To understand what the organisation is dealing with in terms of security risk, a high level of threat and risk assessment (qualitative and quantitative) needs to be conducted, one that brings about some degree of risk measurement for the organisation. This allows for the identification of those risks that pose immediate challenges (what is the organisation exposed to, and what is the cost of not managing it effectively), so that the organisation can make an informed decision about the treatment and management approach. The quantitative data can be systemised in a way that brings about awareness of the security risks in statistical form and establishes risk levels and the risk range (i.e. tolerance/risk appetite).
Qualitative data is another layer of human analytics (through research and projection) that enables a balanced view of the broader impact of activities occurring within the client's various risk areas, which are broken down into: