6.1 Determine longlist

Based on the information presented by the Raster tool (see Analysis view), a longlist of the most serious risks must be compiled. These risks are:

• the combination of a single vulnerability and a single component, such as “power failure at the PABX”, or
• the combination of a single common cause failure vulnerability and a single cluster, such as “fire at equipment in the facilities room”.

It is up to the analysts to judge which risks are serious enough to be placed on the longlist. However, the list should include the “quick wins” reported by the Raster tool (see Failures and vulnerabilities). Quick wins are those vulnerabilities that by themselves determine the overall vulnerability level of a component. Reducing that vulnerability would immediately reduce the overall level.

Other good candidates for inclusion on the longlist are those risks that were computed as Extremely high or High, as well the risks that were computed as Ambiguous or Unknown.