31 Jul Risk Scoring Methodology
What is Risk Scoring?
Risk scoring is the process of attaining a calculated score that tells you how severe a risk is, based off of several factors. Without a standard model for risk scoring, risk and security teams would continually struggle to communicate internally about how to allocate resources appropriately in order to minimize costs and impact to business.
When considering risk scoring, there exist two primary types of data: quantitative or qualitative. These two types can simply be broken down into whether the data is numerical, or it is not. Numerical data is quantitative, and qualitative data is more explanatory. While that’s a straightforward overview, let’s take a look at some specifics.
Quantitative analysis is really about assigning monetary values to risk components so you’re working with all numerical figures. In quantitative risk assessments, you use available data to reach a numerical value that can then be used to determine probability of a risk event and how much money is at stake.
Typical Formula: Annual Loss Expectancy – Single Loss expectancy * Annual Rate of Occurrence = Financial risk per year for that asset.
This is your risk. This can be compared to other assets to prioritize mitigation tasks and to determine ROI for controls. Clearly, you do not want your annual cost of the control to exceed the Annual Loss Expectancy of the asset.
To help you with your risk formula, use these:
Single Loss Expectancy = (Asset Value * Exposure %)
(If the asset is compromised, how much $ will you lose?)
Annual Rate of Occurrence (ARO) – How often do you expect the asset be compromised each year?
(It is often a decimal. Once every 10 years equals .1 for ARO)
Qualitative analysis gives you more freedom in your rating and typically utilizes a Risk Assessment Matrix (RAM). It uses a more subjective assessment of risk occurrence likelihood (called probability) against the possible severity of the risk outcome (called impact) to establish the overall severity of a risk.
When creating your grading scales, you’ll have to consider your assessment. In one case, a high risk rating could mean a risk is likely to occur in a month, where as in another instance it could mean the risk is likely to occur in a year. The scales are flexible and encompass many considerations that impact risk scores.
Defining scales is typically seen as the most difficult aspect of utilizing a qualitative methodology.
The risk scoring that is employed by RiskWatch software is best described as semi-quantitative. It’s based on the philosophies of Fred A. Manuele, presented in his book “Advanced Safety Management.”
RiskWatch software uses 4 factors when calculating a risk or compliance score. The definition of these factors can vary based on the product being used.
For example, SecureWatch, which focuses on physical security, employs these four factors:
- Threat Level (related to likelihood, based on the level of crime in the area, environmental volatility, history of terrorism incidents in the region, etc.)
- Criticality (importance of the facility to the organization as a whole)
- Gap Score (level of vulnerability based on the lack of security controls)
- Consequence (related to Impact, based on the potential losses – monetary, reputational, regulatory sanctions, etc.)
Formula: (Threat Level + Criticality + Gap Score) x Consequence
Subjectivity in Risk Scoring
There a wide array of opinions on this topic, but RiskWatch is of the belief that there is no way to completely eliminate subjectivity in risk scoring. Yes, even with a fully quantitative methodology. Despite looking at historical data, there is still subjective input on the numerical value assigned to certain events or risk factors.
As Manuele states, “There are no universally applied rules to assign value to elements to be scored. Value numbers in all numerical risk scoring systems are judgmental and reflect the experience and views of those who create a system.”
How do work to eliminate subjective risk scores? We allow you to set up universal scoring across departments, for example, determining up to $$$ of loss as consequence, etc. Between departments, importance would be determined at the executive level, limiting subjective influence to a single source or group that allows consistent scores and comparisons.
The main benefit to our risk score methodology is the simplicity. You can gather accurate data that is easy to understand and work with. Most executives want a simple understanding of their organization and how resources are being distributed, with clear explanation.