Risk Machine – Probability of risk treatment

This part deals with the probability of risk treatment. In most risk management systems the common components are the probability of risk occurrence and the risk impact. But when a risk materializes, several actions take place immediately to attenuate its impact. These risk treatment actions lower the probability that the full impact of the risk is realized.

In this part several technical questions are asked concerning the availability and/or the security (integrity/confidentiality) of a system. These questions are limited to technical IT systems, but similar questions could also be developed for other categories of risks.

Each question has to be evaluated between yes and no, but only the percentage for yes has to be entered; the no percentage is calculated automatically. Values between 1 and 99 % can be entered. 0 % and 100 % are not possible, to avoid multiplication by zero.


What follows now is a calculation of the probability of all possible yes/no combinations, based on the initial probability of risk occurrence. It is not useful to consider every combination separately, so they are consolidated into four basic scenarios for the availability and/or the security (integrity/confidentiality) of a system. For the lower part of the calculation (integrity/confidentiality) I have introduced a correction factor to weight between three different scenarios if data gets out of the company.

In the end you have a probability of all consolidated risk scenarios for the availability and/or the security (integrity/confidentiality) of a system.
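
The calculation described above can be sketched as follows. This is an added example, not the Risk Machine's own spreadsheet logic: the three availability questions, the mapping of answer combinations to four scenarios, and the sample percentages are all constructed, the questions are assumed to be independent, and the correction factor for the integrity/confidentiality part is not modelled.

```python
from itertools import product

def branch_probabilities(p_occurrence, yes_pct):
    """Probability of every yes/no combination, scaled by the occurrence probability."""
    for name, pct in yes_pct.items():
        # 0 % and 100 % are rejected so that no branch is multiplied by zero.
        if not 1 <= pct <= 99:
            raise ValueError(f"{name}: yes percentage must be between 1 and 99")
    names = list(yes_pct)
    branches = {}
    for answers in product((True, False), repeat=len(names)):
        p = p_occurrence
        for name, yes in zip(names, answers):
            p_yes = yes_pct[name] / 100
            p *= p_yes if yes else 1 - p_yes  # "no" is derived from "yes"
        branches[answers] = p
    return names, branches

def consolidate(names, branches, classify):
    """Sum branch probabilities into the scenario each combination belongs to."""
    totals = {}
    for answers, p in branches.items():
        scenario = classify(dict(zip(names, answers)))
        totals[scenario] = totals.get(scenario, 0.0) + p
    return totals

def classify_availability(a):
    """Hypothetical mapping of answers to four availability scenarios."""
    if a["failover_available"]:
        return "minor outage"
    if not a["backup_restorable"]:
        return "full impact"
    return "short outage" if a["detected_quickly"] else "long outage"

# Constructed sample input: 20 % occurrence probability, yes percentages per question.
P_OCCURRENCE = 0.20
YES_PCT = {"detected_quickly": 80, "failover_available": 70, "backup_restorable": 90}

if __name__ == "__main__":
    names, branches = branch_probabilities(P_OCCURRENCE, YES_PCT)
    for scenario, p in consolidate(names, branches, classify_availability).items():
        print(f"{scenario:13s} {p:.4f}")
```

The scenario probabilities always add up to the initial occurrence probability, which is a quick sanity check on any scenario mapping.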

The evaluation of the probability of risk occurrence has now been finished. The next part will describe the assessment of the financial impact of a risk.
