Risk Matrix

| Likelihood / Impact    | Insignificant | Minor    | Moderate | Major   | Catastrophic |
|------------------------|---------------|----------|----------|---------|--------------|
| Almost Certain (>90%)  | High          | High     | Extreme  | Extreme | Extreme      |
| Likely (50% - 90%)     | Moderate      | High     | High     | Extreme | Extreme      |
| Moderate (10% - 50%)   | Low           | Moderate | High     | Extreme | Extreme      |
| Unlikely (3% - 10%)    | Low           | Low      | Moderate | High    | Extreme      |
| Rare (<3%)             | Low           | Low      | Moderate | High    | High         |

What does each impact level mean?

Insignificant: Minor problem easily handled by normal day-to-day processes.

Minor: Some disruption possible, e.g. damage equal to $500K, DDoS attacks, lost sales, server damage.

Moderate: Significant time/resources required, e.g. damage equal to $1 million, low-level phishing, end-user malware, small environmental disaster.

Major: Operations severely damaged, e.g. damage equal to $10 million, ransomware, system intrusions, APTs, severe environmental disaster, loss of privacy data.

Catastrophic: Business survival is at risk, e.g. damage equal to $25 million, all sites are down, backups fail, nuclear war.

Perform a Cyber Risk Analysis


Cyber risk is calculated by considering the identified security threat, its degree of vulnerability, and the likelihood of exploitation.

$$ \text{Cyber Risk} = \text{Threat} \times \text{Vulnerability} \times \text{Information Value} $$

Specify Acceptable Level of Risk

Addressing all security risks is an inefficient use of security resources and in many cases unnecessary.
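The matrix and impact levels above, together with the acceptable-level-of-risk decision in this section, as an added Python example that is not part of the original page: it bands constructed risk-register entries into the page's likelihood and impact categories, looks up the matrix rating, and returns only the entries that exceed the acceptable level so they receive a risk response. The exact probability boundaries, the use of the page's example dollar figures as impact thresholds, and the sample register are assumptions.

```python
# Added example (not from the original page): rate a constructed risk register with the
# page's matrix and flag the entries that exceed an agreed acceptable level of risk.
IMPACTS = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
RATINGS = ["Low", "Moderate", "High", "Extreme"]
MATRIX = {  # rows transcribed from the matrix above; columns follow IMPACTS order
    "Almost Certain": ["High", "High", "Extreme", "Extreme", "Extreme"],
    "Likely":         ["Moderate", "High", "High", "Extreme", "Extreme"],
    "Moderate":       ["Low", "Moderate", "High", "Extreme", "Extreme"],
    "Unlikely":       ["Low", "Low", "Moderate", "High", "Extreme"],
    "Rare":           ["Low", "Low", "Moderate", "High", "High"],
}

def likelihood_band(p):
    """Probability (0..1) -> likelihood band. Assumption: a value on a shared
    boundary (e.g. exactly 50%) is placed in the higher, more conservative band."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if p > 0.90:
        return "Almost Certain"
    for floor, band in ((0.50, "Likely"), (0.10, "Moderate"), (0.03, "Unlikely")):
        if p >= floor:
            return band
    return "Rare"

def impact_band(loss_usd):
    """Estimated loss (USD) -> impact level. Assumption: the page's example dollar
    figures ($500K, $1M, $10M, $25M) are used as the lower bound of each level."""
    for floor, level in ((25e6, "Catastrophic"), (10e6, "Major"),
                         (1e6, "Moderate"), (5e5, "Minor")):
        if loss_usd >= floor:
            return level
    return "Insignificant"

def rate(p, loss_usd):
    # Matrix rating for one risk: row = likelihood band, column = impact level.
    return MATRIX[likelihood_band(p)][IMPACTS.index(impact_band(loss_usd))]

def needs_treatment(register, acceptable="Moderate"):
    """Entries rated above the acceptable level, highest rating first; the rest are accepted."""
    limit = RATINGS.index(acceptable)
    rated = [(name, rate(p, loss)) for name, p, loss in register]
    above = [(name, r) for name, r in rated if RATINGS.index(r) > limit]
    return sorted(above, key=lambda entry: -RATINGS.index(entry[1]))

# Constructed sample register: (name, annual probability, estimated loss in USD).
REGISTER = [
    ("Ransomware on file servers", 0.20, 10_000_000),
    ("DDoS on public web site", 0.60, 500_000),
    ("Encrypted laptop theft", 0.30, 100_000),
    ("Datacentre flood", 0.02, 25_000_000),
]
```

With the default acceptable level of "Moderate", the ransomware entry (Extreme) is returned first, followed by the DDoS and flood entries (High); the laptop entry (Low) is left as accepted risk.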

Risk Responses

Risk Mitigation: Putting security controls in place to attenuate the possible impact and/or likelihood of a specific risk; prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended by the risk management process.

Risk Assignment (Transfer): Paying an external party to accept the financial impact of a given risk.

Risk Acceptance: Determining that the potential benefits of a business function outweigh the possible risk impact/likelihood, and performing that business function with no other action.

Risk Deterrence: Implementing deterrents to would-be violators of security and policy.

Risk Avoidance: Determining that the impact and/or likelihood of a specific risk is too great to be offset by the potential benefits, and not performing a certain business function because of that determination.

Risk Rejection: Denying or ignoring that a risk exists and hoping that it will never be realized. This is not a valid or prudent due-care response to risk.