How to Calculate Security Risk

Measuring Risk

Risk is defined as: risk = likelihood x impact. This formula is not abstract; it makes intuitive sense. So follow along with me as we calculate risk.

Intuitive Risk Formula

impact x probability = risk

Let’s run through some scenarios. Remember each scenario is going to have a different risk rating.

What is the Probability?

1. What is the risk that my business information will be compromised (lost, stolen or unintentionally destroyed)?

Now let’s assign values based on high being 10 and low being zero.

The likelihood is based on your current environment: do you have a loose or a very tightly organized workflow, what type of controls or mitigating factors are in place to prevent bad things from happening, and so on. I am going to set our probability to high, or 9.

2. What are the consequences of losing data? Ask questions like:

Is my business highly regulated or not regulated?

Are we handling other people’s information?

Can this impact our business from a legal perspective?

Can we lose money?

And so on…

So let’s use this chart. The impact would be low if you don’t have any data that contains sensitive information and there are no consequences if your information were lost, stolen or destroyed. But what if you had some confidential information whose loss could have consequences?

There would be some consequences to our business, so my rating would be approximately 8.5.

Calculate Risk

Now we need to combine these numbers to develop our risk score. Let’s plug in the numbers. First we defined our probability as a 7 and our impact was 6.5, so we multiply those together, and the product is our risk score.

impact x probability = risk

9 x 8.5 = 76.5

We multiply the numbers together and calculate a risk score of 76.5; placing that on the scale gives us a risk rating of Medium Low to Medium. We use a one-hundred-point scale because our highest possible score would be an impact of 10 out of 10 times a probability of 10 out of 10, which is of course 100. Conversely, the least impact would be zero and the least probability would be zero, which multiplied together equals zero.
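The scoring above, worked through as a small risk register (an added example, not part of the original post). It validates that each rating stays on the page's 0 to 10 scale, ranks several scenarios by their impact x probability score, and shows the residual score after a control lowers likelihood; the register entries other than the page's own 9 x 8.5 scenario are constructed, and the rating bands from the chart are not reproduced.

```python
from dataclasses import dataclass

SCALE_MAX = 10  # the page's scale: high is 10, low is 0


@dataclass(frozen=True)
class Scenario:
    name: str
    probability: float  # likelihood, 0..10
    impact: float       # consequence if it happens, 0..10


def _check(value: float, label: str) -> float:
    """Reject ratings outside the 0..10 scale so scores stay within 0..100."""
    if not 0 <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be between 0 and {SCALE_MAX}, got {value}")
    return value


def risk_score(probability: float, impact: float) -> float:
    """impact x probability = risk, on the resulting 0..100 scale."""
    return _check(probability, "probability") * _check(impact, "impact")


def rank_register(scenarios) -> list:
    """Return (name, score) pairs with the highest-risk scenario first."""
    scored = [(s.name, risk_score(s.probability, s.impact)) for s in scenarios]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def residual_score(scenario: Scenario, probability_reduction: float) -> float:
    """Score after a mitigating control lowers likelihood; impact is unchanged."""
    reduced = max(0.0, scenario.probability - probability_reduction)
    return risk_score(reduced, scenario.impact)


# Constructed register: the first entry uses the page's own ratings (9 and 8.5),
# the others are hypothetical scenarios added to show ranking.
REGISTER = [
    Scenario("business information compromised", 9, 8.5),
    Scenario("hypothetical: unencrypted laptop stolen", 4, 6),
    Scenario("hypothetical: public marketing material leaked", 7, 1),
]

if __name__ == "__main__":
    for name, score in rank_register(REGISTER):
        print(f"{score:5.1f}  {name}")
    print("residual after control:", residual_score(REGISTER[0], 3))
```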


John Hill

Well set out, but x on scale are incorrect.

Jeffrey Jones

Sorry about that. Tables are fixed.

This is a very well drawn out example; however, please correct your scale scores to reflect 7 & 6.5, as they differ from the numbers used in your example. Your scale uses 9 for probability and 8.5 for impact.

But again, this is a very well written out example.

Jeffrey Jones

Thank you for pointing that out. We have fixed it.