Abstract
Executive management must have a sound basis for deciding how to control and protect business systems. The potential cost/risk of a system exposure must be quantified before an intelligent cost/benefit decision can be made. Risk analysis attempts to address this need by analyzing exposures in a systematic way. The authors describe one organization's application of risk analysis techniques to software systems.