The Risk Assessment Process · The risk assessment process43 is composed of four steps: (i) prepare for the assessment; (ii) conduct the assessment; (iii) communicate assessment results;

http://pralab.diee.unica.it

The Risk Assessment Process

75


Main sources

The context: risk management frameworks and guidelines– ISO 31000:2018 Risk management – Guidelines

(not focused on information security)– ISO 27005:2018 Information security risk management– NIST SP 800-39 Managing information security risk

Specific risk assessment guidelines– NIST SP 800-30 Rev. 1 Guide for conducting risk assessments (2012)

https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final– IEC/ISO 31010:2019 Risk management – Risk assessment techniques

https://www.iso.org/standard/72140.html

76

https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final

https://www.iso.org/standard/72140.html


The context: ISO risk management framework

77

ISO 31000:2018 Risk management – Guidelines(not focused on information security)

ISO 27005:2018 Information security risk management

Risk assessment


The context: NIST risk management framework

78

Risk assessment

NIST SP 800-39 Managing information security risk

describes the environment in which

risk-based decisions are made to produce a risk management strategy



General guidelines on the risk assessment stepfrom NIST SP 800-39 Managing information security risk (ch. 3)

– Risk assessment identifies, prioritizes, and estimates risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems

– Risk assessments use the results of threat and vulnerabilityassessments to identify and evaluate risk in terms of likelihood of occurrence and potential adverse impact (i.e., magnitude of harm) to organizations, assets, and individuals

– Risk assessments can be conducted at any of the risk management tiers [organization, mission/business processes, information systems] with different objectives and utility of the information produced

79



80

Main activities1. threat and vulnerability identification,

including threat likelihood and impact2. risk determination, as a function of likelihood and impact

Threat

Vulnerability

Assetsand context

exploits

exposed by

causingImpact

Likelihood

risk level

NIST SP 800-39 Managing information security risk



Some guidelines from NIST SP 800-39 (ch. 3)– Threat Sources cause events having undesirable consequences or

adverse impacts on organizational operations and assets, individuals, other organizations, and the Nation: (i) hostile cyber/physical attacks; (ii) human errors of omission or commission; (iii) natural and man-made disasters.

– Vulnerabilities can be associated with exploitable weakness or deficiencies in the three organizational tiers: (i) the hardware, software, or firmware components that compose organizational information systems (or the security controls employed within or inherited by those systems); (ii) mission/business processes and enterprise architectures (including embedded information security architectures) implemented by organizations; (iii) organizational governance structures or processes.

(cont.)

81



(cont.)– Impacts can refer to organizational operations (i.e., mission, functions,

image, and reputation), organizational assets, individuals, other organizations, and the Nation.

– Likelihood can be determined using a variety of approaches• the likelihood that a threat event will occur and that, if it occurs, it will result in

adverse effects, can be treated as separate factors, or in combination• qualitative risk assessments is preferred under a high degree of uncertainty• either threat assumptions or actual threat data can be used (e.g., historical

data on cyber attacks or on earthquakes, specific information on adversary capabilities, intentions, and targeting); empirical data can be used, if available (e.g., types of cyber attacks, cyber attack trends, frequencies of attacks)

• likelihood can refer to (i) worst case (i.e., attack will be successful unless strong, objective reasons to presume otherwise); (ii) best case (i.e., attack will not be successful unless specific, credible information to the contrary); or (iii) something in between best and worst cases (e.g., the most probable case)

82


NIST SP 800-30 Guide for conducting risk assessments

83

Purpose: to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39• how to carry out the steps in the risk

assessment process• how risk assessments and other

organizational risk management processes complement and inform each other

• identifying specific risk factors to monitor on an ongoing basis

Contents:• summary of the risk management process• the risk assessment process• resources: glossary; information on threat

sources, event and likelihood; vulnerabilities; impact; risk determination and response


NIST SP 800-30 Guide for conducting risk assessments

• Concepts and principles similar to and consistent with ISO and IEC standards

• Flexible guidelines – no specific requirements on– formality, rigor, level of detail of the particular risk assessment– methodologies, tools, and techniques – format and content of assessment results and reporting mechanisms

• Cautionary note: risk assessments are often not precise instruments of measurement, and reflect– the limitations of the specific assessment methodologies, tools, and

techniques employed– subjectivity, quality, and trustworthiness of the data used– the interpretation of assessment results– the skills and expertise of those conducting the assessments

84


NIST SP 800-30 – Risk framing components

85

defines risk factors and their

relationships

specifies the range of values of risk factors and how to combine

them to evaluate risk (e.g., quantitative, qualitative, or semi-qualitative approach)

describes how combinations of risk factors are identified/analyzed

(e.g., threat-oriented, asset/impact-oriented, or

vulnerability-oriented approach)



Risk model: the main factors– threats (e.g. sources and events): (i) hostile cyber or physical attacks;

(ii) human errors of omission or commission; (iii) structural failures of organization-controlled resources (e.g., hardware, software, environmental controls); (iv) natural and man-made disasters, accidents, and failures beyond the control of the organization(existing taxonomies can be used to identify relevant threats)

– vulnerabilities: weaknesses in (i) information systems, system security procedures, internal controls, or implementation that could be exploited by a threat source (often related to unapplied or weak security controls); (ii) organizational governance structures (e.g., lack of effective risk management strategies and adequate risk framing, poor intra-agency communications)

Threats and vulnerabilities can be combined into threat scenarios(cont.)

86



(cont.)– predisposing conditions affect (increase or decrease) the likelihood

that threat events, once initiated, result in adverse impacts (e.g., location of a facility in a flood-prone region, information systems with complex external network connectivity)

– likelihood of occurrence is related to the probability that a given threat is capable of exploiting a given vulnerability; it depends on the likelihood of threat event occurrence and of the corresponding impact• for adversarial threats likelihood assessment depends on: (i) adversary

intent; (ii) adversary capability; (iii) adversary targeting• for other threats it is estimated based on historical evidence, empirical

data, or other factors – impact: magnitude of harm that can result from the consequences of

compromising confidentiality, integrity or availability

87



88

Example of a risk model including the previous key risk factors


NIST SP 800-30 – Assessment approaches

89

Quantitative

• Use of numbers (e.g., probability values for likelihood)

• Supports cost-benefit analyses of alternative risk responses

• Meanings and proportionality are maintained inside and outside the assessment context

• Issues: reliability, significance, effort required

Qualitative

• Non-numerical categories or levels (e.g., low, medium, high)

• Useful to supportcommunicating risk results to decision makers

• Understanding categories or levels requires clear examples

Semi-quantitative

• Use of bins(e.g., 0–15, 16–35, 36–70, 71–85, 86–100), scales (e.g., 1–10),or representative numbers whose values and meanings are not maintained in other contexts

• Expert judgment is crucial in assigning values

Risk, and its contributing factors, can be assessed in a variety of ways, depending on organizational culture and attitudes toward the concepts of uncertainty and risk communication, and on the available information


NIST SP 800-30 – Analysis approach

90

Threat-oriented

1)Identification of threat sources and events

2)Development of threat scenarios

3)Identification of vulnerabilities

Asset/impact-oriented

1)Identification of impacts or consequences of concern and critical assets

2)Identification of threat events that could lead to and/or threat sources that could seek those impacts or consequences

Vulnerability-oriented

1)Identification of predisposing conditions or exploitable weaknesses/deficiencies in organizational information systems or its environments

2)Identification of threat events that could exercise those vulnerabilities together with possible consequences

Analysis approach differ in the orientation or starting point of the risk assessment, level of detail in the assessment, and how risks due to similar threat scenarios are treated


NIST SP 800-30 – Application of risk assessments

91

supporting organizational strategies, policies, guidance,

and processes for managing risk

supporting the determination of mission/business process protection and

resiliency requirements, and the allocation of those requirements to the enterprise

architecture as part of mission/business segments

traditional risk assessments focus at the Tier 3 level, and tend to

overlook other significant risk factors

that may be more appropriately assessed at

higher levels


NIST SP 800-30 – The risk assessment process

Special Publication 800-30 Guide for Conducting Risk Assessments ________________________________________________________________________________________________

CHAPTER 3 PAGE 23

CHAPTER THREE

THE PROCESS CONDUCTING RISK ASSESSMENTS WITHIN ORGANIZATIONS

his chapter describes the process of assessing information security risk including: (i) a high-level overview of the risk assessment process; (ii) the activities necessary to prepare for risk assessments; (iii) the activities necessary to conduct effective risk assessments;

(iv) the activities necessary to communicate the assessment results and share risk-related information; and (v) the activities necessary to maintain the results of risk assessments on an ongoing basis. The risk assessment process43 is composed of four steps: (i) prepare for the assessment; (ii) conduct the assessment; (iii) communicate assessment results; and (iv) maintain the assessment.44 Each step is divided into a set of tasks. For each task, supplemental guidance provides additional information for organizations conducting risk assessments. Risk tables and exemplary assessment scales are listed in appropriate tasks and cross-referenced to additional, more detailed information in the supporting appendices. Figure 5 illustrates the basic steps in the risk assessment process and highlights the specific tasks for conducting the assessment.

FIGURE 5: RISK ASSESSMENT PROCESS

43 The intent of the process description in Chapter Three is to provide a common expression of the essential elements of an effective risk assessment. It is not intended to limit organizational flexibility in conducting those assessments. Other procedures can be implemented if organizations choose to do so, consistent with the intent of the process description. 44 The four-step risk assessment process described in this publication is consistent with the general risk assessment process described in NIST Special Publication 800-39. The additional steps and tasks result from the need to provide more detailed guidance to effectively carry out the specific activities associated with risk assessments.

T

Step 1: Prepare for Assessment

Derived from Organizational Risk Frame

Step 2: Conduct Assessment Expanded Task View

Determine Likelihood of Occurrence

Identify Threat Sources and Events

Identify Vulnerabilities and Predisposing Conditions

Determine Magnitude of Impact

Determine Risk

Step

3: C

omm

unic

ate

Res

ults

Step

4: M

aint

ain

Ass

essm

ent

92


NIST SP 800-30 – The risk assessment process

93

Comparison with ISO 27005:2018


CHAPTER 3 PAGE 23

CHAPTER THREE






T








Determine Risk

Step

3: C

omm

unic

ate

Res

ults

Step

4: M

aint

ain

Ass

essm

ent


Step 1: preparing for the risk assessment

Tasks1-1 Identify the purpose of the assessment1-2 Identify the scope1-3 Identify the assumptions and constraints associated with the assessment1-4 Identify the sources of information to be used as inputs to the assessment1-5 Identify the risk model and analytic approaches (i.e., assessment and analysis approaches) to be employed

94



TASK 1-1: Identifying the purpose– what information is it intended to produce?– what decisions is it intended to support?– how to capture and present information produced?

TASK 1-2: Identifying the scope– organizational applicability: organization tiers and parts affected – time frame supported: how long will the results be relevant? what

influences the need to update the assessment?– architectural/technological considerations: specific technologies,

mission/businness segment architecure, organizational information systems and its environment

95



TASK 1-3: Identifying assumptions and constraints– threats sources: types of sources to be considered, identification process– threat events: types of threat events to be considered, required level of

detail of their description– vulnerabilities and predisposing conditions: types of vulnerabilities and

predisposing conditions to be considered, required level of detail of their description

– likelihood determination process– impacts to organizational operations (missions, functions, image, and

reputation) and assets, individuals, other organizations– risk tolerance and uncertainty: what levels and types of risk are

acceptable? reasons for uncertainty about risk factors– analytic approach: assessment approaches (quantitative, qualitative,

semi-quantitative) and analysis approaches (threat-oriented, asset/impact-oriented, vulnerability-oriented)

96



TASK 1-4: Identifying the sources of information about threats, vulnerabilities and impacts

– threats and vulnerabilities: internal sources (e.g., risk and vulnerability assessment reports, incident reports, security logs, trouble tickets, monitoring results) and external sources (e.g., cross-community organizations like CERT, research and non-governmental organizations), etc.

– predisposing conditions: descriptions of information systems, environments of operation, shared services, common infrastructures, enterprise architecture, etc.

– impact information: mission/business impact analyses, information system component inventories, security categorizations, etc.

97



TASK 1-5: Identifying the risk model and analytic approach– risk models include, or can be translated into, the risk factors: threat,

vulnerability, impact, likelihood, and predisposing condition– assessment approach: quantitative, qualitative, semi-quantitative– analysis approach: threat-oriented, asset/impact-oriented,

vulnerability-oriented– definition, or selection of, existing assessment scales, annotated with

organizationally-meaningful examples for specific values– defining algorithms (e.g., formulas, tables, rules) for combining risk

factors

98


Step 2: conducting the risk assessment

99


CHAPTER 3 PAGE 23

CHAPTER THREE






T








Determine Risk

Step

3: C

omm

unic

ate

Res

ults

Step

4: M

aint

ain

Ass

essm

ent

Objective: to produce a list of information security risks that can be prioritized by risk level and used to inform risk response decisions– iterations among the tasks is necessary and expected– task ordering can be modified

tasks



TASK 2-1: Identify and characterize threat sources of concern– adversarial threats: capability, intent and targeting characteristics– non-adversarial threats: range of effects

An exemplary threat source taxonomy that can be used to identifyand characterize threat sources (only the first two levels are shown here)

100

ADVERSARIAL ACCIDENTAL STRUCTURAL ENVIRONMENTAL

Group

Nation-State

Individual

Organization

User

Privileged user/administrator

IT equipment

Environmentalcontrols

Software

Natural or man-madedisaster

Unusual natural event

Infrastructurefailure/outage

THREAT SOURCE



TASK 2-2: Identify threat events– potential threat events that are relevant to the organization (depends

on organizational risk tolerance)– threat sources that could initiate such events

Representative examples of adversarial and non-adversarial threat events

101

Perform reconnaissance and gather information, e.g., sniffing of exposed

networks

Craft or create attack tools, e.g., phishing attacks

Deliver/insert/install malicious capabilities, e.g., known malware to internal information systems (virus

via email)

Exploit and compromise, e.g., poorly configured or

unauthorized information systems exposed to the

Internet

Conduct an attack, e.g., Distributed Denial of Service

(DDoS)

Achieve results, e.g., obtain sensitive information via

exfiltration

Maintain a presence or set of capabilities,

e.g., obfuscate adversary actions

Coordinate a campaign, e.g., cyber attacks using external (outsider), internal (insider), and supply chain (supplier)

attack vectors



TASK 2-3: Identify and select relevant vulnerabilities and predisposing conditions that affect the likelihood that threat events of concern result in adverse impacts (including the assessment of the severity of each vulnerability)

102

INFORMATION-RELATED– Classified National Security Information– Compartments– Controlled Unclassified Information– Personally Identifiable Information– Special Access Programs– Agreement-Determined

- NOFORN- Proprietary

TECHNICAL– Architectural

- Compliance withtechnical standards

... – Functional

- Networked multiuser - Single-user...

OPERATIONAL / ENVIRONMENTAL– Mobility

...– Population with physical and/or logical access to components of the information system, mission/business process, EA segment

...

Taxonomy of predisposing conditions



TASK 2-4: Determining the likelihood that threat events of concern result in adverse impacts

depends on:– characteristics of the threat sources that could initiate the events (for

adversarial threats, including capability, intent and targeting), or that make the event occur (non-adversarial threats)

– vulnerabilities/predisposing conditions identified– organizational susceptibility reflecting the safeguards/

countermeasures planned or implemented

103



104

The overall likelihoodof a threat event

is a combination of:

Combining algorithmsdepend on:

• likelihood of event occurrence (e.g., due to human error or natural disaster) or initiation (by an adversary)

• likelihood of adverseimpacts resulting from initiation or occurrence

• organizational attitudes toward risk (overall risk tolerance, uncertainty tolerance)

• specific tolerances toward uncertainty in different risk factors

• organizational weighting of risk factors


Step 2: conducting the risk assessmentTASK 2-5: Determining the adverse impacts from threat events of concern

Factors to consider:– characteristics of the threat sources that could initiate the events– vulnerabilities/predisposing conditions identified– susceptibility reflecting the safeguards/countermeasures planned or

implemented to impede such eventsDescription of adverse impacts in terms of potential harm to:– organizational operations– assets– individuals– other organizationsMay involve identification of assets or potential targets of threat sources – information resources (e.g., information, data repositories, information

systems, applications, information technologies, communications links)– people– physical resources (e.g., buildings, power supplies)

105



TASK 2-6: Determining the risk to the organization from threat events of concern

Risk level is a function of:– impact resulting from the events– likelihood of the events occurringRisks at the same level or with similar scores can be further prioritized.Information on uncertainties should be included, e.g., arising from:– missing information– subjective determinations– assumptions made

106


Conducting the risk assessment: overview

107

Threat sources Threat events Vulnerabilities

severitycapability

impacttargeting

effects

relevance

likelihood of initiation/occurrence

likelihood of adverse impact

impactlikelihood

risk

adversarialnon-adversarial

cause exploit

risk is always a combinationof likelihood and impact


The Risk Assessment ProcessQualitative and quantitative approaches

108


Risk assessment approaches

109

Quantitative

• Use of numbers (e.g., probability values for likelihood)

• Supports cost-benefit analyses of alternative risk responses

• Meanings and proportionality are maintained inside and outside the assessment context

• Issues: reliability, significance, effort required

Qualitative

• Non-numerical categories or levels (e.g., low, medium, high)

• Useful to supportcommunicating risk results to decision makers

• Understanding categories or levels requires clear examples

Semi-quantitative

• Use of bins(e.g., 0–15, 16–35, 36–70, 71–85, 86–100), scales (e.g., 1–10),or representative numbers whose values and meanings are not maintained in other contexts

• Expert judgment is crucial in assigning values

NIST SP 800-30 guidelines identify three kinds of risk assessment approaches to evaluate each risk factor (likelihood, impact, etc.)and risk itself



According to NIST SP 800-30, the choice, adaptation or definition of a specific risk assessment approach is part of the preparation step, and is driven by different organizational considerations, e.g.:

– the quality and quantity of information available on threats, vulnerabilities and impacts

– the specific orientation carrying the highest priority for organizations– the availability of analysis tools emphasizing certain orientations

In particular, quantitative approaches are the most precise but also most demanding ones in terms of information amount and quality, effort, etc. (e.g., formal proabilistic models are required to rigorously assess likelihood in terms of probability).In the computer security field developing suitable quantitative approaches is still an open issue, and qualitative approaches are mostly used.

110



No specific guideline on quantitative approaches are given by NIST SP 800-30 for information security.

Guidelines and examples are given instead for qualitative risk assessment (and to a smaller extent for semi-quantitativeassessment) in terms of

– exemplar assessment scales for risk factors and risk level– exemplar combining rules for risk factors

111


Qualitative risk assessmentNon-numerical categories or levels are used for each risk factor and for the final risk level

– basic categories: low, medium, high– more refined categories can be used, e.g.: very low, low, medium, high, very high

This kind of assessment of the risk level is often suitable enough for decision makers, since it allows risk prioritization.

Main issues: how should one define the meaning of "low", "medium", etc.? How can the risk level be assessed for a given threat as a combination of its likelihood (e.g., low) and impact (e.g., high)? For instance:

– when should the likelihood of a given threat exploiting a specific vulnerability of a given asset be considered "low", or "medium", etc.?

– when should the impact of such an event be considered "low", or "medium", etc.?– when should the corresponding risk be considered "low", etc.?

Detailed guidelines are provided by NIST SP 800-30 on this matter.

112


Semi-quantitative risk assessment

Numerical values are used, e.g.:– bins, e.g.: 0–15, 16–35, 36–70, 71–85, 86–100– scales, e.g., 1, 2, 3, ..., 10– other representative numbers

Such values do not have any "phisical" meaning in a specific unit of measurement (i.e., they do not refer to monetary loss in some currency, or to percentages, etc.): their choice should be guided by expert judgement.

Some examples are given by NIST SP 800-30 in terms of a possible match between qualitative and semi-quantitative values.

113


Overview of the risk assessment process

114

Threat sources Threat events Vulnerabilities

severitycapability

impacttargeting

effects

relevance



impactlikelihood

risk

adversarialnon-adversarial

cause exploit

How to assess the risk factorsand the risk level, i.e., each element in the ovals?


NIST SP 800-30 guidelines on assessment scales

Exemplar assessment scales and combining rules are reported in the following from NIST SP 800-30, for qualitative and semi-quantitative risk assessment approaches.

Nota bene: examples provided by NIST SP 800-30 can be used as a starting point with appropriate tailoring to adjust for any organization-specific conditions.

115


Exemplary assessment scale

116

Adversary capability

Threat sources

capabilityimpact

targeting

adversarial



117

Threat sources

capabilityimpact

targeting

adversarial

Adversary intent



118Adversary targeting

Threat sources

capabilityimpacttargeting

adversarial



119


APPENDIX D PAGE D-4

TABLE D-6: ASSESSMENT SCALE – RANGE OF EFFECTS FOR NON-ADVERSARIAL THREAT SOURCES

Qualitative Values

Semi-Quantitative Values Description

Very High 96-100 10 The effects of the error, accident, or act of nature are sweeping, involving almost all of the cyber resources of the [Tier 3: information systems; Tier 2: mission/business processes or EA segments, common infrastructure, or support services; Tier 1: organization/governance structure].

High 80-95 8 The effects of the error, accident, or act of nature are extensive, involving most of the cyber resources of the [Tier 3: information systems; Tier 2: mission/business processes or EA segments, common infrastructure, or support services; Tier 1: organization/governance structure], including many critical resources.

Moderate 21-79 5 The effects of the error, accident, or act of nature are wide-ranging, involving a significant portion of the cyber resources of the [Tier 3: information systems; Tier 2: mission/business processes or EA segments, common infrastructure, or support services; Tier 1: organization/governance structure], including some critical resources.

Low 5-20 2 The effects of the error, accident, or act of nature are limited, involving some of the cyber resources of the [Tier 3: information systems; Tier 2: mission/business processes or EA segments, common infrastructure, or support services; Tier 1: organization/governance structure], but involving no critical resources.

Very Low 0-4 0 The effects of the error, accident, or act of nature are minimal, involving few if any of the cyber resources of the [Tier 3: information systems; Tier 2: mission/business processes or EA segments, common infrastructure, or support services; Tier 1: organization/governance structure], and involving no critical resources.

TABLE D-7: TEMPLATE – IDENTIFICATION OF ADVERSARIAL THREAT SOURCES

Identifier Threat Source Source of Information

In Scope

Capability Intent Targeting

Organization-defined

Table D-2 and Task 1-4 or

Organization-defined Yes / No

Table D-3 or


Table D-4 or


Table D-5 or


TABLE D-8: TEMPLATE – IDENTIFICATION OF NON-ADVERSARIAL THREAT SOURCES

Identifier Threat Source Source of Information

In Scope

Range of Effects


Table D-2 and Task 1-4 or

Organization-defined Yes / No

Table D-6 or


Threat sources

effects

non-adversarial

Range of effects of non-adversarial threat sources



120

Threat events

relevanceSpecial Publication 800-30 Guide for Conducting Risk Assessments ________________________________________________________________________________________________

APPENDIX E PAGE E-8

TABLE E-4: RELEVANCE OF THREAT EVENTS

Value Description

Confirmed The threat event or TTP has been seen by the organization.

Expected The threat event or TTP has been seen by the organization’s peers or partners.

Anticipated The threat event or TTP has been reported by a trusted source.

Predicted The threat event or TTP has been predicted by a trusted source.

Possible The threat event or TTP has been described by a somewhat credible source.

N/A The threat event or TTP is not currently applicable. For example, a threat event or TTP could assume specific technologies, architectures, or processes that are not present in the organization, mission/business process, EA segment, or information system; or predisposing conditions that are not present (e.g., location in a flood plain). Alternately, if the organization is using detailed or specific threat information, a threat event or TTP could be deemed inapplicable because information indicates that no adversary is expected to initiate the threat event or use the TTP.

TABLE E-5: TEMPLATE – IDENTIFICATION OF THREAT EVENTS

Identifier Threat Event Source of Information

Threat Source Relevance


Table E-2, Table E-3, Task 1-4 or


Table D-7, Table D-8 or


Table E-4 or


Relevance of threat events



121Severity of vulnerabilities

Vulnerabilities

severity



122

Likelihood of an adversarial threat event initiation



overall likelihood



123


APPENDIX G PAGE G-2

TABLE G-2: ASSESSMENT SCALE – LIKELIHOOD OF THREAT EVENT INITIATION (ADVERSARIAL)

Qualitative Values


Very High 96-100 10 Adversary is almost certain to initiate the threat event.

High 80-95 8 Adversary is highly likely to initiate the threat event.

Moderate 21-79 5 Adversary is somewhat likely to initiate the treat event.

Low 5-20 2 Adversary is unlikely to initiate the threat event.

Very Low 0-4 0 Adversary is highly unlikely to initiate the threat event.

TABLE G-3: ASSESSMENT SCALE – LIKELIHOOD OF THREAT EVENT OCCURRENCE (NON-ADVERSARIAL)

Qualitative Values


Very High 96-100 10 Error, accident, or act of nature is almost certain to occur; or occurs more than 100 times a year.

High 80-95 8 Error, accident, or act of nature is highly likely to occur; or occurs between 10-100 times a year.

Moderate 21-79 5 Error, accident, or act of nature is somewhat likely to occur; or occurs between 1-10 times a year.

Low 5-20 2 Error, accident, or act of nature is unlikely to occur; or occurs less than once a year, but more than once every 10 years.

Very Low 0-4 0 Error, accident, or act of nature is highly unlikely to occur; or occurs less than once every 10 years.

TABLE G-4: ASSESSMENT SCALE – LIKELIHOOD OF THREAT EVENT RESULTING IN ADVERSE IMPACTS

Qualitative Values


Very High 96-100 10 If the threat event is initiated or occurs, it is almost certain to have adverse impacts.

High 80-95 8 If the threat event is initiated or occurs, it is highly likely to have adverse impacts.

Moderate 21-79 5 If the threat event is initiated or occurs, it is somewhat likely to have adverse impacts.

Low 5-20 2 If the threat event is initiated or occurs, it is unlikely to have adverse impacts.

Very Low 0-4 0 If the threat event is initiated or occurs, it is highly unlikely to have adverse impacts.

TABLE G-5: ASSESSMENT SCALE – OVERALL LIKELIHOOD

Likelihood of Threat Event Initiation or Occurrence

Likelihood Threat Events Result in Adverse Impacts

Very Low Low Moderate High Very High Very High Low Moderate High Very High Very High

High Low Moderate Moderate High Very High

Moderate Low Low Moderate Moderate High

Low Very Low Low Low Moderate Moderate

Very Low Very Low Very Low Low Low Low

Likelihood of a non-adversarial threat event occurrence



overall likelihood



124

Llikelihood of threat event resulting in adverse impact



overall likelihood


Likelihood combination

The overall likelihood of a threat event is a combination of– likelihood of event occurrence (non-adversarial) or initiation

(adversarial)– likelihood of adverse impacts resulting from initiation or occurrence

Examples of likelihood combining rules from NIST SP 800-30– use the maximum of the two likelihood values– use the minimum of the two likelihood values– consider likelihood of initiation/occurrence only, assuming that

adverse impacts are certain– consider likelihood of impact only, assuming that if adverse impacts

are possible, adversaries will initiate the events– take a weighted average of the two likelihood values (only for

quantitative or semi-quantitative assessment approaches)

125



126

Overall likelihood of a threat event



overall likelihood



127

Impact of a threat event (cont.)

impact



128Impact of a threat event (cont.)

impact



129Level of risk

risk


Level of risk: the risk matrix

130

Level of risk as a combination of likelihood and impact of threat events

impactoverall likelihood

risk



131

LikelihoodLevel of impact

Very low Low Moderate High Very highVery high Very low Low Moderate High Very high

High Very low Low Moderate High Very highModerate Very low Low Moderate Moderate High

Low Very low Low Low Low ModerateVery low Very low Very low Very low Low Low

The risk matrix is often represented as a heat map for ease of interpretation by decision makers



132

LikelihoodLevel of impact

Very low Low Moderate High Very highVery high Very low Low Moderate High Very high

High Very low Low Moderate High Very highModerate Very low Low Moderate Moderate High

Low Very low Low Low Low ModerateVery low Very low Very low Very low Low Low (?)

The risk matrix is often represented as a heat map for ease of interpretation by decision makers

"Black swan" events

Documents

The Risk Assessment Process · The risk assessment process43 is composed of four steps: (i) prepare for the assessment; (ii) conduct the assessment; (iii) communicate assessment results;