
The Risk Assessment Process

http://pralab.diee.unica.it 75
Main sources
The context: risk management frameworks and guidelines
– ISO 31000:2018 Risk management – Guidelines
(not focused on information security)
– ISO 27005:2018 Information security risk management
– NIST SP 800-39 Managing information security risk
Specific risk assessment guidelines
– NIST SP 800-30 Rev. 1 Guide for conducting risk assessments (2012)
https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
– IEC/ISO 31010:2019 Risk management – Risk assessment techniques
https://www.iso.org/standard/72140.html

The context: ISO risk management framework
[Figures: the risk management processes of ISO 31000:2018 Risk management – Guidelines (not focused on information security) and of ISO 27005:2018 Information security risk management, with the risk assessment step highlighted]

The context: NIST risk management framework
[Figure: the NIST SP 800-39 risk management process, with the risk assessment component highlighted; callout on the risk framing component: "describes the environment in which risk-based decisions are made to produce a risk management strategy"]
NIST SP 800-39 Managing information security risk

The context: NIST risk management framework
General guidelines on the risk assessment step, from NIST SP 800-39 Managing information security risk (ch. 3)
– Risk assessment identifies, prioritizes, and estimates risk to
organizational operations (i.e., mission, functions, image, and
reputation), organizational assets, individuals, other organizations, and
the Nation, resulting from the operation and use of information
systems
– Risk assessments use the results of threat and vulnerability
assessments to identify and evaluate risk in terms of likelihood of
occurrence and potential adverse impact (i.e., magnitude of harm) to
organizations, assets, and individuals
– Risk assessments can be conducted at any of the risk management
tiers [organization, mission/business processes, information systems]
with different objectives and utility of the information produced

The context: NIST risk management framework
NIST SP 800-39 Managing information security risk
[Figure: a threat exploits a vulnerability, which is exposed by assets and context, causing an impact; threat likelihood and impact together give the risk level]
Main activities
1. threat and vulnerability identification, including threat likelihood and impact
2. risk determination, as a function of likelihood and impact

The context: NIST risk management framework
Some guidelines from NIST SP 800-39 (ch. 3)
– Threat Sources cause events having undesirable consequences or
adverse impacts on organizational operations and assets, individuals,
other organizations, and the Nation: (i) hostile cyber/physical attacks;
(ii) human errors of omission or commission; (iii) natural and man-
made disasters.
– Vulnerabilities can be associated with exploitable weakness or
deficiencies in the three organizational tiers: (i) the hardware,
software, or firmware components that compose organizational
information systems (or the security controls employed within or
inherited by those systems); (ii) mission/business processes and
enterprise architectures (including embedded information security
architectures) implemented by organizations; (iii) organizational
governance structures or processes.
(cont.)

The context: NIST risk management framework
(cont.)
– Impacts can refer to organizational operations (i.e., mission, functions,
image, and reputation), organizational assets, individuals, other
organizations, and the Nation.
– Likelihood can be determined using a variety of approaches
• the likelihood that a threat event will occur and that, if it occurs, it will result in
adverse effects, can be treated as separate factors, or in combination
• qualitative risk assessments are preferred under a high degree of uncertainty
• either threat assumptions or actual threat data can be used (e.g., historical
data on cyber attacks or on earthquakes, specific information on adversary
capabilities, intentions, and targeting); empirical data can be used, if available
(e.g., types of cyber attacks, cyber attack trends, frequencies of attacks)
• likelihood can refer to (i) worst case (i.e., attack will be successful unless
strong, objective reasons to presume otherwise); (ii) best case (i.e., attack will
not be successful unless specific, credible information to the contrary); or (iii)
something in between best and worst cases (e.g., the most probable case)

NIST SP 800-30 Guide for conducting risk assessments
Purpose: to provide guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39
• how to carry out the steps in the risk
assessment process
• how risk assessments and other
organizational risk management processes
complement and inform each other
• identifying specific risk factors to monitor
on an ongoing basis
Contents:
• summary of the risk management process
• the risk assessment process
• resources: glossary; information on threat
sources, event and likelihood;
vulnerabilities; impact; risk determination
and response
NIST SP 800-30 Guide for conducting risk assessments
• Concepts and principles similar to and consistent with ISO and IEC standards
• Flexible guidelines – no specific requirements on
– formality, rigor, level of detail of the particular risk assessment
– methodologies, tools, and techniques
– format and content of assessment results and reporting mechanisms
• Cautionary note: risk assessments are often not precise
instruments of measurement, and reflect
– the limitations of the specific assessment methodologies, tools, and
techniques employed
– subjectivity, quality, and trustworthiness of the data used
– the interpretation of assessment results
– the skills and expertise of those conducting the assessments

NIST SP 800-30 – Risk framing components
[Figure: the three risk framing components]
– Risk model: defines risk factors and their relationships
– Assessment approach: specifies the range of values of risk factors and how to combine them to evaluate risk (e.g., quantitative, qualitative, or semi-quantitative approach)
– Analysis approach: describes how combinations of risk factors are identified/analyzed (e.g., threat-oriented, asset/impact-oriented, or vulnerability-oriented approach)

NIST SP 800-30 – Risk framing components
Risk model: the main factors
– threats (e.g. sources and events): (i) hostile cyber or physical attacks;
(ii) human errors of omission or commission; (iii) structural failures of
organization-controlled resources (e.g., hardware, software,
environmental controls); (iv) natural and man-made disasters,
accidents, and failures beyond the control of the organization
(existing taxonomies can be used to identify relevant threats)
– vulnerabilities: weaknesses in (i) information systems, system security
procedures, internal controls, or implementation that could be
exploited by a threat source (often related to unapplied or weak
security controls); (ii) organizational governance structures (e.g., lack
of effective risk management strategies and adequate risk framing,
poor intra-agency communications)
Threats and vulnerabilities can be combined into threat scenarios
(cont.)

NIST SP 800-30 – Risk framing components
(cont.)
– predisposing conditions affect (increase or decrease) the likelihood
that threat events, once initiated, result in adverse impacts (e.g.,
location of a facility in a flood-prone region, information systems with
complex external network connectivity)
– likelihood of occurrence is related to the probability that a given
threat is capable of exploiting a given vulnerability; it depends on the
likelihood of threat event occurrence and of the corresponding impact
• for adversarial threats likelihood assessment depends on: (i) adversary
intent; (ii) adversary capability; (iii) adversary targeting
• for other threats it is estimated based on historical evidence, empirical
data, or other factors
– impact: magnitude of harm that can result from the consequences of
compromising confidentiality, integrity or availability

NIST SP 800-30 – Risk framing components
[Figure: example of a risk model including the key risk factors listed above]

NIST SP 800-30 – Assessment approaches
Risk, and its contributing factors, can be assessed in a variety of ways, depending on organizational culture and attitudes toward the concepts of uncertainty and risk communication, and on the available information
Quantitative
• Use of numbers (e.g., probability values for likelihood)
• Supports cost-benefit analyses of alternative risk responses
• Meanings and proportionality are maintained inside and outside the assessment context
• Issues: reliability, significance, effort required
Qualitative
• Non-numerical categories or levels (e.g., low, medium, high)
• Useful to support communicating risk results to decision makers
• Understanding categories or levels requires clear examples
Semi-quantitative
• Use of bins (e.g., 0–15, 16–35, 36–70, 71–85, 86–100), scales (e.g., 1–10), or representative numbers whose values and meanings are not maintained in other contexts
• Expert judgment is crucial in assigning values

NIST SP 800-30 – Analysis approach
Analysis approaches differ in the orientation or starting point of the risk assessment, level of detail in the assessment, and how risks due to similar threat scenarios are treated
Threat-oriented
1) Identification of threat sources and events
2) Development of threat scenarios
3) Identification of vulnerabilities
Asset/impact-oriented
1) Identification of impacts or consequences of concern and critical assets
2) Identification of threat events that could lead to and/or threat sources that could seek those impacts or consequences
Vulnerability-oriented
1) Identification of predisposing conditions or exploitable weaknesses/deficiencies in organizational information systems or their environments
2) Identification of threat events that could exercise those vulnerabilities together with possible consequences

NIST SP 800-30 – Application of risk assessments
[Figure: the three risk management tiers and the role of risk assessments at each]
– Tier 1 (organization): supporting strategies, policies, guidance, and processes for managing risk
– Tier 2 (mission/business processes): supporting the determination of mission/business process protection and resiliency requirements, and the allocation of those requirements to the enterprise architecture as part of mission/business segments
– Tier 3 (information systems): traditional risk assessments focus at the Tier 3 level, and tend to overlook other significant risk factors that may be more appropriately assessed at higher levels
NIST SP 800-30 – The risk assessment process
From NIST SP 800-30, Chapter Three (The process: conducting risk assessments within organizations): "This chapter describes the process of assessing information security risk including: (i) a high-level overview of the risk assessment process; (ii) the activities necessary to prepare for risk assessments; (iii) the activities necessary to conduct effective risk assessments; (iv) the activities necessary to communicate the assessment results and share risk-related information; and (v) the activities necessary to maintain the results of risk assessments on an ongoing basis. The risk assessment process is composed of four steps: (i) prepare for the assessment; (ii) conduct the assessment; (iii) communicate assessment results; and (iv) maintain the assessment. Each step is divided into a set of tasks. For each task, supplemental guidance provides additional information for organizations conducting risk assessments. Risk tables and exemplary assessment scales are listed in appropriate tasks and cross-referenced to additional, more detailed information in the supporting appendices. Figure 5 illustrates the basic steps in the risk assessment process and highlights the specific tasks for conducting the assessment."
[Figure 5 of NIST SP 800-30: Risk assessment process. Step 1: Prepare for Assessment (derived from the organizational risk frame); Step 2: Conduct Assessment, with the expanded task view: Identify Threat Sources and Events; Identify Vulnerabilities and Predisposing Conditions; Determine Likelihood of Occurrence; Determine Magnitude of Impact; Determine Risk; Step 3: Communicate Results; Step 4: Maintain Assessment]
NIST footnote 43: "The intent of the process description in Chapter Three is to provide a common expression of the essential elements of an effective risk assessment. It is not intended to limit organizational flexibility in conducting those assessments. Other procedures can be implemented if organizations choose to do so, consistent with the intent of the process description."

NIST SP 800-30 – The risk assessment process
Comparison with ISO 27005:2018
[Figure 5 of NIST SP 800-30 (risk assessment process) repeated, for comparison with the ISO 27005:2018 process]

Step 1: preparing for the risk assessment
Tasks
1-1 Identify the purpose of the assessment
1-2 Identify the scope
1-3 Identify the assumptions and constraints associated with the
assessment
1-4 Identify the sources of information to be used as inputs to the
assessment
1-5 Identify the risk model and analytic approaches (i.e., assessment and
analysis approaches) to be employed

Step 1: preparing for the risk assessment
TASK 1-1: Identifying the purpose
– what information is it intended to produce?
– what decisions is it intended to support?
– how to capture and present information produced?

TASK 1-2: Identifying the scope
– organizational applicability: organization tiers and parts affected
– time frame supported: how long will the results be relevant? what influences the need to update the assessment?
– architectural/technological considerations: specific technologies, mission/business segment architecture, organizational information systems and their environment

Step 1: preparing for the risk assessment
TASK 1-3: Identifying assumptions and constraints
– threats sources: types of sources to be considered, identification process
– threat events: types of threat events to be considered, required level of
detail of their description
– vulnerabilities and predisposing conditions: types of vulnerabilities and
predisposing conditions to be considered, required level of detail of their
description
– likelihood determination process
– impacts to organizational operations (missions, functions, image, and
reputation) and assets, individuals, other organizations
– risk tolerance and uncertainty: what levels and types of risk are
acceptable? reasons for uncertainty about risk factors
– analytic approach: assessment approaches (quantitative, qualitative,
semi-quantitative) and analysis approaches (threat-oriented,
asset/impact-oriented, vulnerability-oriented)

Step 1: preparing for the risk assessment
TASK 1-4: Identifying the sources of information about threats,
vulnerabilities and impacts
– threats and vulnerabilities: internal sources (e.g., risk and
vulnerability assessment reports, incident reports, security logs,
trouble tickets, monitoring results) and external sources (e.g., cross-
community organizations like CERT, research and non-governmental
organizations), etc.
– predisposing conditions: descriptions of information systems,
environments of operation, shared services, common infrastructures,
enterprise architecture, etc.
– impact information: mission/business impact analyses, information
system component inventories, security categorizations, etc.

Step 1: preparing for the risk assessment
TASK 1-5: Identifying the risk model and analytic approach
– risk models include, or can be translated into, the risk factors: threat,
vulnerability, impact, likelihood, and predisposing condition
– assessment approach: quantitative, qualitative, semi-quantitative
– analysis approach: threat-oriented, asset/impact-oriented,
vulnerability-oriented
– definition, or selection of, existing assessment scales, annotated with
organizationally-meaningful examples for specific values
– defining algorithms (e.g., formulas, tables, rules) for combining risk
factors

Step 2: conducting the risk assessment
Objective: to produce a list of information security risks that can be prioritized by risk level and used to inform risk response decisions
– iterations among the tasks are necessary and expected
– task ordering can be modified
[Figure 5 of NIST SP 800-30 with Step 2 (Conduct Assessment) and its expanded task view highlighted: Identify Threat Sources and Events; Identify Vulnerabilities and Predisposing Conditions; Determine Likelihood of Occurrence; Determine Magnitude of Impact; Determine Risk]

Step 2: conducting the risk assessment
TASK 2-1: Identify and characterize threat sources of concern
– adversarial threats: capability, intent and targeting characteristics
– non-adversarial threats: range of effects

An exemplary threat source taxonomy that can be used to identify and characterize threat sources (only the first two levels are shown here)
THREAT SOURCE
– ADVERSARIAL: Individual; Group; Organization; Nation-State
– ACCIDENTAL: User; Privileged user/administrator
– STRUCTURAL: IT equipment; Environmental controls; Software
– ENVIRONMENTAL: Natural or man-made disaster; Unusual natural event; Infrastructure failure/outage
Step 2: conducting the risk assessment
TASK 2-2: Identify threat events
– potential threat events that are relevant to the organization (depends
on organizational risk tolerance)
– threat sources that could initiate such events
Representative examples of adversarial and non-adversarial threat events
– Perform reconnaissance and gather information, e.g., sniffing of exposed networks
– Craft or create attack tools, e.g., phishing attacks via email
– Deliver/insert/install malicious capabilities, e.g., known malware to internal information systems (virus)
– Exploit and compromise, e.g., poorly configured or unauthorized information systems exposed to the Internet
– Conduct an attack, e.g., Distributed Denial of Service (DDoS)
– Achieve results, e.g., obtain sensitive information via exfiltration
– Maintain a presence or set of capabilities, e.g., obfuscate adversary actions
– Coordinate a campaign, e.g., cyber attacks using external (outsider), internal (insider), and supply chain (supplier) attack vectors
Step 2: conducting the risk assessment
TASK 2-3: Identify and select relevant vulnerabilities and
predisposing conditions that affect the likelihood that threat
events of concern result in adverse impacts (including the
assessment of the severity of each vulnerability)

Taxonomy of predisposing conditions
INFORMATION-RELATED
– Classified National Security Information
– Compartments
– Controlled Unclassified Information
– Personally Identifiable Information
– Special Access Programs
– Agreement-Determined
  - NOFORN
  - Proprietary
TECHNICAL
– Architectural
  - Compliance with technical standards
  - ...
– Functional
  - Networked multiuser
  - Single-user
  - ...
OPERATIONAL / ENVIRONMENTAL
– Mobility
– Population with physical and/or logical access to components of the information system, mission/business process, EA segment

Step 2: conducting the risk assessment
TASK 2-4: Determining the likelihood that threat events of
concern result in adverse impacts
depends on:
– characteristics of the threat sources that could initiate the events (for
adversarial threats, including capability, intent and targeting), or that
make the event occur (non-adversarial threats)
– vulnerabilities/predisposing conditions identified
– organizational susceptibility reflecting the safeguards/
countermeasures planned or implemented

Step 2: conducting the risk assessment
The overall likelihood of a threat event is a combination of:
• likelihood of event occurrence (e.g., due to human error or natural disaster) or initiation (by an adversary)
• likelihood of adverse impacts resulting from initiation or occurrence
Combining algorithms depend on:
• organizational attitudes toward risk (overall risk tolerance, uncertainty tolerance)
• specific tolerances toward uncertainty in different risk factors
• organizational weighting of risk factors
Step 2: conducting the risk assessment
TASK 2-5: Determining the adverse impacts from threat events of
concern
Factors to consider:
– characteristics of the threat sources that could initiate the events
– vulnerabilities/predisposing conditions identified
– susceptibility reflecting the safeguards/countermeasures planned or
implemented to impede such events
Description of adverse impacts in terms of potential harm to:
– organizational operations
– assets
– individuals
– other organizations
May involve identification of assets or potential targets of threat sources
– information resources (e.g., information, data repositories, information
systems, applications, information technologies, communications links)
– people
– physical resources (e.g., buildings, power supplies)

Step 2: conducting the risk assessment
TASK 2-6: Determining the risk to the organization from threat
events of concern
Risk level is a function of:
– impact resulting from the events
– likelihood of the events occurring
Risks at the same level or with similar scores can be further prioritized.
Information on uncertainties should be included, e.g., arising from:
– missing information
– subjective determinations
– assumptions made
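As an added worked example (not part of the slides or of NIST SP 800-30), the Python module below carries Tasks 2-4 to 2-6 through on a small constructed register of threat scenarios: the likelihood of initiation/occurrence and the likelihood of adverse impact are combined into an overall likelihood, which is then combined with the impact into a risk level; scenarios whose relevance is N/A are dropped before likelihood is determined, risks at the same level are further prioritized, and the uncertainties recorded for a scenario travel with its result. The five qualitative levels and their representative values 0/2/5/8/10 follow the exemplar scales reproduced later on this page; the two combining matrices and the scenarios themselves are assumptions constructed for this example, not NIST's own combining tables.

```python
"""Qualitative risk determination (NIST SP 800-30 style, Tasks 2-4 to 2-6).

Constructed example: the scenarios and the two combining matrices below are
assumptions made for illustration, not NIST's exemplar tables. The five
qualitative levels and the representative values 0/2/5/8/10 follow the
exemplar scales shown on this page.
"""
from dataclasses import dataclass, field

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
REPRESENTATIVE = {"Very Low": 0, "Low": 2, "Moderate": 5, "High": 8, "Very High": 10}

# Overall likelihood = f(likelihood of initiation/occurrence, likelihood of
# adverse impact). Rows are indexed by the initiation/occurrence level; the
# columns follow LEVELS for the adverse-impact level. Constructed matrix.
OVERALL_LIKELIHOOD = {
    "Very Low":  ["Very Low", "Very Low", "Low", "Low", "Low"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
}

# Risk level = f(overall likelihood, impact). Rows are indexed by the overall
# likelihood; the columns follow LEVELS for the impact level. Constructed matrix.
RISK_LEVEL = {
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
}


def combine(matrix, row_level, col_level):
    """Look up a combined level; an unknown level name raises an error."""
    if row_level not in matrix or col_level not in LEVELS:
        raise ValueError(f"unknown level: {row_level!r} / {col_level!r}")
    return matrix[row_level][LEVELS.index(col_level)]


@dataclass
class ThreatScenario:
    event: str
    source: str
    relevance: str          # Table E-4 value: Confirmed, Expected, ..., N/A
    initiation: str         # likelihood of initiation (adversarial) or occurrence
    adverse_impact: str     # likelihood that the event results in adverse impacts
    impact: str             # magnitude of impact
    uncertainties: list = field(default_factory=list)


def assess(s):
    """Tasks 2-4 and 2-6 for one scenario: (overall likelihood, risk level)."""
    overall = combine(OVERALL_LIKELIHOOD, s.initiation, s.adverse_impact)
    return overall, combine(RISK_LEVEL, overall, s.impact)


def prioritize(register):
    """Risk list for Task 2-6, highest risk first.

    Scenarios with relevance N/A are excluded before likelihood is determined.
    Scenarios sharing a risk level are further ordered by the sum of the
    representative values of their overall likelihood and impact.
    """
    rows = []
    for s in register:
        if s.relevance == "N/A":
            continue
        overall, risk = assess(s)
        rows.append({
            "event": s.event, "source": s.source, "relevance": s.relevance,
            "overall_likelihood": overall, "impact": s.impact, "risk": risk,
            "uncertainties": list(s.uncertainties),
        })
    rows.sort(key=lambda r: (LEVELS.index(r["risk"]),
                             REPRESENTATIVE[r["overall_likelihood"]]
                             + REPRESENTATIVE[r["impact"]]),
              reverse=True)
    return rows


# Constructed register of threat scenarios (illustrative values only).
REGISTER = [
    ThreatScenario("Exploit poorly configured system exposed to the Internet",
                   "Organization (adversarial)", "Confirmed",
                   initiation="High", adverse_impact="High", impact="High"),
    ThreatScenario("Phishing attack via email", "Individual (adversarial)",
                   "Expected", initiation="Very High", adverse_impact="Moderate",
                   impact="Moderate"),
    ThreatScenario("Flooding of the data centre", "Natural disaster (non-adversarial)",
                   "Possible", initiation="Low", adverse_impact="High",
                   impact="Very High",
                   uncertainties=["no local flood history available (assumption)"]),
    ThreatScenario("Attack on a technology the organization does not use",
                   "Group (adversarial)", "N/A",
                   initiation="High", adverse_impact="High", impact="High"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        note = f'  uncertainties: {r["uncertainties"]}' if r["uncertainties"] else ""
        print(f'{r["risk"]:9} {r["overall_likelihood"]:9} {r["impact"]:9} {r["event"]}{note}')
```

The two matrices are where the organizational choices of the slide (risk tolerance, uncertainty tolerance, weighting of factors) are encoded; replacing them with a tailored pair changes the ranking without touching the rest of the logic, and the tie-break on representative values is one concrete way to "further prioritize" risks at the same level.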

Conducting the risk assessment: overview
[Figure: threat sources (adversarial: capability, intent, targeting; non-adversarial: effects) cause threat events (relevance), which exploit vulnerabilities (severity); the likelihood of initiation/occurrence and the likelihood of adverse impact combine into the likelihood; the impact is assessed separately; risk is always a combination of likelihood and impact]
The Risk Assessment Process
Qualitative and quantitative approaches

Risk assessment approaches
NIST SP 800-30 guidelines identify three kinds of risk assessment
approaches to evaluate each risk factor (likelihood, impact, etc.)
and risk itself
Quantitative, qualitative and semi-quantitative approaches: see the comparison given above under "NIST SP 800-30 – Assessment approaches" (use of numbers, vs. non-numerical categories or levels, vs. bins, scales or representative numbers).

Risk assessment approaches
According to NIST SP 800-30, the choice, adaptation or definition of a
specific risk assessment approach is part of the preparation step, and
is driven by different organizational considerations, e.g.:
– the quality and quantity of information available on threats,
vulnerabilities and impacts
– the specific orientation carrying the highest priority for organizations
– the availability of analysis tools emphasizing certain orientations

In particular, quantitative approaches are the most precise but also the most demanding ones in terms of information amount and quality, effort, etc. (e.g., formal probabilistic models are required to rigorously assess likelihood in terms of probability).
In the computer security field developing suitable quantitative
approaches is still an open issue, and qualitative approaches are
mostly used.

Risk assessment approaches
No specific guidelines on quantitative approaches are given by NIST SP 800-30 for information security.

Guidelines and examples are given instead for qualitative risk assessment (and to a smaller extent for semi-quantitative assessment) in terms of
– exemplar assessment scales for risk factors and risk level
– exemplar combining rules for risk factors

Qualitative risk assessment
Non-numerical categories or levels are used for each risk factor and for the
final risk level
– basic categories: low, medium, high
– more refined categories can be used, e.g.: very low, low, medium, high, very high

This kind of assessment of the risk level is often suitable enough for decision
makers, since it allows risk prioritization.

Main issues: how should one define the meaning of "low", "medium", etc.?
How can the risk level be assessed for a given threat as a combination of its
likelihood (e.g., low) and impact (e.g., high)? For instance:
– when should the likelihood of a given threat exploiting a specific vulnerability of a
given asset be considered "low", or "medium", etc.?
– when should the impact of such an event be considered "low", or "medium", etc.?
– when should the corresponding risk be considered "low", etc.?
Detailed guidelines are provided by NIST SP 800-30 on this matter.

Semi-quantitative risk assessment
Numerical values are used, e.g.:
– bins, e.g.: 0–15, 16–35, 36–70, 71–85, 86–100
– scales, e.g., 1, 2, 3, ..., 10
– other representative numbers

Such values do not have any "physical" meaning in a specific unit of measurement (i.e., they do not refer to monetary loss in some currency, or to percentages, etc.): their choice should be guided by expert judgement.

Some examples are given by NIST SP 800-30 in terms of a possible match between qualitative and semi-quantitative values.

Overview of the risk assessment process
[Figure: the overview given earlier, i.e., threat sources (adversarial: capability, intent, targeting; non-adversarial: effects) cause threat events (relevance), which exploit vulnerabilities (severity); likelihood of initiation/occurrence and likelihood of adverse impact combine into the likelihood; impact; risk]
How to assess the risk factors and the risk level, i.e., each element in the ovals?

NIST SP 800-30 guidelines on assessment scales
NIST SP 800-30 guidelines on assessment scales

Exemplar assessment scales and combining rules are reported in the following from NIST SP 800-30, for qualitative and semi-quantitative risk assessment approaches.

Nota bene: examples provided by NIST SP 800-30 can be used as a starting point with appropriate tailoring to adjust for any organization-specific conditions.

Exemplary assessment scale: threat sources (adversarial): capability, intent, targeting
[Figure: NIST SP 800-30 assessment scale for adversary capability]
[Figure: NIST SP 800-30 assessment scale for adversary intent]
[Figure: NIST SP 800-30 assessment scale for adversary targeting]
Exemplary assessment scale: threat sources (non-adversarial): range of effects
TABLE D-6: ASSESSMENT SCALE – RANGE OF EFFECTS FOR NON-ADVERSARIAL THREAT SOURCES (NIST SP 800-30)
Qualitative value (semi-quantitative values): description
Very High (96-100; 10): The effects of the error, accident, or act of nature are sweeping, involving almost all of the cyber resources of the [Tier 3: information systems; Tier 2: mission/business processes or EA segments, common infrastructure, or support services; Tier 1: organization/governance structure].
High (80-95; 8): The effects of the error, accident, or act of nature are extensive, involving most of the cyber resources of the [Tier 3: information systems; Tier 2: mission/business processes or EA segments, common infrastructure, or support services; Tier 1: organization/governance structure], including many critical resources.
Moderate (21-79; 5): The effects of the error, accident, or act of nature are wide-ranging, involving a significant portion of the cyber resources of the [Tier 3: information systems; Tier 2: mission/business processes or EA segments, common infrastructure, or support services; Tier 1: organization/governance structure], including some critical resources.
Low (5-20; 2): The effects of the error, accident, or act of nature are limited, involving some of the cyber resources of the [Tier 3: information systems; Tier 2: mission/business processes or EA segments, common infrastructure, or support services; Tier 1: organization/governance structure], but involving no critical resources.
Very Low (0-4; 0): The effects of the error, accident, or act of nature are minimal, involving few if any of the cyber resources of the [Tier 3: information systems; Tier 2: mission/business processes or EA segments, common infrastructure, or support services; Tier 1: organization/governance structure], and involving no critical resources.
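As an added example, not part of the slides or of NIST SP 800-30, the Python below encodes the semi-quantitative bins and representative values of Table D-6 (the same bins are used by the likelihood scale reproduced later on this page) and shows what the tailoring note above implies in practice: a score is mapped to its qualitative level only through the scale it was produced with, so the same number means different things under different scales, and a tailored scale must keep its bins contiguous over 0-100 and its representative values ordered. The two tailored scales are assumptions constructed for this example.

```python
"""Semi-quantitative assessment scales (NIST SP 800-30 style).

Constructed example. NIST_EXEMPLAR follows the bins and representative values
of Table D-6 on this page; TAILORED and TAILORED_WITH_GAP are assumptions made
up to illustrate tailoring and a tailoring mistake.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Bin:
    level: str           # qualitative value
    low: int             # lower bound of the 0-100 bin (inclusive)
    high: int            # upper bound of the 0-100 bin (inclusive)
    representative: int  # representative value on the 0-10 scale


NIST_EXEMPLAR = (
    Bin("Very Low", 0, 4, 0),
    Bin("Low", 5, 20, 2),
    Bin("Moderate", 21, 79, 5),
    Bin("High", 80, 95, 8),
    Bin("Very High", 96, 100, 10),
)

# Organization-tailored scale (assumption): narrower "Moderate" band.
TAILORED = (
    Bin("Very Low", 0, 9, 0),
    Bin("Low", 10, 29, 2),
    Bin("Moderate", 30, 69, 5),
    Bin("High", 70, 89, 8),
    Bin("Very High", 90, 100, 10),
)

# Mis-tailored scale (assumption): scores 21-29 fall in no bin.
TAILORED_WITH_GAP = (
    Bin("Very Low", 0, 9, 0),
    Bin("Low", 10, 20, 2),
    Bin("Moderate", 30, 69, 5),
    Bin("High", 70, 89, 8),
    Bin("Very High", 90, 100, 10),
)


def validate_scale(scale):
    """Return a list of problems; an empty list means the scale is usable.

    Checks: bins are contiguous from 0 to 100 with no gap or overlap, each bin
    is non-empty, and representative values strictly increase with the level.
    """
    problems = []
    expected_low = 0
    prev_rep = None
    for b in scale:
        if b.low != expected_low:
            problems.append(f"{b.level}: bin starts at {b.low}, expected {expected_low} (gap or overlap)")
        if b.high < b.low:
            problems.append(f"{b.level}: empty bin {b.low}-{b.high}")
        if prev_rep is not None and b.representative <= prev_rep:
            problems.append(f"{b.level}: representative value {b.representative} does not increase")
        expected_low = b.high + 1
        prev_rep = b.representative
    if expected_low != 101:
        problems.append(f"scale ends at {expected_low - 1}, expected 100")
    return problems


def to_qualitative(score, scale=NIST_EXEMPLAR):
    """Map a 0-100 semi-quantitative score to its qualitative level on `scale`."""
    for b in scale:
        if b.low <= score <= b.high:
            return b.level
    raise ValueError(f"score {score} falls outside every bin of the scale")


def to_representative(score, scale=NIST_EXEMPLAR):
    """Map a 0-100 score to the 0-10 representative value of its bin."""
    level = to_qualitative(score, scale)
    return next(b.representative for b in scale if b.level == level)


if __name__ == "__main__":
    for score in (4, 25, 80, 96):
        print(score, to_qualitative(score), to_qualitative(score, TAILORED))
    print(validate_scale(TAILORED_WITH_GAP))
```

A score of 25 is "Moderate" on the exemplar scale and "Low" on the tailored one, which is the concrete form of the slide's warning that semi-quantitative values and meanings are not maintained in other contexts; an assessment that mixes scores from two scales, or uses a scale with a gap, should be rejected at preparation time (Task 1-5) rather than discovered when a risk falls in no bin.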
Exemplary assessment scale: threat events (relevance)
TABLE E-4: RELEVANCE OF THREAT EVENTS (NIST SP 800-30)
Confirmed: The threat event or TTP has been seen by the organization.
Expected: The threat event or TTP has been seen by the organization's peers or partners.
Anticipated: The threat event or TTP has been reported by a trusted source.
Predicted: The threat event or TTP has been predicted by a trusted source.
Possible: The threat event or TTP has been described by a somewhat credible source.
N/A: The threat event or TTP is not currently applicable. For example, a threat event or TTP could assume specific technologies, architectures, or processes that are not present in the organization, mission/business process, EA segment, or information system; or predisposing conditions that are not present (e.g., location in a flood plain). Alternately, if the organization is using detailed or specific threat information, a threat event or TTP could be deemed inapplicable because information indicates that no adversary is expected to initiate the threat event or use the TTP.
TABLE E-5: TEMPLATE – IDENTIFICATION OF THREAT EVENTS (columns: Threat Event, Identifier, Threat Source, Relevance, Source of Information)
Exemplary assessment scale
Vulnerabilities: severity (figure: NIST SP 800-30 assessment scale; table body not captured)

Severity of vulnerabilities
Exemplary assessment scale
(figure: likelihood of initiation/occurrence and likelihood of adverse impact combine into overall likelihood)

Likelihood of an adversarial threat event initiation

TABLE G-2: ASSESSMENT SCALE – LIKELIHOOD OF THREAT EVENT INITIATION (ADVERSARIAL)
Qualitative values (semi-quantitative values): description
Very High (96-100, 10): Adversary is almost certain to initiate the threat event.
High (80-95, 8): Adversary is highly likely to initiate the threat event.
Moderate (21-79, 5): Adversary is somewhat likely to initiate the threat event.
Low (5-20, 2): Adversary is unlikely to initiate the threat event.
Very Low (0-4, 0): Adversary is highly unlikely to initiate the threat event.
TABLE G-3: ASSESSMENT SCALE – LIKELIHOOD OF THREAT EVENT OCCURRENCE (NON-ADVERSARIAL)
Qualitative values (semi-quantitative values): description
Very High (96-100, 10): Error, accident, or act of nature is almost certain to occur; or occurs more than 100 times a year.
High (80-95, 8): Error, accident, or act of nature is highly likely to occur; or occurs between 10-100 times a year.
Moderate (21-79, 5): Error, accident, or act of nature is somewhat likely to occur; or occurs between 1-10 times a year.
Low (5-20, 2): Error, accident, or act of nature is unlikely to occur; or occurs less than once a year, but more than once every 10 years.
Very Low (0-4, 0): Error, accident, or act of nature is highly unlikely to occur; or occurs less than once every 10 years.

Likelihood of a non-adversarial threat event occurrence


TABLE G-4: ASSESSMENT SCALE – LIKELIHOOD OF THREAT EVENT RESULTING IN ADVERSE IMPACTS
Qualitative values (semi-quantitative values): description (table body not captured)

Exemplary assessment scale
(figure: likelihood of initiation/occurrence and likelihood of adverse impact combine into overall likelihood)

Likelihood of threat event resulting in adverse impact
Likelihood combination
The overall likelihood of a threat event is a combination of
– likelihood of event occurrence (non-adversarial) or initiation (adversarial)
– likelihood of adverse impacts resulting from initiation or occurrence

Examples of likelihood combining rules from NIST SP 800-30
– use the maximum of the two likelihood values
– use the minimum of the two likelihood values
– consider likelihood of initiation/occurrence only, assuming that adverse impacts are certain
– consider likelihood of impact only, assuming that if adverse impacts are possible, adversaries will initiate the events
– take a weighted average of the two likelihood values (only for quantitative or semi-quantitative assessment approaches)
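As an added example (not code from the slides or from NIST SP 800-30), the following Python encodes the five combining rules above on the 0-100 semi-quantitative scale of the NIST tables and maps the result back to a qualitative value. The bin boundaries are those of Tables G-2 and G-3 on the previous slides; the 0.5 default weight of the weighted-average rule and all function names are this example's own assumptions. It also compares every rule on one constructed pair of values, which shows why the rule has to be fixed as an assessment-wide policy before any event is rated.

```python
"""Overall likelihood of a threat event from its two likelihood components.

Added example, not code from the lecture slides or from NIST SP 800-30: it
implements the five combining rules listed above on the 0-100 semi-quantitative
scale of the NIST assessment tables. The bin boundaries are the ones printed in
Tables G-2 and G-3 (0-4 Very Low, 5-20 Low, 21-79 Moderate, 80-95 High,
96-100 Very High); the default weight of the weighted-average rule is an
assumption chosen for illustration.
"""
from typing import Callable, Dict, Tuple

# Upper (exclusive) bound of each qualitative bin on the 0-100 scale.
# Scores between two integer bins (e.g. 4.5 from an average) fall into
# the bin below the next boundary.
BIN_UPPER_BOUNDS = [(5, "Very Low"), (21, "Low"), (80, "Moderate"), (96, "High")]


def to_qualitative(score: float) -> str:
    """Map a semi-quantitative score (0-100) to its qualitative value."""
    if not 0 <= score <= 100:
        raise ValueError(f"likelihood score out of range 0-100: {score}")
    for upper, label in BIN_UPPER_BOUNDS:
        if score < upper:
            return label
    return "Very High"


# The five combining rules quoted on the slide. Each takes the likelihood of
# initiation/occurrence and the likelihood of adverse impact (both 0-100).
def combine_max(initiation: float, impact: float) -> float:
    """Conservative: a high value in either component drives the result."""
    return max(initiation, impact)


def combine_min(initiation: float, impact: float) -> float:
    """Optimistic: both components must be high for a high result."""
    return min(initiation, impact)


def initiation_only(initiation: float, impact: float) -> float:
    """Assumes adverse impacts are certain once the event is initiated/occurs."""
    return initiation


def impact_only(initiation: float, impact: float) -> float:
    """Assumes adversaries will initiate any event whose impact is possible."""
    return impact


def weighted_average(initiation: float, impact: float, w_initiation: float = 0.5) -> float:
    """Semi-quantitative only; the weight is an assumed policy parameter."""
    if not 0 <= w_initiation <= 1:
        raise ValueError("weight must be in [0, 1]")
    return w_initiation * initiation + (1 - w_initiation) * impact


RULES: Dict[str, Callable[[float, float], float]] = {
    "max": combine_max,
    "min": combine_min,
    "initiation_only": initiation_only,
    "impact_only": impact_only,
    "weighted_average": weighted_average,
}


def overall_likelihood(initiation: float, impact: float, rule: str = "max") -> Tuple[float, str]:
    """Return (semi-quantitative score, qualitative value) under the chosen rule."""
    if rule not in RULES:
        raise ValueError(f"unknown combining rule: {rule}")
    # Validate both inputs once so every rule sees scores on the 0-100 scale.
    to_qualitative(initiation)
    to_qualitative(impact)
    score = RULES[rule](initiation, impact)
    return score, to_qualitative(score)


def compare_rules(initiation: float, impact: float) -> Dict[str, str]:
    """Qualitative overall likelihood under every rule, to expose how much the
    choice of rule (a policy decision fixed before the assessment) matters."""
    return {name: overall_likelihood(initiation, impact, name)[1] for name in RULES}


if __name__ == "__main__":
    # Constructed sample: an event that is highly likely to be initiated (90)
    # but unlikely to cause adverse impact given existing controls (10).
    for name, label in compare_rules(90, 10).items():
        print(f"{name:>17}: {label}")
```

For the constructed pair (90, 10) the same event comes out High under the maximum and initiation-only rules, Low under the minimum and impact-only rules, and Moderate under an equal-weight average, so likelihoods produced under different rules are not comparable and the rule, together with any weight, belongs in the documented assessment approach.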
Exemplary assessment scale
(figure: overall likelihood as a combination of likelihood of initiation/occurrence and likelihood of adverse impact; table body not captured)

Overall likelihood of a threat event
Exemplary assessment scale: impact (figure; table body not captured)

Impact of a threat event (cont.)

Exemplary assessment scale: impact (figure; table body not captured)

Impact of a threat event (cont.)

Exemplary assessment scale: risk (figure; table body not captured)

Level of risk


Level of risk: the risk matrix
(figure: overall likelihood and impact combine into level of risk)

Level of risk as a combination of likelihood and impact of threat events
Level of risk: the risk matrix

The risk matrix is often represented as a heat map for ease of interpretation by decision makers.

                        Level of impact
Likelihood   Very low   Low        Moderate   High       Very high
Very high    Very low   Low        Moderate   High       Very high
High         Very low   Low        Moderate   High       Very high
Moderate     Very low   Low        Moderate   Moderate   High
Low          Very low   Low        Low        Low        Moderate
Very low     Very low   Very low   Very low   Low        Low
Level of risk: the risk matrix

                        Level of impact
Likelihood   Very low   Low        Moderate   High       Very high
Very high    Very low   Low        Moderate   High       Very high
High         Very low   Low        Moderate   High       Very high
Moderate     Very low   Low        Moderate   Moderate   High
Low          Very low   Low        Low        Low        Moderate
Very low     Very low   Very low   Very low   Low        Low (?)

"Black swan" events: the cell marked (?) is the very-low-likelihood, very-high-impact combination, which the matrix rates only Low.
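As an added example (not code from the slides or from NIST SP 800-30), the following Python encodes the matrix above as a lookup table, rates a constructed risk register with it, orders the entries for a decision maker, and lists separately the entries that fall in the cell marked (?) on the last slide (very low likelihood, very high impact). The event names and ratings are made-up sample data, and `black_swan_candidates` is this example's own name for that check, not a term or step from NIST SP 800-30.

```python
"""Level of risk from the 5x5 likelihood/impact matrix.

Added example, not code from the lecture slides or from NIST SP 800-30: it
encodes the risk matrix shown on the slides as a lookup table, rates a
constructed list of threat events with it, orders them for a decision maker,
and separately lists the events that land in the cell the last slide marks
with "(?)" (very low likelihood, very high impact). Event names and ratings
are made-up sample data; the matrix values are copied from the slide.
"""
from typing import Dict, List, Tuple

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows: overall likelihood; columns: level of impact, in LEVELS order.
RISK_MATRIX: Dict[str, List[str]] = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

ThreatEvent = Tuple[str, str, str]  # (description, likelihood, impact)


def level_of_risk(likelihood: str, impact: str) -> str:
    """Look up the qualitative level of risk for a likelihood/impact pair."""
    if likelihood not in RISK_MATRIX:
        raise ValueError(f"unknown likelihood level: {likelihood!r}")
    if impact not in LEVELS:
        raise ValueError(f"unknown impact level: {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def rank_events(events: List[ThreatEvent]) -> List[Tuple[str, str]]:
    """Rate every event and return (description, risk) from highest to lowest.

    sorted() is stable, so events with the same risk keep their input order."""
    rated = [(desc, level_of_risk(lik, imp)) for desc, lik, imp in events]
    return sorted(rated, key=lambda item: -LEVELS.index(item[1]))


def black_swan_candidates(events: List[ThreatEvent]) -> List[str]:
    """Events in the very-low-likelihood / very-high-impact cell.

    The matrix rates this cell only "Low" and the slide questions that rating,
    so such events are reported on their own instead of disappearing near the
    bottom of the ranking. (Assumed check, not a NIST SP 800-30 step.)"""
    return [desc for desc, lik, imp in events if lik == "Very Low" and imp == "Very High"]


# Constructed sample risk register (names and ratings are illustrative only).
SAMPLE_EVENTS: List[ThreatEvent] = [
    ("Unpatched internet-facing service is exploited", "High", "High"),
    ("Administrator accidentally deletes production data", "Moderate", "High"),
    ("Flood at the primary data center", "Very Low", "Very High"),
    ("Unencrypted laptop is lost", "Low", "Moderate"),
]

if __name__ == "__main__":
    for desc, risk in rank_events(SAMPLE_EVENTS):
        print(f"{risk:>9}  {desc}")
    print("Review separately:", black_swan_candidates(SAMPLE_EVENTS))
```

On the sample register the flood ranks below the deleted-data event even though its impact is rated higher; the separate list is what keeps such entries visible to the decision makers who read the heat map.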
