Security-risk assessment, reinvented

InfoWorld Security Adviser Roger A. Grimes offers a tool for more accurately ranking the threat levels at your organization

Page 2 of 2

Payload for successful attack (alternate version)

  • Low damage (low risk)
  • Medium damage (medium risk)
  • High damage (high risk)

Available mitigations

  • Patch available directly from vendor (lower risk)
  • Patch not available directly from vendor or third party (higher risk)
  • Patch available from third party (medium risk)
  • Easy-to-deploy nonpatch mitigation available (low risk)
  • Complex nonpatch mitigation available (higher risk)

Likelihood of exploitation being used against target environment

  • Actively being used (highest risk)
  • Likely to be used (medium to high risk)
  • Unlikely to be used (low risk)
  • Cannot be used (lowest risk)

Wow, that's a lot. See what I mean?

To make it a little easier to use in the real world, I created a spreadsheet that helps calculates a threat's overall risk, on a scale of 1 to 5, with 5 being the highest criticality. To use the file, fill in the relative ranking that each question's outcome has to your overall risk decision. (I weighted each of the nine main categories evenly at 11.1 percent.) Rank each component on the five-point scale; your category rankings and risk ratings per question should lead to a final value, located in the bottom-right cell.

In the spreadsheet, I included a sample worksheet based upon a recent Microsoft vulnerability announcement. My example calculated outcome, a 3.6, indicates that the vulnerability is medium to high risk in my environment. It should be patched relatively soon, as Microsoft also asserts.

No doubt I've done more than a little reinventing the wheel here, but this more in-depth analysis helped me to confirm what I previously felt in my gut. Hopefully, I've added at least one component for consideration to your already existing risk model.

I welcome feedback, observations, and corrections in the comments section below.

This story, "Security-risk assessment, reinvented," was originally published at Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at For the latest business technology news, follow on Twitter.

| 1 2 Page 2
Cybersecurity market research: Top 15 statistics for 2017