Assess the likelihood of risks happening
Example of a likelihood scale and how the business owner and stakeholders can use quantitative information in assessing each risk’s likelihood.
Working towards the initial risk ratings
Assume there are no controls currently in place when you and the stakeholders are assessing the likelihood of risks happening.
Again, workshops often work best for completing the assessments.
Quantitative information for likelihood assessments
If quantitative information is available about the frequency of a risk happening in the past, use it to determine the likelihood of the risk happening again.
If quantitative information about the risk frequency is not available, it does not mean that the likelihood of the risk happening is low — you and the stakeholders need to qualitatively assess the risks to an information system’s vulnerabilities.
Likelihood scale — qualitative ratings
Make sure that stakeholders, drawing from their skillsets, assess either, or both, the:
- skills and resources needed to exploit an information system’s vulnerability
- timeframe in which the risk could be expected to happen.
5 — Almost certain
Without any specialist skills or resources, it’s easy for the threat to exploit the information system’s vulnerability.
Or, the risk is expected to happen within 1 to 6 months.
4 — Highly probable
With minimal skills or resources, it’s highly likely for the threat to exploit the information system’s vulnerability.
Or, the risk is expected to happen within 6 to 12 months.
3 — Possible
With moderate skills or resources, it’s possible for the threat to exploit the information system’s vulnerability.
Or, the risk is expected to occur within 12 to 36 months.
2 — Possible but unlikely
It requires significant skills and resources for the threat to exploit the information system’s vulnerability.
Or, the risk is expected to happen within 3 to 5 years.
1 — Almost never
It’s difficult for the threat to exploit the information system’s vulnerability.
Or, the risk is not expected to happen within 5 years.