Identify Probabilities

Step 7 in the recommended risk assessment process is "Identify probabilities". This page expands on that step.

Each possible way a threat could materialize should be considered. Some organizations prefer to estimate the probability of occurrence over a fixed time period, such as a year. Others prefer to assign a general likelihood category, as shown below.

Base the likelihood of occurrence on the judgement of experts, historical evidence, and statistical analysis. Estimated likelihood ranges are included below, but they are not absolute and may vary depending on your organization's definitions.

  1. Frequent - Incidents are likely to be repeated - 50-100%
  2. Probable - Incidents are likely but will be isolated rather than repeated - 30-49%
  3. Occasional - Possible but not likely - 10-29%
  4. Remote - Not likely - 3-9%
  5. Improbable - Almost impossible - 0-2%

From a budgeting standpoint, it is easier to estimate the likelihood of an occurrence per year. If you use the categorical likelihoods listed above (frequent, probable, and so on), you will probably still assign each category a percentage range per year, as shown above. The number of occurrences per year, or the chance of an occurrence per year, may be based on one or more of the following:

  • Previous occurrences - The number of events of that type in your organization last year, adjusted for organizational changes, improvements to controls, and new vulnerabilities that have recently materialized.
  • Expert opinion based on:
    • Threat capacity - How many people may attempt to exploit a vulnerability in a given time, and how likely they are to succeed.
    • Threat source motivation - How strongly the source of the threat is motivated.
    • Nature of the vulnerability.
    • Current preventative controls and their effectiveness.
    • Your perceived vulnerability in that threat area, multiplied by the number of such events observed worldwide.

Don't forget to list the probability of data compromise alongside the possible impact of the compromise. Consider the confidentiality, integrity, and availability needs of the data when doing so.

Example of threats and probabilities

Threat | Likelihood (per object) | Objects threat is against | Expected occurrences per year | Risk-reducing controls
------ | ----------------------- | ------------------------- | ----------------------------- | ----------------------
Workstation hard drive failure | 10% per year | 400 workstations | 40 per year | Backups
Server hard drive failure | 10% per year | 10 servers | 1 per year | RAID drives and backups
Virus incidents | 15% per year | 400 workstations | 60 per year | User education, block dangerous email attachments
Server hack | 7% per year | 10 servers | 0.7 per year | Faster updates, additional monitoring, intrusion detection/prevention software, stronger auditing, incident response
Theft of laptop | 5% per year | 30 laptops | 1.5 per year | Encrypt data on laptops
Loss of data confidentiality through wireless sniffing | 1% per year | 1 network | 0.01 per year | Limit wireless use to approved technologies through strong policies

The expected occurrences column is the per-object likelihood multiplied by the number of objects; it is an expected count, not the probability that at least one incident happens.

Note: Estimates in the table do not necessarily reflect real world probabilities.

Once the estimates are complete, state a degree of confidence for each estimated occurrence probability. Then perform a sensitivity analysis on the occurrence probabilities to determine how changes in the assumptions or input data affect the results. This shows how much an inaccurate incident estimate would change the conclusions, and the budget based on them.
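The calculations behind the threat table and the sensitivity analysis described above, as an added example that is not part of the original page. The threat names, likelihoods and object counts are constructed to mirror the page's illustrative table; the low/high likelihood bounds used for the sensitivity analysis are assumptions. The example also separates the expected annual count (the budgeting figure) from the probability that at least one incident occurs, which the page's table does not distinguish.

```python
"""Expected annual occurrences and sensitivity analysis for a threat table.

Added example (not part of the original page). The threat names, likelihoods
and object counts are constructed to mirror the page's illustrative table; the
low/high likelihood bounds used for the sensitivity analysis are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float  # nominal annual probability that one object is hit
    objects: int       # number of objects the threat is against
    low: float         # assumed lower bound on likelihood (for sensitivity)
    high: float        # assumed upper bound on likelihood (for sensitivity)


# Constructed sample data mirroring the page's table; bounds are assumptions.
THREATS: List[Threat] = [
    Threat("Workstation hard drive failure", 0.10, 400, 0.05, 0.15),
    Threat("Server hard drive failure", 0.10, 10, 0.05, 0.15),
    Threat("Virus incidents", 0.15, 400, 0.10, 0.25),
    Threat("Server hack", 0.07, 10, 0.02, 0.15),
    Threat("Theft of laptop", 0.05, 30, 0.02, 0.10),
    Threat("Loss of data confidentiality through wireless sniffing",
           0.01, 1, 0.005, 0.05),
]


def expected_per_year(likelihood: float, objects: int) -> float:
    """Expected number of incidents per year: per-object probability x count.
    This is the figure to budget against (0.07 x 10 servers = 0.7 hacks/yr)."""
    return likelihood * objects


def prob_at_least_one(likelihood: float, objects: int) -> float:
    """Probability that at least one object is hit in a year, assuming the
    objects are independent. Not the same as the expected count: 10 servers
    at 7% each give 0.7 expected hacks but only about a 52% chance of any."""
    return 1.0 - (1.0 - likelihood) ** objects


def sensitivity(threat: Threat) -> Dict[str, float]:
    """Expected occurrences under the low / nominal / high likelihood
    assumptions, plus the spread: how far an estimation error in the
    likelihood can move the budgeted count for this threat."""
    low = expected_per_year(threat.low, threat.objects)
    nominal = expected_per_year(threat.likelihood, threat.objects)
    high = expected_per_year(threat.high, threat.objects)
    return {"low": low, "nominal": nominal, "high": high, "spread": high - low}


def annual_summary(threats: List[Threat] = THREATS) -> Dict[str, Dict[str, float]]:
    """Per-threat expected count, P(at least one) and sensitivity figures."""
    summary: Dict[str, Dict[str, float]] = {}
    for t in threats:
        row = sensitivity(t)
        row["p_any"] = prob_at_least_one(t.likelihood, t.objects)
        summary[t.name] = row
    return summary


def most_sensitive(threats: List[Threat] = THREATS) -> List[str]:
    """Threat names ordered by spread, largest first: the estimates whose
    inaccuracy would change the annual totals the most, and therefore the
    ones that deserve the most effort on confidence and data quality."""
    return [t.name for t in sorted(threats,
                                   key=lambda t: sensitivity(t)["spread"],
                                   reverse=True)]


if __name__ == "__main__":
    for name, row in annual_summary().items():
        print(f"{name[:40]:40s} expected {row['nominal']:6.2f}/yr  "
              f"P(>=1) {row['p_any']:5.1%}  "
              f"range {row['low']:.2f}-{row['high']:.2f}/yr")
    print("Most sensitive estimates:", ", ".join(most_sensitive()[:3]))
```

Run it as a script to print one line per threat. The spread column is the sensitivity result: the virus and workstation rows dominate because a small error in a per-object likelihood is multiplied by 400 objects, so those are the estimates whose degree of confidence matters most to the budget.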