Is the monetary value of the assets the only risk metric that can be entered and tracked in PTA?
In the early stages of our study we were debating with ourselves on how to represent variables such as business reputation, loss of trust etc. In order to develop a robust quantitative method, we wanted to normalize the value of assets and cost of countermeasures in a common system of units that can be processed in order to produce a non-biased risk assessment and prioritized recommendations for mitigating threats based on cost-effectiveness, importance and efficiency. Consulting with insurance experts has convinced us that anything can and should be assigned monetary values. So we have decided to ask the analyst to express values of assets and derived losses and damages in monetary values (the system calculates the weighted annual monetary value from the one time fee and the recurring portion). Since PTA is meant to be a practical tool, therefore it keeps all metrics e.g. assets importance, damage levels, countermeasures implementation and risk values in financial units. This does not
