
Risk Variables

What are Risk Variables?

Abriska allows the risk methodology it uses to be tailored to an organisation's specific requirements by allowing different risk variables to be used to assess threats, for example impact, likelihood, probability or proximity. URM will initially set up the product to use its own risk assessment methodology, which can then be tailored to reflect an organisation-specific risk appetite or any existing model.

The explanation of the chosen methodology is available from the methodology tab on RA Setup.

Default Methodology

URM’s methodology is as follows:

Likelihood – “the chance of something happening”. This is made up of two factors:

  1. Vulnerability – Measured on a scale of 1 - 5 (1 is low vulnerability, 5 is high vulnerability), this is a measure of how much control an organisation has over a potential threat occurring. If an organisation has strong controls in place to mitigate a threat, then the vulnerability score will be low. However, if there are potential weaknesses or improvements that could be made, then the vulnerability score could be higher.
    Within the 27001 module the score is calculated using the maturity score given to a control and the correlating percentage (to see how to edit this, visit Maturity Model).
  2. Probability – This is a measure of any external factors that are outside of an organisation's control. For example, a pandemic may be certain to happen within the next 2 years. The higher the probability, the more certain an event is to happen.

The default method for calculating a likelihood score is to average these two variables.

    Likelihood Calculation

Impact – “evaluated consequence of a particular outcome”. This is made up of only one factor:

  1. Consequence – This is the direct impact inflicted on an organisation as a result of the threat occurring. For example, if a flood would result in destruction of assets then this impact would need to be quantified.

How is Vulnerability Calculated?

Vulnerability is based on the effectiveness of the controls in place to mitigate a threat. If the control has a high maturity (on a scale from 0-Non existent to 5-Optimised), the vulnerability will be low; if the control has a low maturity, the vulnerability to a threat will be high.

Control maturity is translated into its effectiveness (see Maturity Model), and this is then converted into vulnerability for the risk calculation (Risk = Likelihood x Impact).
Control vulnerability (control score 0-5 = % effectiveness = vulnerability 1-5)


Example a) 1-Initial/Ad Hoc = 10% effective
10% of the range between 1 and 5 is:
(5-1) = 4
4 * 10% = 0.4
5 - 0.4 = 4.6

Example b) 3-Defined Process = 50% effective
4 * 50% = 2
5 - 2 = 3

Control effectiveness and vulnerability
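
The calculation chain described on this page, from control maturity through vulnerability and likelihood to a risk score, as an added Python example (not Abriska's own code). It assumes probability and consequence are scored 1-5 like vulnerability and that intermediate scores are not rounded; the function names and the sample register are constructed for illustration.

```python
SCALE_MIN, SCALE_MAX = 1, 5

# Maturity level -> control effectiveness. Only the two pairs quoted on this
# page; the remaining levels are whatever the Maturity Model is configured with.
EFFECTIVENESS = {1: 0.10, 3: 0.50}


def vulnerability(maturity, effectiveness=EFFECTIVENESS):
    """Take the effectiveness share of the 1-5 range off the top of the scale."""
    if maturity not in effectiveness:
        raise KeyError(f"no effectiveness configured for maturity {maturity}")
    return SCALE_MAX - (SCALE_MAX - SCALE_MIN) * effectiveness[maturity]


def likelihood(vuln, probability):
    """Default method: average of vulnerability and probability."""
    if not SCALE_MIN <= probability <= SCALE_MAX:  # assumed 1-5 scale
        raise ValueError(f"probability {probability} outside 1-5")
    return (vuln + probability) / 2


def risk(maturity, probability, consequence):
    """Risk = Likelihood x Impact; Impact is the single consequence score."""
    if not SCALE_MIN <= consequence <= SCALE_MAX:  # assumed 1-5 scale
        raise ValueError(f"consequence {consequence} outside 1-5")
    return likelihood(vulnerability(maturity), probability) * consequence


def rank(register):
    """Return (threat, risk) pairs, highest risk first."""
    scored = [(t, round(risk(m, p, c), 2)) for t, m, p, c in register]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample register: (threat, control maturity, probability, consequence)
REGISTER = [
    ("Flood destroys assets", 1, 2, 5),
    ("Pandemic", 3, 5, 4),
    ("Flood, control raised to Defined Process", 3, 2, 5),
]

if __name__ == "__main__":
    for threat, score in rank(REGISTER):
        print(f"{score:5.2f}  {threat}")
```

The third row repeats the flood threat with the control matured from 1 to 3, which shows how much of the risk score is driven by control maturity alone.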



URM can assist an organisation to define a suitable risk assessment methodology.

