Begin the actual development of a plan with some form of risk analysis. At the least, identify sensitive systems and data; the estimate the value of these systems; and identify threats, such as listed below. If developers do nor assess the risks faced and the value of assets exposed, the security plan really is in a vacuum and cannot be very effective.

Many kinds of risks can be identified; these vary depending upon the situation, but typical ones include:

  • Sabotage (Trojan horse, trap door, time bomb, virus, worm);
  • Environmental(fire, flood, power outage, etc.) ; and
  • Errors (input entry mistakes, poor quality control in system development, etc.)

Many methods have been developed to quantify risk analysis data, the purpose of which is to reduce inexact opinions to a form that permits adding up exposures and determining a dollar figure. Various metrics, including so-called “fuzzy metrics,” may be used.

Formal methods include estimating the probability of loss, multiplying by the value of the exposed asset, and adding these numbers (see, for example ). In practice, this approach tends to lead to a sea of numbers that loses all real meaning (“paralysis by analysis”). The ease with which computers produce numbers has not helped this simplify problem.

Two main purposes of risk analysis are to:

  • Assure that management does not overlook significant intentional or accidental threat to the information system;
  • Assure that by cost-benefit analysis, management avoids spending more to control an exposure than the potential loss.