Assigning impact and likelihood values in an asset-based information security risk assessment

In ISO27001 and information security terms, when an asset is compromised, the confidentiality, availability and/or integrity (CIA) of the information held by the asset could be affected.

When conducting a risk assessment, values for the likelihood and impact of a risk affecting an asset should be assigned to each of the asset’s CIA elements.

Levels of impact and likelihood should be set for individual assets at the asset identification stage. These impact scales should be agreed with the organisation’s governance team prior to embarking on the risk assessment.  The risk acceptance criteria should also be determined in the same manner.

The impact scales could be anything that you deem appropriate for quantifying the consequence of the risk. Let’s use an example used by Tony Drewitt during our recent vsRisk webinar.

The asset used in this example was ‘management laptops’.   The impact scale ranged from ‘one’ to ‘five’, with ‘one’ referring to an impact value of US$50,000 or less, and ‘five’ having an impact value of US$1,500,000 or more.

The impact value assigned to the confidentiality of data being compromised on management laptops was set at ‘two’, which reflects an impact value of $50,000 to $150,000 in damages (in the event that the laptops are compromised).

Although the reason for a high impact value to confidentiality needs no explanation – information stored on management laptops can often be sensitive in nature – it is useful for the risk assessor to add some comments at this stage to justify the impact value of this asset. This will help them explain the rationale for these values when the time comes to report on the risk assessment.  The risk assessor may not remember all the reasons for assigning specific impact values after having gone through several hundred assets!

For both the availability and integrity of data, the impact in the example was set at ‘one’ (less than $50,000). The justification was that the company has a strong network architecture, a configuration management database (CMD) that includes all the company’s asset information, and a frequent data back-up process.

Additional comments can be added to elaborate on the asset; for instance, the fact that there are 25 management laptops that are kept in the office overnight.

Once the impact values have been assigned, the risk assessor can identify the various risks (or threats and vulnerabilities) to the asset, whether the risk would affect either the C, I or A of the asset, and then follow a process of selecting controls that will reduce the risk to an acceptable level (below the risk acceptance threshold).

Although the impact values for the asset (management laptops) had already been set during the initial asset identification stage, they do not need to be rigid. The impact values for each asset can be adjusted to suit the particular risk to account for specific incidents or risks.

The same process should be repeated for assigning likelihood values to the asset. In the example used, level ‘one’ implies a likelihood of the risk occurring no more frequently than once every 10 years, whereas a ‘five’ suggests a likelihood of it occurring at least once per year.

Unlike impact, likelihood does not change for each of the confidentiality, availability and integrity elements of the asset.  This is because the likelihood of the risk occurring does not change (the risk will occur regardless of these elements), but the damage it can do varies according to each of the CIA elements.

Watch a recording of the vsRisk webinar to find out more

Leave a Reply

Your email address will not be published. Required fields are marked *