Council Directive 2008/114/EC)
  36. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  37. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  38. India's DGQA Cyber Security Policy (2015)
  39. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  40. Decreto Legislativo 11 aprile 2011, n. 61 (Legislative Decree No. 61 of 11 April 2011 implementing Directive 2008/114/EC on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection) (11G0101)
  41. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  42. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  43. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  44. Règlement grand-ducal du 12 mars 2012 portant application de la directive 2008/114/CE du Conseil du 8 décembre 2008 (Grand-Ducal Regulation of 12 March 2012 implementing Council Directive 2008/114/EC of 8 December 2008)
  45. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  46. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  47. Stratégie nationale en matière de cybersécurité (National Cybersecurity Strategy), Morocco (2011)
  48. Directive nationale de la sécurité des systèmes d'information (National Information Systems Security Directive), Morocco (2013)
  49. Zakboekje Preventie Cybercrime (Cybercrime Prevention Pocket Guide) (2008)
  50. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  51. Risicobeoordeling 16.0: Een kansrijk kader; Theorie achter het risicomanagementproces en leidraad voor risicobeoordeling (Risk Assessment 16.0: A promising framework; theory behind the risk management process and guidance for risk assessment), June 2015
  52. Patiëntveiligheid Definitielijst (Patient Safety Definition List) (2005)
  53. Glosario de Términos (Glossary of Terms), Centro Nacional de Estimación, Prevención y Reducción del Riesgo de Desastres (CENEPRED), Peru
  54. DND Glossary of Cyber Security Terms (v.4)
  55. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  56. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  57. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  58. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  59. Bezpečnostná rada Slovenskej republiky (Security Council of the Slovak Republic)
  60. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  61. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  62. Ley 8/2011, de 28 de abril, por la que se establecen medidas para la protección de las infraestructuras críticas (Law 8/2011 of 28 April establishing measures for the protection of critical infrastructures), http://www.cnpic.es/Biblioteca/Legislacion/Generico/Ley_8-2011_PIC.pdf
  63. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  64. Leitfaden Schutz kritischer Infrastrukturen 2015 / Glossar der Risikobegriffe (Critical Infrastructure Protection Guide 2015 / Glossary of risk terms), Bundesamt für Bevölkerungsschutz BABS (Federal Office for Civil Protection), 29.4.2013
  65. Guide pour la protection des infrastructures critiques (Guide for the protection of critical infrastructures)
  66. Glossario sui rischi (Glossary of risk terms), Ufficio federale della protezione della popolazione UFPP (Federal Office for Civil Protection), 29.4.2013
  67. Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection.
  68. DHS Risk Lexicon, 2010 Edition, September 2010
  69. NISTIR 7298 Rev. 2: Glossary of Key Information Security Terms, May 2013
  70. Glossary CERTuy
  71. IETF RFC 4949, Internet Security Glossary, Version 2
  72. ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary
  73. ISO 31000:2009, Risk management -- Principles and guidelines