Risk should be objectively identified.
This implies establishing timing and scope in such a way that best supports the decision situation which triggered this SRA.
We must also capture the most important risk components and successfully construct combinations which constitute the most relevant risks within scope.
Objectivity in risk identification requires complete knowledge of our system as well as existing threat sources and vulnerabilities plus unlimited creativity and a total lack of bias.
