Understanding Risk Exposure

The organization's exposure to and loss expectancy from a single risk is important information.

Values specified in the likelihood and exposure fields drive the security risk scores in the application. RiskVision calculates overall risk based in part on single loss expectancy from a given risk. Risks can also be excluded from the Adjusted Risk Score.

Exposure values for Confidentiality, Integrity, and Availability (CIA) assess the impact of a risk. Likelihood specifies the probability of a risk occurring. The overall risk score is calculated as likelihood x impact.

To specify a risk's exposure, likelihood, and loss expectancy: 

  1. In the RiskVision application, go to Content > Risks.

  2. Open the desired risk in the tree on the left.

  3. Click the Exposure tab, then click Edit. The Edit Risk Exposure page appears.

  4. Enter the following parameters:

    | Section | Parameter | Description |
    |---|---|---|
    | Exposure | Confidentiality | Risk of loss of confidentiality, 0 = no risk to 10 = maximum risk |
    | Exposure | Integrity | Risk of loss of data integrity, 0 = no risk to 10 = maximum risk |
    | Exposure | Availability | Risk of loss of availability of data, 0 = no risk to 10 = maximum risk |
    | Likelihood | Likelihood | Likelihood that this risk will affect the organization, 0 = extremely unlikely to 10 = certain |
    | Likelihood | Annualized Rate of Occurrence (FRO) | How often the vulnerability is likely to be exploited in a year |
    | Single Loss Expectancy | Availability Cost | Cost, in dollars, of not having the data available |
    | Single Loss Expectancy | Business Value | Effect, in hours, on business operations |
    | Single Loss Expectancy | Database Corruption Cost | Cost, in dollars, of losing data integrity |
    | Single Loss Expectancy | Hardware Cost | Cost, in dollars, of new hardware and equipment |
    | Single Loss Expectancy | Replacement Cost | Cost, in dollars, of new software |
    | Single Loss Expectancy | Single Record Confidentiality Cost | Cost, in dollars, of loss of confidentiality for a single record (to be multiplied by the number of records) |
    | Single Loss Expectancy | System Confidentiality Cost | Cost, in dollars, of loss of confidentiality for the system as a whole |
    | Calculation Parameters | Exclude from Adjusted Risk Score | Select Yes to exclude this risk's exposure and likelihood from the overall risk score |
    | Calculation Parameters | Multiply by the number of users | Click Yes to multiply the loss expectancy number by the number of users affected |

  5. Click Save.