## Risk Index

An organization can use a risk index to compare risks for potential threats. As illustrated in Table 10-1, a risk index is based on the following factors:

■ The probability of risk (in other words, the likelihood that compromise will occur)

■ The severity of loss in the event of compromise of an asset

■ The ability to control or manage the risk

Table 10-1 Risk Index Calculation

| Risk | Probability (P) (Value Between 1 and 3) | Severity (S) (Value Between 1 and 3) | Control (C) (Value Between 1 and 3) | Risk Index (P*S)/C (Value Between 1 and 9) |
|---|---|---|---|---|
| 1 | | | | |
| 2 | | | | |

All risks are identified in the first column. For each risk, each of the three factors is assigned a value between 1 (lowest) and 3 (highest). For example, for severity, a risk with high severity produces the greatest impact on user groups or particular environments and may even affect an entire site. Moderate-severity risks critically affect user environments or have some effect on an entire site (and mitigating the attack is a reasonably attainable scenario). Low-severity risks have a minor impact on user environments (and typically can be easily mitigated).

The risk index is calculated by dividing the product of the probability and severity factors by the control factor, resulting in this formula:

Risk index = (probability factor * severity factor) / (control factor)

NOTE You might decide to include more levels (for example, using values between 1 and 5) to further differentiate risks.

Therefore, higher risk indices indicate risks that will have a more severe impact if they occur, that are more likely to occur, and that are less easy to control or manage. Risks with a higher risk index therefore require constant monitoring.

Stakeholders and subject matter experts should be involved in building the risk index matrix. The security policy should identify and outline a plan of activities to manage or control each risk and the actions to take if a security incident occurs. Table 10-2 shows sample risk index calculations.

Table 10-2 Sample Risk Index Calculations

| Risk | Probability (P) (Value Between 1 and 3) | Severity (S) (Value Between 1 and 3) | Control (C) (Value Between 1 and 3) | Risk Index (P*S)/C (Value Between 1 and 9) |
|---|---|---|---|---|
| Breach of confidentiality of customer database | 1 | 3 | 2 | 1.5 |
| DDoS attack against an e-commerce server sustained for more than 1 hour | 2 | 2 | 1 | 4 |
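The following Python script is an added example, not part of the original chapter, that applies the risk index formula (P*S)/C to the two sample risks from Table 10-2, checks that every factor falls within the chosen scale (the default 1 to 3, or a wider scale such as 1 to 5 as the NOTE above suggests), and ranks the risks so that the ones needing the closest monitoring come first. The `Risk` class, the `monitoring_threshold` value and the function names are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    """One row of the risk index matrix (class name is an assumption of this example)."""
    name: str
    probability: int  # P: likelihood that compromise will occur
    severity: int     # S: severity of loss if the asset is compromised
    control: int      # C: ability to control or manage the risk


def risk_index(probability: int, severity: int, control: int, scale_max: int = 3) -> float:
    """Risk index = (probability factor * severity factor) / (control factor).

    Each factor must be an integer between 1 (lowest) and scale_max (highest);
    scale_max defaults to 3 but can be raised (e.g. 5) to differentiate risks further.
    """
    for label, value in (("probability", probability), ("severity", severity), ("control", control)):
        if not isinstance(value, int) or not 1 <= value <= scale_max:
            raise ValueError(f"{label} must be an integer between 1 and {scale_max}, got {value!r}")
    return (probability * severity) / control


def rank_risks(risks: List[Risk], scale_max: int = 3) -> List[Tuple[float, Risk]]:
    """Return (index, risk) pairs sorted from highest risk index to lowest."""
    scored = [(risk_index(r.probability, r.severity, r.control, scale_max), r) for r in risks]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


def needs_constant_monitoring(risks: List[Risk], monitoring_threshold: float = 3.0,
                              scale_max: int = 3) -> List[str]:
    """Names of risks whose index is at or above the threshold.

    The threshold value is a constructed example, not a figure from the text;
    each organization picks its own cut-off when building the matrix.
    """
    return [r.name for index, r in rank_risks(risks, scale_max) if index >= monitoring_threshold]


def matrix_rows(risks: List[Risk], scale_max: int = 3) -> List[Tuple[str, int, int, int, float]]:
    """Rows shaped like Table 10-2: (risk, P, S, C, risk index), in input order."""
    return [(r.name, r.probability, r.severity, r.control,
             risk_index(r.probability, r.severity, r.control, scale_max)) for r in risks]


# The two sample risks from Table 10-2 of the chapter.
SAMPLE_RISKS = [
    Risk("Breach of confidentiality of customer database", probability=1, severity=3, control=2),
    Risk("DDoS attack against an e-commerce server sustained for more than 1 hour",
         probability=2, severity=2, control=1),
]


if __name__ == "__main__":
    for name, p, s, c, index in matrix_rows(SAMPLE_RISKS):
        print(f"{name}: P={p} S={s} C={c} -> risk index {index:g}")
    print("Constant monitoring:", needs_constant_monitoring(SAMPLE_RISKS))
```

Running the script reproduces the indices from Table 10-2 (1.5 for the database breach, 4 for the sustained DDoS attack) and lists the DDoS risk as the one to watch most closely under the example threshold; passing `scale_max=5` lets the same functions score a matrix built on the wider scale mentioned in the NOTE.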