Friday, October 17, 2014

Risk Assessment

Risk assessment is the process of evaluating the risk associated with each vulnerability. It assigns a risk rating (or score) to each vulnerability.
The rating is calculated from the likelihood that the vulnerability is exploited, the impact of the vulnerability, the existing controls that protect the asset, and the uncertainty in those estimates.
Likelihood: a numerical value, on a defined scale, for the probability that a specific vulnerability will be exploited. Likelihood ratings range from 0.1 to 1 (NIST Special Publication 800-30), where 0.1 is low and 1 is very high. Likelihood values are assigned from experience and by reviewing existing internal and external sources.
Assessing potential loss (score/impact): a weighted score is assigned based on the information gathered during the risk identification process. Assets whose compromise stops business execution are scored 100, assets with very low or low criticality are scored 1, and all medium-impact assets are scored 50 (NIST SP 800-30).
Percentage of risk mitigated by current controls: calculated from the controls already employed against the threats and vulnerabilities.
Uncertainty: reflects how incompletely the likelihood of an attack against an asset, or the impact of a successful attack on the organization's business process, is actually known. The percentage is estimated from experience and review.
Risk determination is based on a formula combining likelihood, score, existing controls and uncertainty:
Risk Determination = (Score × Likelihood) − (percentage mitigated by current controls, applied to the score) + (uncertainty percentage, applied to the score)
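As an added worked example (not part of the original post), the formula above implemented so that a small asset inventory can be scored and ranked. It assumes, as the cited Whitman and Mattord text does, that the control and uncertainty percentages are applied to the product (Score × Likelihood); the asset inventory is constructed for illustration.

```python
"""Risk determination: (Score * Likelihood) - controls% + uncertainty%.

Assumption (not stated explicitly on the page): the control and uncertainty
percentages are applied to the product Score * Likelihood, which is how the
cited textbook applies them. The asset inventory below is constructed.
"""
from dataclasses import dataclass

IMPACT_SCORES = {"low": 1, "medium": 50, "high": 100}  # impact bands from the page


@dataclass(frozen=True)
class Asset:
    name: str
    impact: str              # "low", "medium" or "high"
    likelihood: float        # 0.1 (low) .. 1.0 (very high), per the NIST SP 800-30 scale
    controls_pct: float      # share of risk already mitigated by current controls, 0..1
    uncertainty_pct: float   # assessor's uncertainty in the estimate, 0..1


def risk_determination(score, likelihood, controls_pct, uncertainty_pct):
    """Return the risk value; rejects inputs outside the scales the page defines."""
    if not 0.1 <= likelihood <= 1.0:
        raise ValueError("likelihood must be between 0.1 and 1.0")
    if not (0.0 <= controls_pct <= 1.0 and 0.0 <= uncertainty_pct <= 1.0):
        raise ValueError("percentages must be fractions between 0 and 1")
    base = score * likelihood
    # Controls reduce the exposure; uncertainty is added back as a safety margin.
    return base - base * controls_pct + base * uncertainty_pct


def rank_assets(assets):
    """Return [(name, risk)] sorted highest risk first, for remediation priority."""
    rated = [
        (a.name, risk_determination(IMPACT_SCORES[a.impact], a.likelihood,
                                    a.controls_pct, a.uncertainty_pct))
        for a in assets
    ]
    return sorted(rated, key=lambda item: item[1], reverse=True)


# Constructed sample inventory (hypothetical asset names)
SAMPLE_ASSETS = [
    Asset("payment-db", "high", 0.5, 0.5, 0.2),       # 50 - 25 + 10 = 35
    Asset("intranet-wiki", "medium", 1.0, 0.0, 0.1),  # 50 - 0 + 5 = 55
    Asset("test-vm", "low", 0.1, 0.0, 0.0),           # 0.1 - 0 + 0 = 0.1
]

if __name__ == "__main__":
    for name, risk in rank_assets(SAMPLE_ASSETS):
        print(f"{name:15s} risk = {risk:.1f}")
```

Note that a well-controlled high-impact asset can rank below a poorly controlled medium-impact one, which is exactly the prioritisation signal the control percentage is meant to provide.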


Reference: Management of Information Security by Whitman and Mattord
