Explain how after identifying and performing the preliminary classification of an organization’s information assets, the analysis phase examines the threats facing the organization.
Emphasize how each threat must be examined to assess its potential impact on the organization. This is referred to as a threat assessment.
Explain how to begin a threat assessment by answering a few questions:
Which threats present a danger to the organization’s assets in the given environment?
Which threats represent the most danger to the organization’s information?
How much would it cost to recover from a successful attack?
Which of these threats would require the greatest expenditure to prevent?
Emphasize how answering these questions helps establish a framework for the discussion of threat assessment. An organization's guidelines and/or policies should influence this process and may require the posing of additional questions.