Page 91 - CISSO_Prep_ Guide
Gathering Information
Information used in a risk assessment can be gathered in several ways. The most common method is probably through surveys. Surveys can be cheap, easy, and inaccurate. The value of the information provided in the survey is subject to the quality of the questions asked and the motivation of the respondent to reply. A restaurant may ask for feedback, but if the patrons know that it is not likely to be heeded, they may not care what they say or take the time to answer accurately. The responses may be based more on what the respondent thinks the survey wants to hear, and the person initiating the survey may well ignore responses that do not fit into their desired model.
The risk assessment is only as good as the information it is based on, so care must be taken to ensure that accurate and complete information has been provided. As will be seen later in this book, the reason most projects fail is that the requirements were not properly documented or understood by all the team members.
Other methods of gathering data include interviews, facilitated workshops, observation, audit reports, reports of previous incidents, penetration tests, and the Delphi method.
The Delphi method is an excellent way to gather accurate data, especially in an environment where strong personalities exist and may otherwise attempt to influence the data gathering process. The Delphi method is based on anonymous input and feedback from a wide range of participants representing all areas of the organization and each level of management and user. To perform a Delphi-based risk assessment, the facilitator will send a question to all the participants that they must answer