In risk analysis, high consequence, low probability risks—such as catastrophic failures or attacks—require special attention. The best approach to ensure these risks are properly considered is to prioritize risks based on impact (A), focusing on the potential severity of consequences if the event occurs, regardless of its frequency.
Giving frequency or likelihood (B, D) a higher weight can lead to underestimating rare but highly damaging risks.
Mitigation cost (C) is a factor in decision-making but does not ensure identification or prioritization of high-impact risks.
GICSP emphasizes a balanced risk management process where impact or consequence is a critical criterion, especially in ICS environments where safety and critical infrastructure availability are paramount.
References: GICSP Official Study Guide, Domain: ICS Risk Management; NIST SP 800-30 Rev 1 (Risk Management Guide for Information Technology Systems); GICSP Training on Risk Assessment and Prioritization.