The first part within the risk machine is the determination of the probability of risk occurrence:

For the predefined loss-incurring primary event “System is compromised”, ten qualitative questions affecting the probability of risk occurrence have to be answered by the technical experts. For every question you choose one of the predefined values from a drop-down list. For example, for the first question “Amount of concerned assets (server, router, clients …)” you can select the values “1, up to 10, up to 100, up to 1.000, from 1.001”. Each qualitative answer is translated into a quantitative value. The quantitative values of all ten questions are summed to a total, and the interval that total falls into is mapped to a probability. The mapping is the following:
Qualitative assessment (total)   Probability
2-9                               2,5 %
10-18                            12,5 %
19-27                            35 %
28-37                            75 %
Of course, this model could be made more fine-grained.
After the probability of the primary event has been determined, you have to estimate whether this primary event affects the availability and/or the security (integrity / confidentiality) of your system (values between 0 and 100 %). This yields the probability of each of the two loss-incurring secondary events, which we will process further in the next part, “Probability of risk treatment”.
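The score-to-probability mapping and the split into the two secondary events, worked through as an added example (not the risk machine's own code). The points behind each drop-down answer and the rule that a secondary-event probability is the primary probability scaled by the estimated availability/security share are assumptions, since the text does not state them.

```python
# Score bands and probabilities (in %) exactly as given in the table above.
BANDS = [
    ((2, 9), 2.5),
    ((10, 18), 12.5),
    ((19, 27), 35.0),
    ((28, 37), 75.0),
]

# Constructed points table for the first question ("Amount of concerned assets").
# The page does not give the points behind each drop-down value; assumed here.
ASSET_COUNT_POINTS = {
    "1": 1,
    "up to 10": 2,
    "up to 100": 3,
    "up to 1.000": 4,
    "from 1.001": 5,
}

def primary_probability(question_points):
    """Sum the quantitative values of the ten questions and map the total to a band.

    Returns (total, probability_in_percent)."""
    if len(question_points) != 10:
        raise ValueError("the model expects exactly ten answered questions")
    total = sum(question_points)
    for (low, high), prob in BANDS:
        if low <= total <= high:
            return total, prob
    # A total outside 2..37 is not covered by the model; fail loudly rather than guess.
    raise ValueError(f"total {total} lies outside the defined bands")

def secondary_probabilities(primary_prob, availability_share, security_share):
    """Derive the two secondary-event probabilities.

    Assumed interpretation: the primary probability is scaled by the expert's
    estimated share (0-100 %) with which the event hits availability / security."""
    for share in (availability_share, security_share):
        if not 0 <= share <= 100:
            raise ValueError("shares must lie between 0 and 100 %")
    return {
        "availability": round(primary_prob * availability_share / 100, 3),
        "security": round(primary_prob * security_share / 100, 3),
    }

if __name__ == "__main__":
    # Constructed answers: first question "up to 100", remaining nine questions 2 points each.
    points = [ASSET_COUNT_POINTS["up to 100"]] + [2] * 9
    total, p_primary = primary_probability(points)
    print(f"total={total} -> P(system compromised)={p_primary} %")
    print(secondary_probabilities(p_primary, availability_share=80, security_share=50))
```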
