TRA-1 Harmonized Threat and Risk Assessment Methodology
Appendix E-2 - List of Assessed Residual Risks
| Asset (Group/Subgroup) | Asset Values: C | Asset Values: A | Asset Values: I | Associated Threat (Activity/Agent Category) | T | Related Vulnerability | V | Residual Risk (AVal × T × V) | R |
|---|---|---|---|---|---|---|---|---|---|
| | | | | | | | | | |
Legend: C – Confidentiality. A – Availability. I – Integrity. T – Threat. V – Vulnerability. AVal – Asset Value. R – Risk.
1 Instructions
Using the results of the Asset Identification Phase, the Threat Assessment Phase and the Vulnerability Assessment segment of the Risk Assessment Phase, specifically the Asset Valuation Table or Statement of Sensitivity, the Threat Assessment Table and the Vulnerability Assessment Table in Appendices B-5, C-4 and D-4 respectively:
Step 1. Record all assets within the scope of the assessment in the first column with separate entries for each relevant asset value, noting those that fall near the upper or lower boundaries of the injury level.
Step 2. Record all associated threats that might compromise these assets and asset values in the fifth column and their levels in the sixth column, noting those that fall near the upper or lower boundaries of the assessed level. Where there is some question regarding the actual threat level due to conflicting evidence, include separate entries for the higher and lower values. For deliberate threats where threat agent intentions and, therefore, the likelihood of occurrence are rated Medium or Low, insert another line to reflect the higher threat level if threat agent intentions changed to High.
Step 3. Record all related vulnerabilities that expose each asset to an associated threat in the seventh column and their levels in the eighth column, noting those that fall near the upper or lower boundaries of the assessed level. Where there is some question regarding the actual vulnerability level due to conflicting evidence, include separate entries for the higher and lower values.
Step 4. Convert the assigned levels for each of the three variables (asset values, threats and vulnerabilities) to numeric scores from one to five and compute the product, entering the results in the ninth column. In cases where two or three of the factors fall at the high or low range of the assessed level, adjust the lower score up or down by one for the calculation of residual risk. Finally, the corresponding risk level from Very Low to Very High may be inserted in the tenth column.
2 Example
The example explained in Appendix E-1, a regional medical storage facility, would generate the following entry in the List of Residual Risks:
| Asset (Group/Subgroup) | Asset Values: C | Asset Values: A | Asset Values: I | Associated Threat (Activity/Agent Category) | T | Related Vulnerability | V | Residual Risk (AVal × T × V) | R |
|---|---|---|---|---|---|---|---|---|---|
| Medicine/Morphine | | H↓ | | Motorcycle Gangs/Theft | H↓ | Structural Integrity Slow Response | H | (4-1)¹ × 4 × 4 = 48 | H |
1 Both asset value and threat level have been assessed at the low end of the High range (H↓), so the lower value is reduced by one level for the calculation of residual risk. In this particular case, either the asset value or the threat level might have been adjusted because both variables have the same value.
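The Step 4 calculation applied to the row above, as an added example that is not part of TRA-1. The VL to VH mapping onto 1 to 5, the choice of the lowest flagged factor for adjustment, and clamping to the 1 to 5 range are assumptions; the page itself fixes only the one-to-five range and H = 4.

```python
import re

# Assumed five-level scale; the page fixes only the range 1-5 and H = 4.
SCORES = {"VL": 1, "L": 2, "M": 3, "H": 4, "VH": 5}
LEVEL_RE = re.compile(r"^(VL|L|M|H|VH)([↑↓]?)$")


def parse_level(text):
    """Split a table cell such as 'H↓' into (score, boundary marker)."""
    match = LEVEL_RE.match(text.strip().upper())
    if not match:
        raise ValueError(f"unrecognized level: {text!r}")
    return SCORES[match.group(1)], match.group(2)


def residual_risk(asset_value, threat, vulnerability):
    """Return (adjusted scores, product) for one row of the list."""
    parsed = [parse_level(x) for x in (asset_value, threat, vulnerability)]
    scores = [score for score, _ in parsed]
    for marker, delta in (("↓", -1), ("↑", +1)):
        # Factors assessed near this boundary of their level.
        flagged = [i for i, (_, m) in enumerate(parsed) if m == marker]
        if len(flagged) >= 2:
            # Assumption: adjust the lowest flagged score; on a tie take
            # the first (the footnote says either tied factor may be used).
            target = min(flagged, key=lambda i: scores[i])
            # Assumption: keep the adjusted score inside 1..5.
            scores[target] = min(5, max(1, scores[target] + delta))
    product = scores[0] * scores[1] * scores[2]
    return scores, product


if __name__ == "__main__":
    # Row from the Section 2 example: Medicine/Morphine.
    print(residual_risk("H↓", "H↓", "H"))
```

A single boundary marker, or one ↑ and one ↓, leaves the scores unchanged because Step 4 adjusts only when two or three factors fall at the same end of their range.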