Determine Risk Level

Step 9 in the recommended risk assessment process is "Determine risk level". This page expands on that step.

This step determines the risk level. Some organizations want an actual expected loss per year in dollars, while others want to quantify each risk relative to the other risks in order to set priorities. Therefore some organizations will assign a dollar amount to the impact of each risk, while others will assign a relative number from 0 to 100 to quantify the impact, where 100 is the most severe.

NIST quantifies likelihood at 1.0 for high, 0.5 for medium, and 0.1 for low, and impact at 100 for high, 50 for medium, and 10 for low. This works well for finding relative risk values to decide which risks should have the highest priority for mitigation, but it makes it difficult to determine the financial return of adding controls. Quantifying the financial return in dollars can also be difficult, however, since the amount of damage from an incident can vary widely.

Basically, the quantified risk level is likelihood times impact, which can provide an average dollar loss per year. This is a very handy way to calculate the risk level, since it helps determine how much it is worth spending, either per year or on a one-time basis, to reduce or eliminate the risk.

Potential Damage

The risk may be quantified into categories, where each category represents a specific level of risk according to the amount of damage.

Category | Damage
1        | < $1,000
2        | $1,000-10,000
3        | $10,000-30,000
4        | $30,000-100,000
5        | > $100,000

Probability

Probability of occurrence may be placed in these categories:

  1. Frequent - Incidents are likely to be repeated - 50-100%
  2. Probable - Incidents are likely to be isolated - 30-49%
  3. Occasional - Possible but not likely - 10-29%
  4. Remote - Not likely - 3-9%
  5. Improbable - Almost impossible - 0-2%

Overall Risk Level

This is where the probability per year is multiplied by the amount of damage to determine the risk on an annual basis. Damage levels times probability ranges are shown below. For dollar value estimates I will estimate the limit of catastrophic damage at 1 million dollars.

Category                   | Frequent 50-100%   | Probable 30-49%    | Occasional 10-29%  | Remote 3-9%       | Improbable 0-2%
Catastrophic $100,000-$1M  | H $50,000-500,000  | H $30,000-490,000  | H $10,000-290,000  | M $3,000-90,000   | M $0-20,000
Critical $30,000-100,000   | H $15,000-100,000  | H $9,000-49,000    | M $3,000-29,000    | M $900-9,000      | L $0-2,000
Marginal $10,000-30,000    | M $5,000-30,000    | M $3,000-14,500    | M $1,000-9,000     | L $300-900        | L $0-600
Negligible $1,000-10,000   | M $500-10,000      | L $300-4,900       | L $100-2,900       | L $30-900         | L $0-200

H=High M=Moderate L=Low

The short term and long term risk should both be considered including whether the risk increases or decreases over time.

Examples

This example adds an extra column on the right of the table, quantifying the estimated damage per year. These values do not reflect actual probable loss and in no way indicate that one security control or vulnerability is more important than another.

Threat | Likelihood | Objects threat is against | Total probability | Control reduction | Damage | Est. annual loss
Workstation hard drive failure | 10% per year | 400 workstations | 40 per year | Backups | $100 for drive + $200 productivity loss | $12,000
Server hard drive failure | 10% per year | 10 servers | 1 per year | RAID drives and backups | $300 for drive + $200 to restore operation | $500
Virus incidents | 15% per year | 400 | 60 per year | User education, block dangerous email attachments | $100 to fix, $100 loss of productivity and 50% chance of loss of data valued at $500 | $27,000
Server hack | 7% per year | 10 servers | 70% | Faster updates, additional monitoring, intrusion detection/prevention software, stronger auditing, incident response | $500 to fix + 50% chance of loss of data valued at $5,000 | $2,100
Theft of laptop | 5% per year | 30 | 1.5 per year | Encrypt data on laptops | $2,000 loss of equipment + 50% chance of loss of data valued at $1,000 | $3,750
Loss of data confidentiality through wireless sniffing | 1% per year | 1 network | 1% | Limit wireless use to approved technologies through strong policies | 30% chance of loss of data valued at $1,000 | $3

The risks should be ranked using criteria set up by the risk assessment team, so that the highest risks can be addressed first. In this case the risks are ranked by estimated annual loss.
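The arithmetic behind the Examples table and the Overall Risk Level table, as an added Python example that is not part of the original page: each threat's per-object yearly likelihood is multiplied by the number of exposed objects to get incidents per year, that figure is multiplied by the expected cost per incident (certain costs plus probability times value of any data loss), and the threats are then ranked by the result. The `Threat` class, `rank_by_annual_loss` and `risk_range` are names chosen here; the numbers are the ones in the tables above.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    """One row of the example table: a per-object yearly rate, the exposed
    population, a certain cost per incident and an optional data-loss component."""
    name: str
    rate: float              # probability that one object suffers an incident in a year
    objects: int             # number of objects (workstations, servers, laptops, networks)
    fixed_cost: float        # dollars lost with certainty per incident (repair, productivity)
    loss_prob: float = 0.0   # probability that an incident also loses data
    loss_value: float = 0.0  # value of the data lost when it does

    def incidents_per_year(self) -> float:
        return self.rate * self.objects          # the "Total probability" column

    def cost_per_incident(self) -> float:
        return self.fixed_cost + self.loss_prob * self.loss_value

    def annual_loss(self) -> float:
        return self.incidents_per_year() * self.cost_per_incident()


# Values copied from the example table; the control column is omitted because
# it does not enter the arithmetic.
THREATS = [
    Threat("Workstation hard drive failure", 0.10, 400, 100 + 200),
    Threat("Server hard drive failure", 0.10, 10, 300 + 200),
    Threat("Virus incidents", 0.15, 400, 100 + 100, 0.5, 500),
    Threat("Server hack", 0.07, 10, 500, 0.5, 5000),
    Threat("Theft of laptop", 0.05, 30, 2000, 0.5, 1000),
    Threat("Wireless sniffing", 0.01, 1, 0, 0.3, 1000),
]


def rank_by_annual_loss(threats):
    """Highest estimated annual loss first, which is the ranking the page uses."""
    return sorted(threats, key=lambda t: t.annual_loss(), reverse=True)


def risk_range(damage, probability):
    """One cell of the Overall Risk Level table: a damage range in dollars times
    a probability range gives the range of expected annual loss."""
    (d_lo, d_hi), (p_lo, p_hi) = damage, probability
    return (d_lo * p_lo, d_hi * p_hi)


if __name__ == "__main__":
    for t in rank_by_annual_loss(THREATS):
        print(f"{t.name:32} {t.incidents_per_year():6.2f}/yr  ${t.annual_loss():>9,.0f}")
    # Critical damage ($30,000-100,000) at Remote probability (3-9%) -> (900, 9000)
    print(risk_range((30_000, 100_000), (0.03, 0.09)))
```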