Step 7 in the recommended risk assessment process is "Identify probabilities". This page expands on that step.
Each possible materialization of events should be considered. Some organizations will want to identify risk probabilities based on the estimated probability of occurrence over a given time period, such as a year. Other organizations will want to identify probabilities based on a general likelihood, as shown below.
Base the likelihood of occurrence on the judgement of experts, historical evidence, and statistical analysis. Estimated likelihood ranges are included, but they are not absolute and may vary depending on your organization's definitions.
- Frequent - Incidents are likely to be repeated - 50-100%
- Probable - Incidents are likely to be isolated - 30-49%
- Occasional - Possible but not likely - 10-29%
- Remote - Not likely - 3-9%
- Improbable - Almost impossible - 0-2%
From a budgeting standpoint, it is easier to budget by estimating the likelihood of an occurrence per year. If you base the likelihood of occurrence on the categories listed above (frequent, probable, etc.), then you will probably assign a percentage range of likelihood per year to each category, as shown above. Occurrences per year, or the chance of occurrence per year, may be based on one or more of the following:
- Previous occurrences - Consider the number of events of that type last year in your organization, adjusted for organizational changes, improvements, or new vulnerabilities that have recently materialized.
- Expert opinion based on:
  - Threat capacity - How many people may attempt to exploit a vulnerability in a given time, and what the likelihood of their success is.
  - Threat source motivation - The amount of motivation the source of the threat may have.
  - Nature of the vulnerability.
  - Current preventative controls and their effectiveness.
- Your perceived vulnerability in that threat area times the number of events worldwide.
Don't forget to list the probability of data compromise and the possible impact of the compromise. This should be done considering the confidentiality, integrity, and availability needs of the data.
Example of threats and probabilities

| Threat | Likelihood | Objects threat is against | Total probability | Controls that reduce the risk |
|---|---|---|---|---|
| Workstation hard drive failure | 10% per year | 400 workstations | 40 per year | Backups |
| Server hard drive failure | 10% per year | 10 servers | 1 per year | RAID drives and backups |
| Virus incidents | 15% per year | 400 workstations | 60 per year | User education, block dangerous email attachments |
| Server hack | 7% per year | 10 servers | 70% | Faster updates, additional monitoring, intrusion detection/prevention software, stronger auditing, incident response |
| Theft of laptop | 5% per year | 30 laptops | 1.5 per year | Encrypt data on laptops |
| Loss of data confidentiality through wireless sniffing | 1% per year | 1 network | 1% | Limit wireless use to approved technologies through strong policies |

Note: Estimates in the table do not necessarily reflect real-world probabilities.
Once the estimate is complete, degrees of confidence should be provided for the estimated risk occurrence probabilities. Perform a sensitivity analysis on the occurrence probability results to determine the effects of changes in assumptions or data. This will help determine the effects of inaccuracies in the incident occurrence estimates.
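The following is an added example (not part of the original page) that works the example table and the sensitivity analysis step above in code: it maps an annual per-object likelihood to the qualitative bands, computes the expected number of incidents per year (the "Total probability" column), and re-runs the estimate with the per-object probability scaled up and down. It also computes the probability that at least one object is affected in the year, treating objects as independent; that figure is lower than the straight sum of per-object probabilities once the sum gets large, which is a caveat worth keeping in mind when reading a "total probability" expressed as a percentage. The scaling factors and the dataclass field names are assumptions of this example.

```python
from dataclasses import dataclass, replace

# Qualitative likelihood bands from the page, as (name, lower bound in %).
# Checked from the highest band down, so a value that falls between two
# bands (e.g. 2.5%) lands in the band below it.
LIKELIHOOD_BANDS = [("Frequent", 50), ("Probable", 30), ("Occasional", 10),
                    ("Remote", 3), ("Improbable", 0)]

def likelihood_band(annual_pct):
    """Map an annual likelihood in percent to the page's qualitative band."""
    for name, lower in LIKELIHOOD_BANDS:
        if annual_pct >= lower:
            return name
    raise ValueError("likelihood must be >= 0")

@dataclass(frozen=True)
class Threat:
    name: str
    per_object_probability: float  # annual probability for one object, 0..1
    objects: int                   # number of objects the threat is against

def expected_events(t):
    """Expected incidents per year: per-object probability x object count
    (the 'Total probability' column of the page's table)."""
    return t.per_object_probability * t.objects

def prob_at_least_one(t):
    """Probability that at least one object is hit in the year, assuming
    objects are independent; lower than the straight sum once that is large."""
    return 1 - (1 - t.per_object_probability) ** t.objects

def sensitivity(t, factors=(0.5, 0.75, 1.25, 1.5)):
    """Re-estimate expected events with the per-object probability scaled
    by each factor (assumed factors), to see how far a mis-estimate moves it."""
    return {f: expected_events(replace(t, per_object_probability=t.per_object_probability * f))
            for f in factors}

# Rows taken from the page's example table (estimates, not real-world data).
THREATS = [
    Threat("Workstation hard drive failure", 0.10, 400),
    Threat("Server hard drive failure", 0.10, 10),
    Threat("Virus incidents", 0.15, 400),
    Threat("Server hack", 0.07, 10),
    Threat("Theft of laptop", 0.05, 30),
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name}: {likelihood_band(t.per_object_probability * 100)}, "
              f"{expected_events(t):.1f} events/yr, "
              f"P(>=1 object hit) = {prob_at_least_one(t):.0%}, "
              f"sensitivity {sensitivity(t)}")
```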