7. Risk 1 = Impact x Likelihood x Business Factor
Risk 2 = Impact x Likelihood x Business Factor
...
Risk n = Impact x Likelihood x Business Factor
8. Risk 1 = Impact x Likelihood x Business Factor
Risk 2 = Impact x Likelihood x Business Factor
...
Risk n = Impact x Likelihood x Business Factor
Total Risk = Σ Risk i (i = 1..n)
9. Same formulas as slide 8.
10. Same formulas as slide 8.
The idea started while developing the Framework for Application Security.
Present risk as a bubble. It is a good analogy: if the bubble gets too big, it pops.
Size is therefore always a constraint for the risk bubble.
The traditional risk calculation formula is Risk = Impact x Likelihood.
We challenged it and appended a Business Factor so that the result can be quantified in terms executives understand. The business factor is the importance of the system from a business perspective, expressed as a percentage (0 to 1). A mission-critical system therefore has a business factor of 1; a less important system scales its risk down proportionally.
Each system has multiple vulnerabilities, and each vulnerability carries its own risk computed with the formula above.
The total risk of the system is the sum of the individual risks (the size of the bubble).
Individual risks have different severities. On this slide, risk 1 is high (red label), risk 2 is medium (orange label) and risk n is low (yellow label).
The total risk inherits the highest severity among the individual risks: a single high-severity risk makes the whole bubble high, regardless of its numeric size.
We can now define the risk appetite on top of this formula. It has two limits, and both must hold.
This is the acceptable bubble: a size of 30 risk points and a maximum accepted severity of medium.
Scenario 1: compliant. The total risk is within the acceptable size (25 < 30) and the highest severity among the individual risks is low.
Scenario 2: non-compliant. Even though the numeric value of the total risk is within the risk appetite statement (20 < 30), the severity of the total risk is high (inherited from one high individual risk), which is unacceptable.
Scenario 3: non-compliant. The numeric value of the total risk exceeds the risk appetite statement (35 > 30), even though no individual risk is above medium severity.
Building a meaningful risk visualization. Each bubble represents a system; its size is the total risk and its colour the inherited severity.
Improvement 1: add system names so each bubble can be identified quickly.
Improvement 2: add a visual indicator of non-compliance with the risk appetite.
Improvement 3: add a timeline indicator showing when the last assessment used to measure the risk was performed, so stale measurements are visible.
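The model described above, from the per-vulnerability formula through severity inheritance, the two-limit risk appetite check and the per-system record behind the bubble chart, as an added Python example that is not part of the original slides or the Framework for Application Security. Everything below the formula is an assumption: the 1-5 scales for impact and likelihood, the severity label being assessed per vulnerability, the 90-day staleness threshold, and all system and vulnerability names, which are constructed sample data chosen so the three scenarios from the slides (25, 20 and 35 risk points) come out exactly.

```python
from dataclasses import dataclass
from datetime import date
from enum import IntEnum


class Severity(IntEnum):
    """Severity labels from the slides (yellow / orange / red); ordered so max() works."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Vulnerability:
    name: str
    impact: int          # assumed 1..5 scale (the page fixes no scale)
    likelihood: int      # assumed 1..5 scale (the page fixes no scale)
    severity: Severity   # assumed to be assessed per vulnerability, not derived from the points


@dataclass(frozen=True)
class System:
    name: str
    business_factor: float     # percentage 0..1; mission critical = 1.0
    vulnerabilities: tuple
    last_assessed: date


@dataclass(frozen=True)
class RiskAppetite:
    max_points: float          # size of the acceptable bubble
    max_severity: Severity     # highest severity the business accepts


def vulnerability_risk(v: Vulnerability, business_factor: float) -> float:
    """Risk i = Impact x Likelihood x Business Factor."""
    if not 0.0 <= business_factor <= 1.0:
        raise ValueError("business factor is a percentage in [0, 1]")
    return v.impact * v.likelihood * business_factor


def total_risk(system: System) -> float:
    """Total Risk = sum of Risk i over the system's vulnerabilities (the bubble's size)."""
    return sum(vulnerability_risk(v, system.business_factor) for v in system.vulnerabilities)


def total_severity(system: System) -> Severity:
    """The total risk inherits the highest severity among the individual risks."""
    return max((v.severity for v in system.vulnerabilities), default=Severity.LOW)


def check_appetite(system: System, appetite: RiskAppetite) -> tuple:
    """Both limits must hold: the numeric size AND the inherited severity.
    Returns (compliant, reasons); reasons is empty when compliant."""
    reasons = []
    points = total_risk(system)
    if points > appetite.max_points:
        reasons.append(f"{points:g} risk points > appetite of {appetite.max_points:g}")
    sev = total_severity(system)
    if sev > appetite.max_severity:
        reasons.append(f"total severity {sev.name} > accepted {appetite.max_severity.name}")
    return (not reasons, reasons)


def bubble(system: System, appetite: RiskAppetite, today: date, stale_after_days: int = 90) -> dict:
    """One record per system for the bubble chart: name (improvement 1), size and colour,
    compliance flag (improvement 2) and age of the last assessment (improvement 3).
    stale_after_days is an assumed threshold, not from the slides."""
    compliant, reasons = check_appetite(system, appetite)
    age = (today - system.last_assessed).days
    return {
        "system": system.name,
        "size": total_risk(system),
        "severity": total_severity(system).name,
        "compliant": compliant,
        "reasons": reasons,
        "days_since_assessment": age,
        "assessment_stale": age > stale_after_days,
    }


# Constructed sample data reproducing the three scenarios from the slides.
APPETITE = RiskAppetite(max_points=30.0, max_severity=Severity.MEDIUM)

SCENARIO_1 = System("billing-api", 1.0, (
    Vulnerability("outdated TLS configuration", 5, 3, Severity.LOW),   # 15 points
    Vulnerability("verbose error pages", 5, 2, Severity.LOW),          # 10 points
), date(2024, 5, 1))                                                   # 25 < 30, max severity low

SCENARIO_2 = System("intranet-wiki", 0.5, (
    Vulnerability("stored XSS in comments", 5, 4, Severity.HIGH),      # 10 points (factor 0.5)
    Vulnerability("missing rate limiting", 5, 4, Severity.MEDIUM),     # 10 points
), date(2024, 5, 1))                                                   # 20 < 30 but severity high

SCENARIO_3 = System("customer-portal", 1.0, (
    Vulnerability("IDOR on account export", 5, 5, Severity.MEDIUM),    # 25 points
    Vulnerability("weak password policy", 5, 2, Severity.LOW),         # 10 points
), date(2024, 1, 15))                                                  # 35 > 30

if __name__ == "__main__":
    for s in (SCENARIO_1, SCENARIO_2, SCENARIO_3):
        print(bubble(s, APPETITE, date(2024, 6, 1)))
```

The point worth noticing is scenario 2: the numeric check alone would pass it, and only because the severity is inherited from the single high-severity vulnerability does the bubble become non-compliant. The records returned by `bubble()` are what a chart would plot; feeding them into a plotting library is left out deliberately since the data shape is the part the slides describe.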
Takeaways:
Educate people on information security risks and their mitigations.
Use the risk-as-a-bubble analogy for a clearer message.
Build a meaningful visualization that gives an overview of the total risk across systems.