Defined methods are used to analyse higher priority cyber risks (for example, analysing the prevalence of types of attacks to estimate likelihood, using the results of controls assessments to estimate susceptibility)
Context and Guidance: A defined method to analyse risks and risk categories after prioritisation ensures that analysis activities are repeatable and produce consistent results. Outputs from organisational processes or continual testing such as controls assessments may help the organisation determine the susceptibility to a newly identified vulnerability.
Related Practices
• Input From: Implementing RISK-3a provides input that may be useful for implementing this practice.
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: RISK-3c, RISK-3d, RISK-3e.