Cyber Security - Simple Risk Calculation

The document provides a 5-step process for organizations to calculate their security risk level: 1) assess financial impact, 2) reputational impact, 3) operational impact, 4) likelihood of a breach, and 5) calculate total risk. Risk is calculated by adding impact modifiers, multiplying by likelihood, and translating to a 100-point scale. The scale ranges from 0-20 as acceptable risk to 66-100 as high risk requiring immediate remediation and frequent auditing.

Uploaded by net13ops
© All Rights Reserved

Calculating Risk For Your Organization

Step 1—Financial Impact:


1. Extremely Low Impact
You have already budgeted the average cost of a breach (or more!) for your
incident response budget, or your company can stand to lose the average cost of
a breach in one fiscal year.
2. Low-Medium Impact
You will not have issues paying to cover the cost of a breach in one fiscal year.
3. Medium Impact
You can cover the cost of an average breach in one fiscal year, but you haven’t
formally budgeted for it, or it will be hard to explain/move money around.
4. Medium-High Impact
You can cover the average cost of a breach in one fiscal year, but boy, is it going
to hurt.
5. High Impact
You cannot cover the average cost of a breach in one fiscal year; you’re just
hoping the actual cost will be lower.

Step 2—Reputational Impact:


1. Extremely Low Impact
Your company is a monopoly in its space and/or does not have a direct
competitor.
2. Low-Medium Impact
Your company is unlikely to suffer a breach due to negligence, and/or you do not
have many direct competitors in your space (or your company offers something
they don’t).
3. Medium Impact
Your company may lose some business, but it is likely to recover quickly.
4. Medium-High Impact
Your company is likely to lose both customers and contracts due to a data
breach.
5. High Impact
Your company brings in most or all of its revenue via word-of-mouth,
has a limited or litigious customer base, or those customers are very likely to go
elsewhere.

Security Risk Management in a Small to Medium Business Environment


Analyze Risk For Your Organization
Step 3—Operational Impact
1. Extremely Low Impact
Your company is well-staffed with strong IT support and redundancy for all
operational tasks. If a breach occurs, you will be able to rectify it without
sacrificing resources, staffing, or a great deal of time.
2. Low-Medium Impact
Your company is well-staffed but lacks some redundancy. A security incident
would do some harm to the business operations in the short-term, but it could be
contained without long-lasting impact.
3. Medium Impact
A security incident would result in large-scale exposure of sensitive data and
would take significant time and money to recover from. Critical business
operations would be significantly disrupted.
4. Medium-High Impact
Your company has little redundancy, and an incident would do widespread harm
to critical business operations for an extended period. Your company’s yearly
budget and strategy would need to be re-evaluated.
5. High Impact
Your company has no redundancy, and an incident would result in complete loss
of control over highly sensitive data. Large losses in funding, staff, and resources
would cause critical business operations to halt.

Step 4—Likelihood
1. Very unlikely to occur. Data breaches are rare in your industry.
2. Data breaches are conceivable, but not highly likely to occur, and your company
has strong prevention measures in place. There may be one occurrence every
five years.
3. There is potential for isolated incidents to occur, and your company has some
weak points in its data security measures. There may be one occurrence every
three years.
4. Data breaches are likely to occur, and your company has only minimal prevention
measures in place.
5. Data breaches happen often in your industry. You may suffer a breach annually
or more.



Step 5—Calculate Total Risk
● First, take the impact modifiers and add them together for the total impact.
○ Financial Impact = ___
○ Reputational Impact = ___
○ Operational Impact = ___
○ Total Impact = ____

● Then, take the likelihood value and multiply it by the total impact to calculate total
risk.
○ Risk = Impact x Likelihood
○ Total Risk = ___

● Finally, to translate that number to a 100-point scale, divide your total risk by 75
(the highest total risk possible: three impacts of 5 each, multiplied by a likelihood
of 5), then multiply it by 100.
○ Total Risk / 75 = n
○ n x 100 = ___
○ Total Scaled Risk = ___ / 100

How did your company do? See where you fall on the five-level scale:
● 0-20
Your company’s risk level is likely acceptable. Most can accept this risk and
move on.
● 21-35
Your company is at low to medium risk. Controls should be put in place and
audited every few years.
● 36-50
Your company has a medium level of risk. Remediate any weak points at the next
window of opportunity. Controls should be put in place and audited annually.
● 51-65
Your company is at medium to high risk. Halt the affected activity until the risk has
been remediated, provided that halting it does not affect revenue. Controls need to be
put in place and audited quarterly.
● 66-100
Your company’s risk level is high. Halt activity until risk has been remediated.
Controls need to be put in place and audited monthly until likelihood or impact
lessens.
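The five steps above, carried through as a worked implementation. This is an added example and not code from the original document. It assumes that each step is reduced to an integer level from 1 to 5, and that the scaled score is rounded to the nearest whole number before it is placed on the five-level scale (the bands are integer ranges with gaps such as 20 to 21; because the score is always raw risk x 4/3, its fractional part is 0, 1/3 or 2/3, so no half-way rounding cases arise). The `Assessment` field names and the helper functions `bands_by_likelihood` and `least_reduction` are this example's own; the last two go beyond the document by sweeping every combination of levels and by checking which single change reaches a target band.

```python
"""Worked implementation of the five-step risk calculation described above.

Constructed example, not code from the original document. Each step's 1-5
level is supplied as an integer; the scaled score is rounded to the nearest
whole number before banding (an assumption, see the lead-in).
"""
from dataclasses import dataclass, replace
from itertools import product

# Three impact modifiers of at most 5 each, times a likelihood of at most 5:
# this is the document's divisor of 75.
MAX_RAW_RISK = 15 * 5

# Bands from the document's five-level scale (inclusive bounds, 100-point scale).
BANDS = [
    (0, 20, "acceptable"),
    (21, 35, "low-medium"),
    (36, 50, "medium"),
    (51, 65, "medium-high"),
    (66, 100, "high"),
]

FIELDS = ("financial", "reputational", "operational", "likelihood")


def check_level(name, value):
    """Every step is scored 1 to 5; reject anything else (bool is an int, so exclude it)."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


@dataclass(frozen=True)
class Assessment:
    """Levels chosen in Steps 1-4 (field names are this example's own)."""
    financial: int
    reputational: int
    operational: int
    likelihood: int

    def __post_init__(self):
        for name in FIELDS:
            check_level(name, getattr(self, name))

    @property
    def total_impact(self):
        # Step 5, first bullet: add the three impact modifiers (3..15).
        return self.financial + self.reputational + self.operational

    @property
    def raw_risk(self):
        # Step 5, second bullet: Risk = Impact x Likelihood (3..75).
        return self.total_impact * self.likelihood

    @property
    def scaled_risk(self):
        # Step 5, third bullet: Total Risk / 75 x 100.
        return self.raw_risk * 100 / MAX_RAW_RISK


def band_for(scaled):
    """Map a scaled score to the five-level scale.

    The bands have gaps (20 -> 21, 35 -> 36, ...), so round to a whole number first.
    scaled is always raw * 4/3 (fraction 0, 1/3 or 2/3), so no half-way cases occur.
    """
    score = round(scaled)
    for low, high, label in BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} outside 0-100")


def assess(a):
    """Full Step 5 result for one assessment."""
    return {"impact": a.total_impact, "raw": a.raw_risk,
            "scaled": a.scaled_risk, "band": band_for(a.scaled_risk)}


def bands_by_likelihood():
    """Sweep all 5^4 level combinations: which bands can each likelihood reach?

    Likelihood is the only multiplier, so it caps the result: at likelihood 1 the
    highest possible score is 15 * 1 * 100 / 75 = 20, always 'acceptable'.
    """
    reachable = {}
    for fin, rep, ops, lik in product(range(1, 6), repeat=4):
        reachable.setdefault(lik, set()).add(
            band_for(Assessment(fin, rep, ops, lik).scaled_risk))
    return reachable


def least_reduction(a, field, target="acceptable"):
    """Highest level `field` can keep (others unchanged) for the band to become `target`.

    Returns None when lowering that one field alone cannot reach the target, i.e.
    when an impact-only control is not enough and likelihood must come down too.
    """
    for level in range(getattr(a, field), 0, -1):
        candidate = replace(a, **{field: level})
        if band_for(candidate.scaled_risk) == target:
            return level
    return None


if __name__ == "__main__":
    # Constructed sample: medium financial, medium-high reputational and medium
    # operational impact, likelihood 3 (isolated incidents, one every three years).
    sample = Assessment(financial=3, reputational=4, operational=3, likelihood=3)
    print(assess(sample))
    print(bands_by_likelihood())
    print(least_reduction(sample, "likelihood"), least_reduction(sample, "financial"))
```

Running the sweep shows two properties of the formula worth knowing before you rely on it: a likelihood of 1 can never leave the acceptable band whatever the impacts are, and the lowest possible impact (1, 1, 1) with breaches happening annually (likelihood 5) scores exactly 20, also acceptable. For the constructed sample, no reduction of a single impact modifier reaches acceptable; only bringing likelihood down to 1 does, which is the calculation's way of saying that prevention controls move this score more than impact controls do.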
