Security Risk Assessment Calculator

Outputs: Risk Score (Appetite), Likelihood Score, Impact Score.

Vector (the assessment is encoded as the sixteen factor scores below; the calculator also embeds this vector in a hyperlink that can be pasted into a risk ticket to revisit the assessment):
(SL:0/M:0/O:0/S:0/ED:0/EE:0/A:0/ID:0/LC:0/LI:0/LAV:0/LAC:0/FD:0/RD:0/NC:0/PV:0)


Define your Threat

There is a Threat Actor (TA) who has the Skill Level (SL), Size (S) and Opportunity (O) to exploit a Vulnerability (V) and wants to harm us because of their Motives (M).

Define your Likelihood

The Vulnerability (V) we are looking into has an Ease of Discovery (ED) and an Ease of Exploit (EE). The Threat Actor (TA) may be Aware (A) of this vulnerability and may go undetected (ID).

Define your Negative Event

Exploitation of the Vulnerability (V) by the Threat Actor (TA) can lead to a situation called a Negative Event (NE), which has an unwanted impact on our business processes (BIF) and supporting technology (TIF).

Define your Impact

In the worst-case scenario, the Negative Event (NE) leads to an impact on our business processes (BIF) and supporting technology (TIF); this impact is scored with the effective measures we have already implemented taken into account.


Threat Agent Factors
Which threat actors are involved? The goal here is to estimate the likelihood of a successful attack by this specific group of threat agents. Use the worst-case threat agent group.

Skill level
How technically skilled is this group of threat agents?
Motive
How motivated is this group of threat agents to find and exploit this vulnerability?
Opportunity
What resources and opportunities are required for this group of threat agents to find and exploit this vulnerability?
Actor group size
How large is this group of threat agents?

Technical Impact Factors
Technical impact can be broken down into factors aligned with the traditional security areas of concern: confidentiality, integrity, availability, and accountability. The goal is to estimate the magnitude of the impact on the system if the vulnerability were to be exploited.

Loss of Confidentiality
How much data could be disclosed and how sensitive is it?
Loss of Integrity
How much data could be corrupted and how badly damaged would it be?
Loss of Availability
How vital is the affected service (or services) and how much unavailability would result?
Loss of Accountability
Are the threat agents' actions traceable to a source or individual?

Vulnerability Factors
What is the vulnerability involved? The goal here is to estimate the likelihood of the particular vulnerability involved being discovered and exploited.

Ease of Discovery
How easy is it for this group of threat agents to discover the vulnerability in question?
Ease of Exploit
How easy is it for this group of threat agents to actually exploit this vulnerability?
Awareness
How well known is this vulnerability to this group of threat agents?
Intrusion Detection
How likely is an exploit to be detected?

Business Impact Factors
The business impact stems from the technical impact, but requires a deep understanding of what is important to the company running the application. In general, you should be aiming to support your risks with business impact, particularly if your audience is executive level. The business risk is what justifies investment in fixing security problems.

Financial damage
How much financial damage will result from an exploit?
Reputation damage
Would an exploit result in reputation damage that would harm the organisation and/or stakeholders?
Non-compliance
How much exposure does non-compliance introduce towards laws, regulations and supervisory bodies?
Privacy violation
How much personally identifiable information could be disclosed?

Created by: Code403
Inspired by: The OWASP Risk Assessment Framework and Javier Olmedo's calculator.

How is the Risk calculated?

Likelihood & Impact levels
  0 to 2.9   Low
  3 to 5.9   Medium
  6 to 9     High

Risk Exposure Matrix
(Severity = Likelihood x Impact)

                          Likelihood
  Impact      LOW        MEDIUM     HIGH
  HIGH        Medium     High       Critical
  MEDIUM      Low        Medium     High
  LOW         Note       Low        Medium

Risk Appetite Matrix

                          Likelihood
  Impact      LOW                     MEDIUM                  HIGH
  HIGH        Generally Acceptable    Unacceptable            Unacceptable
  MEDIUM      Acceptable              Generally Acceptable    Unacceptable
  LOW         Acceptable              Acceptable              Generally Unacceptable
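The following is an added worked example, not code from the calculator or its author, showing how an assessment vector in the format above can be turned into likelihood and impact levels and then looked up in the two matrices. The level thresholds and both matrices are taken from this page. What the page does not state is how the sixteen factor scores are combined into the two scores; the example assumes the OWASP Risk Rating approach of averaging the eight likelihood factors (threat agent plus vulnerability), and assumes the worst case of the two impact averages (technical versus business) is used as the impact score. Both assumptions are marked in the code, as is the constructed sample vector.

```python
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean

# Factor groups, in the order they appear in the calculator's vector string.
THREAT_AGENT = ("SL", "M", "O", "S")            # skill, motive, opportunity, size
VULNERABILITY = ("ED", "EE", "A", "ID")         # discovery, exploit, awareness, detection
TECHNICAL_IMPACT = ("LC", "LI", "LAV", "LAC")   # confidentiality, integrity, availability, accountability
BUSINESS_IMPACT = ("FD", "RD", "NC", "PV")      # financial, reputation, non-compliance, privacy
ALL_FACTORS = THREAT_AGENT + VULNERABILITY + TECHNICAL_IMPACT + BUSINESS_IMPACT

# Matrices from the page, keyed by (impact level, likelihood level).
SEVERITY = {
    ("HIGH", "LOW"): "Medium",   ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low",    ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note",      ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
}
APPETITE = {
    ("HIGH", "LOW"): "Generally Acceptable", ("HIGH", "MEDIUM"): "Unacceptable",
    ("HIGH", "HIGH"): "Unacceptable",
    ("MEDIUM", "LOW"): "Acceptable", ("MEDIUM", "MEDIUM"): "Generally Acceptable",
    ("MEDIUM", "HIGH"): "Unacceptable",
    ("LOW", "LOW"): "Acceptable", ("LOW", "MEDIUM"): "Acceptable",
    ("LOW", "HIGH"): "Generally Unacceptable",
}


def parse_vector(vector: str) -> dict[str, int]:
    """Parse '(SL:6/M:9/.../PV:7)' into {factor: score}, rejecting malformed input.

    A vector pasted from a risk ticket is untrusted text, so every key must be a
    known factor, every score must be an integer 0..9, and nothing may be
    missing or duplicated; a silently defaulted factor would understate risk.
    """
    body = vector.strip().strip("()")
    scores: dict[str, int] = {}
    for part in body.split("/"):
        key, sep, value = part.partition(":")
        key = key.strip().upper()
        if not sep or key not in ALL_FACTORS:
            raise ValueError(f"unknown or malformed factor: {part!r}")
        if key in scores:
            raise ValueError(f"duplicate factor: {key}")
        score = int(value.strip())
        if not 0 <= score <= 9:
            raise ValueError(f"score for {key} out of range 0..9: {score}")
        scores[key] = score
    missing = set(ALL_FACTORS) - scores.keys()
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    return scores


def level(score: float) -> str:
    """Map a 0..9 score to the page's bands (0-2.9 Low, 3-5.9 Medium, 6-9 High)."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


@dataclass(frozen=True)
class Assessment:
    likelihood: float
    impact: float
    severity: str   # from the Risk Exposure Matrix
    appetite: str   # from the Risk Appetite Matrix


def assess(vector: str) -> Assessment:
    s = parse_vector(vector)
    # Assumption (OWASP-style): likelihood is the average of the eight
    # threat-agent and vulnerability factors.
    likelihood = mean(s[k] for k in THREAT_AGENT + VULNERABILITY)
    # Assumption: impact is the worse of the technical and business averages,
    # matching the page's "worst case scenario" wording.
    technical = mean(s[k] for k in TECHNICAL_IMPACT)
    business = mean(s[k] for k in BUSINESS_IMPACT)
    impact = max(technical, business)
    key = (level(impact), level(likelihood))
    return Assessment(likelihood, impact, SEVERITY[key], APPETITE[key])


# Constructed sample vector (not from the page): a skilled, motivated group
# against a known, moderately easy flaw with a serious accountability gap.
SAMPLE_VECTOR = "(SL:6/M:9/O:7/S:6/ED:3/EE:5/A:6/ID:8/LC:7/LI:5/LAV:5/LAC:9/FD:3/RD:4/NC:5/PV:7)"

if __name__ == "__main__":
    print(assess(SAMPLE_VECTOR))
```

The `Note` cell and the three appetite bands come straight from the matrices above; if the calculator's own aggregation rule differs from the two labelled assumptions, only `assess` needs changing, since parsing, banding and the matrix lookups are independent of it.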