Module 7 Summary

Your risk = threat x vulnerability

The risk equation and its key components, risk, likelihood and impact, provide the basic approach to determining and prioritizing risk of various security threats faced by an organization. The meaning of this simple equation is that risk is determined both by how vulnerable you are to each threat (and therefore how much impact it will have on you) and how likely it is that the specific threat will actually occur.

There is a standard set of definitions for describing impact in order to further standardize risk analysis. In order of increasing harm, they are:

  • Negligible
  • Minor
  • Moderate
  • Severe
  • Critical

To further standardize risk analysis, a standard set of definitions for describing likelihood, in order of increasing odds of the event occurring, is:

  • Very unlikely
  • Unlikely
  • Moderately Likely
  • Likely
  • Very likely/Imminent

A useful method for analysing risk using the descriptors above is called the Risk Matrix. This analytical tool allows users to graphically index the two risk factors into a single analysis. Plotting possible threats on the matrix shows clearly the ranking order of threats on the basis of their risk to the organization, and thereby gives managers a guide by which to prioritize risk reduction activities. Even though the process is straightforward, responsible use of the Risk Matrix requires more than simply filling in threats on a chart. Some practical guidance on developing and updating your risk matrix is required:

  • Conduct the process with a group of stakeholders who are well-informed of the security threats in the area, but who may have different perspectives and/or sources of information in order to avoid important gaps in your assessment information.
  • Conduct the process in an open and flexible way that facilitates discussion and changing of the location of the threats on the matrix as required.
  • Update the Risk Matrix periodically and as required by any indicators of significant change in the threat environment.
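The Risk Matrix described above, as an added worked example that is not part of the module: each threat is placed in a cell by its likelihood and impact descriptor, scored as likelihood x impact on the two 1..5 scales, and ranked. The threats, the scoring and the Low/Medium/High bands are this example's own assumptions, not figures from the module.

```python
# Added example: a minimal Risk Matrix built from the module's descriptors.
from typing import Dict, List, Tuple

# Ordinal scales from the module, in increasing order (mapped to 1..5).
IMPACT = {"Negligible": 1, "Minor": 2, "Moderate": 3, "Severe": 4, "Critical": 5}
LIKELIHOOD = {"Very unlikely": 1, "Unlikely": 2, "Moderately Likely": 3,
              "Likely": 4, "Very likely/Imminent": 5}

Threats = Dict[str, Tuple[str, str]]  # name -> (likelihood, impact)


def risk_score(likelihood: str, impact: str) -> int:
    """Risk = likelihood x impact on the ordinal scales (range 1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_band(score: int) -> str:
    """Assumed bands; the thresholds are this example's, not the module's."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def build_matrix(threats: Threats) -> Dict[Tuple[str, str], List[str]]:
    """The matrix itself: one cell per (likelihood, impact), listing the threats in it."""
    cells: Dict[Tuple[str, str], List[str]] = {(l, i): [] for l in LIKELIHOOD for i in IMPACT}
    for name, (likelihood, impact) in threats.items():
        cells[(likelihood, impact)].append(name)
    return cells


def rank_threats(threats: Threats) -> List[Tuple[str, int, str]]:
    """Rank threats by descending risk; at equal risk the higher-impact threat comes first."""
    rows = [(name, risk_score(l, i), risk_band(risk_score(l, i))) for name, (l, i) in threats.items()]
    rows.sort(key=lambda r: (-r[1], -IMPACT[threats[r[0]][1]], r[0]))
    return rows


# Constructed sample threats for illustration only.
SAMPLE_THREATS: Threats = {
    "Phishing of staff accounts": ("Likely", "Moderate"),
    "Ransomware on file servers": ("Moderately Likely", "Severe"),
    "Office flood": ("Very unlikely", "Critical"),
    "Lost unencrypted laptop": ("Unlikely", "Minor"),
}

if __name__ == "__main__":
    for name, score, band in rank_threats(SAMPLE_THREATS):
        print(f"{score:2d} {band:6s} {name}")
```

Note that the two Medium threats tie on score: this is the point at which the stakeholder discussion in the guidance above, rather than the arithmetic, should decide their relative placement.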

Biases, or systematic errors, that apply to the assessment of risk include: recency bias, media bias, control bias, acceptance bias, impact-likelihood blurring and confirmation bias. Biases are extremely prevalent, and can cause significant errors when analysing risk. For this reason it is important for risk managers to try to understand and overcome biases when making risk assessments.