Determine Risk Level
Step 9 in the recommended risk assessment process is "Determine risk level". This page expands on that step.
This step allows you to determine the risk level. Some organizations may want to determine an actual loss probability per year in dollars, and others may want to quantify risk relative to other risks to determine where to set priorities. Therefore some organizations will set a dollar amount for the impact of each risk involved. Other organizations may set a relative number from 0 to 100 to quantify the impact, where 100 is the most severe.
NIST quantifies likelihood at values of 1.0 for high, 0.5 for medium, and 0.1 for low, and also quantifies impact at 100 for high, 50 for medium, and 10 for low. This works well for finding relative risk values that show which risks should have the highest priority for mitigation, but it makes it difficult to determine the financial return of adding controls. Quantifying the financial return directly is also difficult, since the amount of damage from an incident can vary widely.
Basically, the quantified risk level is likelihood times impact, which may yield an average dollar loss per year. This is a very handy way to calculate the risk level, since it helps determine how much it would be worth spending, either per year or on a one-time basis, to reduce or eliminate the risk.
The risk may be quantified into categories where each category depicts a specific amount of risk by the amount of damage.
Probability of occurrence may fall into these categories:
- Frequent - Incidents are likely to be repeated - 50-100%
- Probable - Incidents are likely to be isolated - 30-49%
- Occasional - Possible but not likely - 10-29%
- Remote - Not likely - 3-9%
- Improbable - Almost impossible - 0-2%
Overall Risk Level
This is where the probability per year is multiplied by the amount of damage to determine the risk on an annual basis. Damage levels times probability are shown below. For dollar value estimates I will set the limit of catastrophic damage at 1 million dollars.
| Category | Frequent 50-100% | Probable 30-49% | Occasional 10-29% | Remote 3-9% | Improbable 0-2% |
|---|---|---|---|---|---|
| Catastrophic $100000-$1M | H $50000-$500000 | H $30000-$490000 | H $10000-$290000 | M $3000-$90000 | M $0-$20000 |
| Critical $30000-$100000 | H $15000-$100000 | H $9000-$49000 | M $3000-$29000 | M $900-$9000 | L $0-$2000 |
| Marginal $10000-$30000 | M $5000-$30000 | M $3000-$14500 | M $1000-$9000 | L $300-$900 | L $0-$600 |
| Negligible $1000-$10000 | M $500-$10000 | L $300-$4900 | L $100-$2900 | L $30-$900 | L $0-$200 |

H = High, M = Moderate, L = Low
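The matrix above is built by multiplying each end of a damage range by each end of a probability band. The following Python is an added example, not part of the original page, that reproduces that construction: it classifies a threat's per-incident damage and annual probability into the page's categories and bands, derives the annual loss range for that cell, and attaches the High/Moderate/Low rating the page assigns. The ratings are encoded as data because they are the assessment team's judgement, not a formula; the treatment of range boundaries and of the gaps between bands (e.g. 49% to 50%) is an assumption, since the page does not say. Where the page's table rounds a cell (for example Marginal/Probable), the computed value differs slightly.

```python
from typing import Dict, Tuple

# Damage categories and probability bands from the page's matrix, ordered
# highest first. Ranges are (low, high): dollars per incident, probability as a
# fraction per year.
DAMAGE_CATEGORIES: Dict[str, Tuple[float, float]] = {
    "Catastrophic": (100_000, 1_000_000),
    "Critical":     (30_000, 100_000),
    "Marginal":     (10_000, 30_000),
    "Negligible":   (1_000, 10_000),
}
PROBABILITY_BANDS: Dict[str, Tuple[float, float]] = {
    "Frequent":   (0.50, 1.00),
    "Probable":   (0.30, 0.49),
    "Occasional": (0.10, 0.29),
    "Remote":     (0.03, 0.09),
    "Improbable": (0.00, 0.02),
}
# H/M/L rating of each cell as given on the page. This is the assessment
# team's judgement and is stored as a lookup rather than derived.
RATING: Dict[str, Dict[str, str]] = {
    "Catastrophic": {"Frequent": "H", "Probable": "H", "Occasional": "H", "Remote": "M", "Improbable": "M"},
    "Critical":     {"Frequent": "H", "Probable": "H", "Occasional": "M", "Remote": "M", "Improbable": "L"},
    "Marginal":     {"Frequent": "M", "Probable": "M", "Occasional": "M", "Remote": "L", "Improbable": "L"},
    "Negligible":   {"Frequent": "M", "Probable": "L", "Occasional": "L", "Remote": "L", "Improbable": "L"},
}


def damage_category(damage: float) -> str:
    """Map a per-incident damage estimate (dollars) to a category.
    Assumption: a value on a boundary goes to the higher category, and anything
    above $1M is still Catastrophic (the page caps catastrophic at $1M)."""
    for name, (low, _high) in DAMAGE_CATEGORIES.items():
        if damage >= low:
            return name
    raise ValueError(f"damage {damage} is below the Negligible floor of $1000")


def probability_band(p: float) -> str:
    """Map an annual probability (0..1) to a band.
    Assumption: a value in a gap between bands (e.g. 0.495) goes to the band below."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability {p} must be between 0 and 1")
    for name, (low, _high) in PROBABILITY_BANDS.items():
        if p >= low:
            return name
    return "Improbable"


def annual_loss_range(category: str, band: str) -> Tuple[float, float]:
    """Annual loss = probability x damage, applied to both ends of the ranges."""
    d_low, d_high = DAMAGE_CATEGORIES[category]
    p_low, p_high = PROBABILITY_BANDS[band]
    return (round(p_low * d_low, 2), round(p_high * d_high, 2))


def assess(damage: float, probability: float) -> Dict[str, object]:
    """Place one threat in the matrix and report its cell, loss range and rating."""
    category = damage_category(damage)
    band = probability_band(probability)
    low, high = annual_loss_range(category, band)
    return {
        "category": category,
        "band": band,
        "annual_loss_range": (low, high),
        "point_estimate": round(damage * probability, 2),
        "rating": RATING[category][band],
    }


def build_matrix() -> Dict[str, Dict[str, Tuple[str, float, float]]]:
    """Regenerate every cell as (rating, low annual loss, high annual loss)."""
    return {
        cat: {band: (RATING[cat][band], *annual_loss_range(cat, band)) for band in PROBABILITY_BANDS}
        for cat in DAMAGE_CATEGORIES
    }


if __name__ == "__main__":
    for cat, cells in build_matrix().items():
        print(cat, {b: f"{r} ${lo:.0f}-${hi:.0f}" for b, (r, lo, hi) in cells.items()})
    print(assess(250_000, 0.35))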
The short term and long term risk should both be considered including whether the risk increases or decreases over time.
This example adds an extra column on the right quantifying the estimated damage per year. These values do not reflect actual probable loss and in no way indicate that one security control or vulnerability is more important than another.
| Threat | Likelihood | Objects threat is against | Total probability | Control reduction | Damage | Est. annual loss |
|---|---|---|---|---|---|---|
| Workstation hard drive failure | 10% per year | 400 workstations | 40 per year | Backups | $100 for drive + $200 productivity loss | $12000 |
| Server hard drive failure | 10% per year | 10 servers | 1 per year | RAID drives and backups | $300 for drive + $200 to restore operation | $500 |
| Virus incidents | 15% per year | 400 | 60 per year | User education, block dangerous email attachments | $100 to fix, $100 loss of productivity and 50% chance of loss of data valued at $500 | $27000 |
| Server hack | 7% per year | 10 servers | 70% | Faster updates, additional monitoring, intrusion detection/prevention SW, stronger auditing, incident response | $500 to fix + 50% chance of loss of data valued at $5000 | $2100 |
| Theft of laptop | 5% per year | 30 | 1.5 per year | Encrypt data on laptops | $2000 loss of equipment + 50% chance of loss of data valued at $1000 | $3750 |
| Loss of data confidentiality through wireless sniffing | 1% per year | 1 network | 1% | Limit wireless use to approved technologies through strong policies | 30% chance of loss of data valued at $1000 | $3 |
The risks should be ranked using criteria set up by the risk assessment team, so that the highest risks can be addressed first. In this case the risks are ranked by estimated annual loss.
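The estimated annual loss column is (likelihood x number of objects) x expected damage per incident, where "50% chance of loss of data valued at $500" contributes 0.5 x 500 to the expected damage. The Python below is an added example, not code from the original page, that encodes the table rows as data, computes each row's annual loss the way the page does, ranks the rows, and adds the NIST-style relative score from the likelihood and impact values quoted earlier. The `justified_annual_spend` helper is an assumption for illustration: the page lists controls but gives no reduction factors, so the fraction a control removes is supplied by the caller.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Threat:
    name: str
    likelihood: float                      # probability per object per year
    objects: int                           # number of objects the threat is against
    fixed_damage: float                    # dollars lost in every incident
    # (chance, value) pairs for losses that occur in only some incidents,
    # e.g. (0.5, 500) = 50% chance of losing data valued at $500
    contingent: List[Tuple[float, float]] = field(default_factory=list)
    control: str = ""                      # control that reduces the risk (descriptive only)

    def incidents_per_year(self) -> float:
        """'Total probability' column: likelihood x objects."""
        return self.likelihood * self.objects

    def expected_damage(self) -> float:
        """Fixed cost plus the expected value of each contingent loss."""
        return self.fixed_damage + sum(chance * value for chance, value in self.contingent)

    def annual_loss(self) -> float:
        """'Est. annual loss' column, rounded to cents."""
        return round(self.incidents_per_year() * self.expected_damage(), 2)


# The rows of the page's example table.
THREATS: List[Threat] = [
    Threat("Workstation hard drive failure", 0.10, 400, 100 + 200, control="Backups"),
    Threat("Server hard drive failure", 0.10, 10, 300 + 200, control="RAID drives and backups"),
    Threat("Virus incidents", 0.15, 400, 100 + 100, [(0.5, 500)],
           "User education, block dangerous email attachments"),
    Threat("Server hack", 0.07, 10, 500, [(0.5, 5000)],
           "Faster updates, monitoring, IDS/IPS, auditing, incident response"),
    Threat("Theft of laptop", 0.05, 30, 2000, [(0.5, 1000)], "Encrypt data on laptops"),
    Threat("Loss of data confidentiality through wireless sniffing", 0.01, 1, 0, [(0.3, 1000)],
           "Limit wireless use to approved technologies"),
]


def annual_loss_by_name(threats: List[Threat]) -> Dict[str, float]:
    return {t.name: t.annual_loss() for t in threats}


def rank_by_annual_loss(threats: List[Threat]) -> List[Threat]:
    """Highest estimated annual loss first, as the page ranks its table."""
    return sorted(threats, key=lambda t: t.annual_loss(), reverse=True)


def justified_annual_spend(threat: Threat, reduction: float) -> float:
    """Upper bound on yearly spend for a control that removes `reduction` (0..1)
    of a threat's annual loss. Assumption: reduction factors are not on the page."""
    if not 0.0 <= reduction <= 1.0:
        raise ValueError("reduction must be between 0 and 1")
    return round(threat.annual_loss() * reduction, 2)


# NIST relative scoring quoted on the page, for ranking without dollar figures.
NIST_LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
NIST_IMPACT = {"high": 100, "medium": 50, "low": 10}


def relative_risk(likelihood_level: str, impact_level: str) -> float:
    """Likelihood x impact on the NIST scale; the level assignments are the team's call."""
    return NIST_LIKELIHOOD[likelihood_level] * NIST_IMPACT[impact_level]


if __name__ == "__main__":
    for t in rank_by_annual_loss(THREATS):
        print(f"{t.annual_loss():>10.2f}  {t.name}  ({t.control})")
    print("relative risk, high likelihood / medium impact:", relative_risk("high", "medium"))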