Page 82 - CISSO_Prep_ Guide
accidentally, or circumstantially. Risk assessment is usually
measured using either a quantitative or qualitative methodology,
although most effective risk assessment programs will use a
combination of both methods.
Quantitative Risk Assessment
Quantitative risk assessment is based on numbers (quantity). It
attempts to place a numerical value, usually expressed in financial
terms (money), on the level of risk that the organization faces.
Remember that an organization faces many types of risk; it will
therefore have many different risk assessment calculations,
depending on the system, department, or business process being
assessed and the impact a loss would have on it.
Qualitative Risk Assessment
Qualitative risk assessment is based on non-numerical categories
or ranges of values. For example, the likelihood and impact of a
risk may each be ranked as high, moderate, or low, and the two
rankings combined into an overall risk rating.
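The following is an added worked example, not code from the guide, covering both the quantitative and the qualitative sections above. It uses the standard quantitative formulas of the CISSO/CISSP bodies of knowledge, which this page does not spell out: single loss expectancy SLE = AV x EF (asset value times exposure factor) and annualized loss expectancy ALE = SLE x ARO (annualized rate of occurrence). The three-by-three likelihood/impact matrix, the cut-offs that map its scores to high/moderate/low, the cost-benefit rule for a safeguard, and the sample risk register are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed qualitative scale: each level maps to a score, and the product
# of likelihood and impact scores (1..9) is bucketed back into a level.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Asset:
    """One row of a risk register (field names are assumptions)."""
    name: str
    asset_value: float      # AV: replacement/business value, in money
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0..1
    aro: float              # ARO: expected occurrences per year
    likelihood: str         # qualitative: low / moderate / high
    impact: str             # qualitative: low / moderate / high


def single_loss_expectancy(asset: Asset) -> float:
    """SLE = AV x EF: money lost in a single occurrence."""
    if not 0.0 <= asset.exposure_factor <= 1.0:
        raise ValueError(f"{asset.name}: exposure factor must be between 0 and 1")
    return round(asset.asset_value * asset.exposure_factor, 2)


def annualized_loss_expectancy(asset: Asset) -> float:
    """ALE = SLE x ARO: expected money lost per year."""
    if asset.aro < 0:
        raise ValueError(f"{asset.name}: ARO cannot be negative")
    return round(single_loss_expectancy(asset) * asset.aro, 2)


def qualitative_rating(asset: Asset) -> str:
    """Combine likelihood and impact rankings into one overall rating.

    Assumed matrix: score = likelihood x impact (1..9);
    6 or 9 -> high, 3 or 4 -> moderate, 1 or 2 -> low.
    """
    try:
        score = LEVELS[asset.likelihood] * LEVELS[asset.impact]
    except KeyError as exc:
        raise ValueError(f"{asset.name}: unknown level {exc}") from None
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"


def rank_register(register: list[Asset]) -> list[tuple[str, float, str]]:
    """Return (name, ALE, qualitative rating) sorted by ALE, largest first.

    Showing both results side by side is the 'combination of both methods'
    the guide recommends: money for budgeting, a rating for communication.
    """
    rows = [(a.name, annualized_loss_expectancy(a), qualitative_rating(a))
            for a in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def control_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Assumed cost-benefit rule for a safeguard: ALE reduction minus its
    yearly cost. A positive result means the control pays for itself."""
    return round(ale_before - ale_after - annual_cost, 2)


# Constructed sample register; the figures are illustrative only.
SAMPLE_REGISTER = [
    Asset("customer database", 500_000.0, 0.30, 0.5, "moderate", "high"),
    Asset("public web server", 40_000.0, 0.50, 2.0, "high", "low"),
    Asset("office laptop", 2_000.0, 1.00, 1.5, "moderate", "low"),
]


if __name__ == "__main__":
    for name, ale, rating in rank_register(SAMPLE_REGISTER):
        print(f"{name:20s} ALE={ale:>10,.2f}  rating={rating}")
    # Assumed safeguard: encrypting the database at rest lowers EF from
    # 0.30 to 0.05 and costs 10,000 per year.
    db = SAMPLE_REGISTER[0]
    protected = Asset(db.name, db.asset_value, 0.05, db.aro, db.likelihood, db.impact)
    print("control benefit:",
          control_benefit(annualized_loss_expectancy(db),
                          annualized_loss_expectancy(protected), 10_000.0))
```

Note how the two methods can disagree: the laptop has a non-trivial ALE because it is lost often, yet its qualitative rating is low, while the database dominates both views. Running the register through both lenses is what surfaces that kind of gap.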
Identifying the Entity/Asset
Risk assessment is an art and a science, but like any other project
it starts with a definition of scope (even a painter needs to know
the size of the canvas). Performing a risk assessment starts with carefully
defining the boundaries of the evaluation. Will this risk
assessment be based on a system? On a product or service? On
a geographical location? In a department? What is within the
boundaries of the evaluation - what types of users, hardware,
software, tools, processes, data, facilities, networks, or
legislation? What is outside the scope, and what dependencies

