If you haven’t read the previous articles here they are:-
Since the last post I have worked through the two lab exercises for module 1 which are these:-
Qualitative Risk Assessment Using PILAR Risk Management Tool
This lab demonstrates how to perform a Qualitative Risk Assessment using PILAR Risk Management Tool.
Quantitative Risk Assessment using PILAR Risk Management Tool
The objective of this lab is to introduce the concepts of incident response and handling. These tasks include the following:
- Qualitative risk assessment
- Quantitative risk assessment
Then I have to analyse and document the results of the lab exercises and get reading through module 2.
So, what is PILAR?
PILAR provides a set of tools for analysis and management. It specialises in Information and Communications Systems, and supports the Magerit methodology provided by the Spanish Administration:
Assets are subject to threats that, when they do happen, degrade [the value of] the asset. The cost of a happening is called impact. If we are able to estimate the frequency of threat happenings, then tools can estimate the risk to which the system is subject. Degradation and frequency are the means to estimate the vulnerability of the system.
The system manager has the option to deploy safeguards, either to reduce the frequency, or to limit the impact. Depending on the degree of effectiveness of these safeguards, the system becomes subject to a residual risk.
PILAR provides a standard library for assets, threats and safeguards. Furthermore, it is able to derive security qualifications against widely known security standards, such as
- ISO/IEC 27002:2013 – Code of practice for information security management
PILAR has been partly funded by the Centro Criptológico Nacional (Spanish National Security Agency).
Why do we need to do Risk Management?
To know the security position of a system, we need to model it, identifying and valuing its assets, and identifying and valuing the threats on those assets. So, we can estimate the risk the system is subject to.
The risk may be mitigated by means of safeguards or countermeasures deployed for protecting the system. It is unusual that safeguards reduce risk to zero; it’s rather more frequent that a residual risk remains, that the organization may accept, or try to reduce further, establishing a security plan oriented to push the risk down to acceptable levels.
Risk analysis is an activity that provides information for risk treatment activities. These activities are run once and again, so new assets are considered, new threats, new vulnerabilities, and new
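To make the model in those two quoted passages concrete, here is my own Python sketch (added for this post, not PILAR's code or anything from the course): impact from asset value and degradation, risk from impact and frequency, safeguards that cut frequency or limit impact, and the residual risk checked against an acceptable level. The asset, threat and safeguard figures and the qualitative bands are constructed for the illustration, not taken from PILAR's library.

```python
from dataclasses import dataclass

# Constructed illustration of the Magerit-style model quoted above:
#   impact = asset value x degradation, risk = impact x frequency,
#   safeguards reduce frequency or limit impact, leaving a residual risk.
# This is not PILAR's code; the numbers below are made up for the example.

@dataclass(frozen=True)
class Threat:
    name: str
    degradation: float  # fraction of the asset's value lost per occurrence (0..1)
    frequency: float    # expected occurrences per year

@dataclass(frozen=True)
class Safeguard:
    name: str
    frequency_cut: float = 0.0  # fraction by which it reduces threat frequency
    impact_cut: float = 0.0     # fraction by which it limits degradation

def impact(asset_value: float, degradation: float) -> float:
    """Cost of one occurrence of the threat, in the asset's value units."""
    return asset_value * degradation

def risk(asset_value: float, threat: Threat, safeguards=()) -> float:
    """Annualised risk; with safeguards applied this is the residual risk."""
    degradation, frequency = threat.degradation, threat.frequency
    for s in safeguards:
        frequency *= 1.0 - s.frequency_cut   # safeguard acting on frequency
        degradation *= 1.0 - s.impact_cut    # safeguard acting on impact
    return impact(asset_value, degradation) * frequency

def qualitative_level(value: float) -> str:
    """Map a numeric risk onto an ordinal band (constructed thresholds)."""
    for bound, label in ((20_000, "critical"), (5_000, "high"), (1_000, "medium")):
        if value >= bound:
            return label
    return "low"

def treatment_decision(residual: float, acceptable: float) -> str:
    """Residual risk at or under the acceptable level is accepted, else treated."""
    return "accept" if residual <= acceptable else "reduce further"

# Constructed sample: one asset, one threat, two safeguards.
ASSET_VALUE = 100_000.0
RANSOMWARE = Threat("ransomware", degradation=0.8, frequency=0.5)
SAFEGUARDS = (Safeguard("offline backups", impact_cut=0.75),
              Safeguard("mail filtering", frequency_cut=0.6))

if __name__ == "__main__":
    potential = risk(ASSET_VALUE, RANSOMWARE)
    residual = risk(ASSET_VALUE, RANSOMWARE, SAFEGUARDS)
    print(f"potential risk {potential:.0f} ({qualitative_level(potential)})")
    print(f"residual risk  {residual:.0f} ({qualitative_level(residual)})")
    print("decision:", treatment_decision(residual, acceptable=5_000))
```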
Now, while in my day-to-day job I wouldn’t be involved in this, it is very interesting learning about it, because most big organisations “SHOULD” have a Risk Assessment Plan in place (it would surprise you how many don’t), and we need the risk assessment before creating the plan.
So, lab 1 demonstrates how to perform a Qualitative Risk Assessment using the PILAR Risk Management Tool; essentially it goes through the available options you can choose and what each level is like in each option of Threats, Impact, Risk etc.
Lab 2 demonstrates how to perform a Quantitative Risk Assessment using PILAR Risk Management Tool in much the same fashion.
And now these are done, and I am reading through module 2.