What are the key factors involved in assessing the importance of a risk?

The key factors involved in accessing the important of a risk are-

  • Identifying a Risk6
    It is necessary to get information about the “threat agent involved, the attack that will be used, the vulnerability involved, and the impact of a successful exploit on the business.” 6
  • Factors for Estimating Likelihood6
    It is then necessary to determine the likelihood of the occurrence of the risk – “a rough measure of how likely this particular vulnerability is to be uncovered and exploited by an attacker” 6

There can be a number of factors that determine the likelihood-

  • Threat agent factors
    • Skill level
    • Motive
    • Opportunity
    • Size
  • Vulnerability factors
    • Ease of exploit
    • Awareness
    • Intrusion detection
  • Factors for Estimating Impact
    It is necessary to determine the impact of the risk. The factors which help determine this are-
    • Technical impact
      • Loss of Confidentiality
      • Loss of Integrity
      • Loss of Availability
    • Business Impact
      • Financial damage
      • Reputation damage
      • Non-compliance repercussions
      • Privacy violation

Determining Severity of the Risk
In this step the “likelihood estimate and the impact estimate are put together to calculate an overall severity for this risk.” It helps give a number on a scale from 0 to 9 and determine a severity metric.