Security-risk assessment, reinvented

InfoWorld Security Adviser Roger A. Grimes offers a tool for more accurately ranking the threat levels at your organization

Page 2 of 2

Payload for successful attack (alternate version)

  • Low damage (low risk)
  • Medium damage (medium risk)
  • High damage (high risk)

Available mitigations

  • Patch available directly from vendor (lower risk)
  • Patch not available directly from vendor or third party (higher risk)
  • Patch available from third party (medium risk)
  • Easy-to-deploy nonpatch mitigation available (low risk)
  • Complex nonpatch mitigation available (higher risk)

Likelihood of exploitation being used against target environment

  • Actively being used (highest risk)
  • Likely to be used (medium to high risk)
  • Unlikely to be used (low risk)
  • Cannot be used (lowest risk)

Wow, that's a lot. See what I mean?

To make it a little easier to use in the real world, I created a spreadsheet that helps calculate a threat's overall risk on a scale of 1 to 5, with 5 being the highest criticality. To use the file, fill in the relative ranking that each question's outcome has in your overall risk decision. (I weighted each of the nine main categories evenly at 11.1 percent.) Rank each component on the five-point scale; your category rankings and per-question risk ratings then produce a final value in the bottom-right cell.

In the spreadsheet, I included a sample worksheet based upon a recent Microsoft vulnerability announcement. My example's calculated outcome, 3.6, indicates that the vulnerability is medium to high risk in my environment. It should be patched relatively soon, as Microsoft also asserts.
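As an added example (not the author's spreadsheet or InfoWorld's code), here is a small Python scorer that applies the weighting scheme described above: equal weights across the categories, a 1-to-5 rating per category, and a single rounded result. The numeric scores assigned to each option and the placeholder names for the categories not shown on this page are assumptions.

```python
from typing import Dict, Mapping, Optional

# Five-point scale from the article: 1 = lowest, 5 = highest criticality.
# The number given to each option is an assumption read off the article's
# "(low risk)" ... "(highest risk)" labels, not a value from the spreadsheet.
OPTION_SCORES: Dict[str, Dict[str, int]] = {
    "payload": {"low damage": 1, "medium damage": 3, "high damage": 5},
    "mitigations": {"easy nonpatch mitigation": 1, "vendor patch": 2,
                    "third-party patch": 3, "complex nonpatch mitigation": 4,
                    "no patch available": 5},
    "likelihood": {"cannot be used": 1, "unlikely": 2, "likely": 4,
                   "actively used": 5},
}


def score_option(category: str, option: str) -> int:
    """Translate a qualitative answer into its 1-5 rating."""
    return OPTION_SCORES[category][option]


def overall_risk(ratings: Mapping[str, int],
                 weights: Optional[Mapping[str, float]] = None) -> float:
    """Weighted average of per-category ratings, rounded to one decimal.
    Without explicit weights each category gets 1/n, which for the article's
    nine categories is the 11.1 percent it describes."""
    if not ratings:
        raise ValueError("at least one category rating is required")
    if any(not 1 <= r <= 5 for r in ratings.values()):
        raise ValueError("ratings must be on the 1-5 scale")
    if weights is None:
        weights = {c: 1 / len(ratings) for c in ratings}
    if set(weights) != set(ratings):
        raise ValueError("weights and ratings must cover the same categories")
    if abs(sum(weights.values()) - 1.0) > 1e-6:
        raise ValueError("weights must sum to 100 percent")
    return round(sum(weights[c] * ratings[c] for c in ratings), 1)


def sample_assessment() -> Dict[str, int]:
    """Constructed nine-category input. The six 'other_N' entries stand in
    for the categories on the article's first page, which are not shown here."""
    ratings = {"payload": score_option("payload", "high damage"),
               "mitigations": score_option("mitigations", "vendor patch"),
               "likelihood": score_option("likelihood", "actively used")}
    for i, r in enumerate([4, 4, 3, 4, 3, 4], start=1):
        ratings[f"other_{i}"] = r
    return ratings


print(overall_risk(sample_assessment()))  # 3.8
```

The validation steps are the part a spreadsheet silently skips: a weight column that no longer sums to 100 percent, or a rating typed outside the 1-5 scale, will quietly skew the bottom-right cell.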

No doubt I've done more than a little reinventing the wheel here, but this more in-depth analysis helped me to confirm what I previously felt in my gut. Hopefully, I've added at least one component for consideration to your already existing risk model.

I welcome feedback, observations, and corrections in the comments section below.

This story, "Security-risk assessment, reinvented," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.
