Risk Matrix

Rows are likelihood (with the probability band each row covers); columns are impact.

Likelihood             | Insignificant | Minor    | Moderate | Major   | Catastrophic
-----------------------+---------------+----------+----------+---------+-------------
Almost Certain (>90%)  | High          | High     | Extreme  | Extreme | Extreme
Likely (50% - 90%)     | Moderate      | High     | High     | Extreme | Extreme
Moderate (10% - 50%)   | Low           | Moderate | High     | Extreme | Extreme
Unlikely (3% - 10%)    | Low           | Low      | Moderate | High    | Extreme
Rare (<3%)             | Low           | Low      | Moderate | High    | High

What does each impact level mean?

  • Insignificant
    Minor problem easily handled by normal day-to-day processes

  • Minor
    Some disruption possible, e.g. damage equal to $500K, DDoS attacks, lost sales, server damage

  • Moderate
    Significant time/resources required, e.g. damage equal to $1 million, low-level phishing, end-user malware, small environmental disaster

  • Major
    Operations severely damaged, e.g. damage equal to $10 million, ransomware, system intrusions, APTs, severe environmental disaster, loss of private data

  • Catastrophic
    Business survival is at risk, e.g. damage equal to $25 million, all sites are down, backups fail, nuclear war

Perform a Cyber Risk Analysis

Cyber risk is calculated by considering the identified security threat, its degree of vulnerability, and the likelihood of exploitation.

$$ \text{Cyber Risk} = \text{Threat} \times \text{Vulnerability} \times \text{Information Value} $$

Specify Acceptable Level of Risk

Addressing every security risk is an inefficient use of security resources and is in many cases unnecessary, so the organization should specify the level of risk it is willing to accept and concentrate effort on the risks that exceed it.
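As an added example (not part of the original page), the matrix above and the acceptable-risk threshold encoded in Python: the likelihood and impact bands, a lookup that rates one risk, and a triage of a constructed risk register that keeps only the risks rated above the acceptable level. The dollar thresholds for the impact bands (the page's example figures taken as lower bounds), the lower-bound-inclusive percentage boundaries, and the sample register are assumptions.

```python
# Row = likelihood band, column = impact band, values as on the page's matrix.
IMPACT_COLS = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
RISK_MATRIX = {
    "Almost Certain": ["High", "High", "Extreme", "Extreme", "Extreme"],
    "Likely":         ["Moderate", "High", "High", "Extreme", "Extreme"],
    "Moderate":       ["Low", "Moderate", "High", "Extreme", "Extreme"],
    "Unlikely":       ["Low", "Low", "Moderate", "High", "Extreme"],
    "Rare":           ["Low", "Low", "Moderate", "High", "High"],
}
RATING_ORDER = ["Low", "Moderate", "High", "Extreme"]  # ascending severity


def likelihood_band(probability):
    """Map a probability of exploitation (0..1) to a matrix row.
    Assumption: each band's lower bound is inclusive (exactly 90% is Likely)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if probability > 0.90:
        return "Almost Certain"
    if probability >= 0.50:
        return "Likely"
    if probability >= 0.10:
        return "Moderate"
    if probability >= 0.03:
        return "Unlikely"
    return "Rare"


def impact_band(damage_usd):
    """Map estimated damage in USD to a matrix column.
    Assumption: the page's example amounts are treated as lower bounds."""
    if damage_usd >= 25_000_000:
        return "Catastrophic"
    if damage_usd >= 10_000_000:
        return "Major"
    if damage_usd >= 1_000_000:
        return "Moderate"
    if damage_usd >= 500_000:
        return "Minor"
    return "Insignificant"


def rate_risk(probability, damage_usd):
    """Rating from the matrix cell for the given likelihood and impact."""
    row = RISK_MATRIX[likelihood_band(probability)]
    return row[IMPACT_COLS.index(impact_band(damage_usd))]


def triage(register, acceptable="Moderate"):
    """Return (name, rating) for risks rated above the acceptable level, worst first."""
    limit = RATING_ORDER.index(acceptable)
    rated = [(name, rate_risk(p, usd)) for name, p, usd in register]
    above = [r for r in rated if RATING_ORDER.index(r[1]) > limit]
    return sorted(above, key=lambda r: -RATING_ORDER.index(r[1]))


SAMPLE_REGISTER = [  # constructed sample data: (risk, probability, damage in USD)
    ("Ransomware on file servers", 0.20, 10_000_000),
    ("Phishing credential theft", 0.60, 1_000_000),
    ("Volumetric DDoS on web front end", 0.95, 500_000),
    ("Laptop theft, disk encrypted", 0.30, 50_000),
]
```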

Risk Responses

  • Mitigation
    Putting security controls in place to attenuate the possible impact and/or likelihood of a specific risk. Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.

  • Assignment
    Paying an external party to accept the financial impact of a given risk.

  • Acceptance
    Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood and performing that business function with no other action.

  • Deterrence
    The process of implementing deterrents to would-be violators of security and policy.

  • Avoidance
    Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits and not performing a certain business function because of that determination.

  • Rejection
    Denying or ignoring that a risk exists and hoping that it will never be realized. This is not a valid or prudent due-care response to risk.