Risk Probability and Impact

Probability is the chance that a risk will occur.

Impact is the potential effect of an event. As with an event, an impact may be positive or negative.

Assessment of Exposures

A 5x5 matrix is shown below to assess the exposure. A 3x3 (High, Medium, Low) or a 4x4 (low to very high) may also be used:

figure 1: Assessment of Threats
figure 2: Assessment of Opportunities

See next section for IT Controls

Probability can be determined using the following table:

figure 3: probability (likelihood) determination matrix

The DREAD model originated at Microsoft Corporation and is used to assess risk:

  1. Damage – how bad would an attack be?

  2. Reproducibility – how easy is it to reproduce the attack?

  3. Exploitability – how much work is it to launch the attack?

  4. Affected users – how many people will be impacted?

  5. Discoverability – how easy is it to discover the threat?
