
Assess the likelihood of risks happening

Example of a likelihood scale and how the business owner and stakeholders can use quantitative information in assessing each risk’s likelihood.

Working towards the initial risk ratings

Assume there are no controls currently in place when you and the stakeholders are assessing the likelihood of risks happening.

Again, workshops often work best for completing the assessments.

Quantitative information for likelihood assessments

If quantitative information is available about the frequency of a risk happening in the past, use it to determine the likelihood of the risk happening again.

If quantitative information about the risk frequency is not available, it does not mean that the likelihood of the risk happening is low — you and the stakeholders need to qualitatively assess the risks to an information system’s vulnerabilities.

Likelihood scale — qualitative ratings

Make sure that stakeholders, drawing on their skillsets, assess either or both of the following:

  • the skills and resources a threat would need to exploit an information system’s vulnerability
  • the timeframe in which the risk could be expected to happen.

5 — Almost certain

Without any specialist skills or resources, it’s easy for the threat to exploit the information system’s vulnerability.

Or, the risk is expected to happen within 1 to 6 months.

4 — Highly probable

With minimal skills or resources, it’s highly likely for the threat to exploit the information system’s vulnerability.

Or, the risk is expected to happen within 6 to 12 months.

3 — Possible

With moderate skills or resources, it’s possible for the threat to exploit the information system’s vulnerability.

Or, the risk is expected to occur within 12 to 36 months.

2 — Possible but unlikely

It requires significant skills and resources for the threat to exploit the information system’s vulnerability.

Or, the risk is expected to happen within 3 to 5 years.

1 — Almost never

It’s difficult for the threat to exploit the information system’s vulnerability.

Or, the risk is not expected to happen within 5 years.
