For the purposes of an SVA, the definition of risk is shown in Figure 2.1. The risk that is being analyzed for the SVA is
defined as an expression of the likelihood that a defined threat will target and successfully attack a specific security
vulnerability of a particular target or combination of targets to cause a given set of consequences. The complete SVA
may evaluate one or more issues or sum the risk of the entire set of security issues.
A high-risk event, for example, is one which is represented by a high likelihood of a successful attack against a given
critical target asset. Likelihood is determined by considering several factors including the asset’s attractiveness to the adversary,
the degree of threat, and the degree of vulnerability. Criticality is determined by the asset’s importance or value, and the
potential consequences if attacked. If the likelihood of a successful attack against an important asset is high, then the risk
is considered high and appropriate countermeasures would be required for a critical asset at high risk.
For the SVA, the risk of the security event is normally estimated qualitatively. It is based on the consensus judgment of a
team of knowledgeable people as to how the likelihood and consequences of an undesired event scenario compare to
other scenarios. The assessment is based on best available information, using the experience and expertise of the team to
make sound risk management decisions. The team may use a risk matrix, which is a graphical representation of the risk
factors, as a tool for risk assessment decisions.
The API NPRA SVA Methodology has a two-step screening process to focus attention on higher risk events. The key
variables considered in the first screening are Consequences and Target Attractiveness. If either of those is not
sufficiently significant, the asset is screened out from further specific consideration. Later, the complete set of risk
variables shown in Figure 2.1 is used in the second screen to determine the need for additional specific
countermeasures.
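
The two-step screening described above, sketched as an added example that is not part of the API NPRA methodology text. The 1-5 ranking scale, the first-screen cutoff, the rule for combining factors into likelihood, the risk bands, and the sample assets are all assumptions made for illustration; the methodology itself relies on the team's consensus judgment.

```python
from dataclasses import dataclass

# Assumed qualitative scale: 1 (very low) to 5 (very high).
SCREEN_MIN = 3  # assumed cutoff for "sufficiently significant" in the first screen


@dataclass
class Asset:
    name: str
    consequences: int       # severity if the attack succeeds
    attractiveness: int     # target attractiveness to the adversary
    threat: int = 0         # degree of threat; only ranked after screen 1
    vulnerability: int = 0  # degree of vulnerability; only ranked after screen 1


def first_screen(assets):
    """Screen 1: keep assets where Consequences AND Target Attractiveness are both significant."""
    return [a for a in assets
            if a.consequences >= SCREEN_MIN and a.attractiveness >= SCREEN_MIN]


def likelihood(asset):
    """Assumed rule: the weakest of attractiveness, threat and vulnerability caps likelihood."""
    return min(asset.attractiveness, asset.threat, asset.vulnerability)


def risk_level(asset):
    """Assumed 5x5 risk matrix, banded on likelihood x consequences."""
    score = likelihood(asset) * asset.consequences
    if score >= 15:
        return "high"
    return "medium" if score >= 8 else "low"


def second_screen(assets):
    """Screen 2: rank the survivors of screen 1 using the complete set of risk variables."""
    survivors = first_screen(assets)
    survivors.sort(key=lambda a: likelihood(a) * a.consequences, reverse=True)
    return [(a.name, risk_level(a)) for a in survivors]


# Constructed sample assets (consequences, attractiveness, threat, vulnerability).
ASSETS = [
    Asset("tank farm", 4, 3, 3, 2),
    Asset("control room", 5, 4, 4, 4),
    Asset("warehouse", 2, 4),    # dropped in screen 1: low consequences
    Asset("guard shack", 4, 2),  # dropped in screen 1: low attractiveness
]

if __name__ == "__main__":
    for name, level in second_screen(ASSETS):
        print(f"{name}: {level}")
```

Assets dropped in the first screen never need threat or vulnerability rankings, which is how the screening focuses the team's effort on higher risk events.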