
Risk Likelihood, Risk Impact, and Risk Level Definitions

DRAFT

Version 1/FINAL: 1/6/12

Risk Likelihood, Risk Impact, and Risk Level Definitions – NIST SP 800-30

This information was taken directly from NIST SP 800-30.

Level            Likelihood Definitions
High (1.0)       The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Moderate (.5)    The threat source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low (.1)         The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

Impact Analysis: The adverse impact of a security event in terms of loss or degradation of any, or a combination of any, of the following three security goals, resulting from successful exploitation of a vulnerability:

  • Loss of Confidentiality – Impact of unauthorized disclosure of confidential information (e.g., Privacy Act). Unauthorized, unanticipated, or unintentional disclosure could result in loss of public confidence, embarrassment, or legal action against the organization.
  • Loss of Integrity – Impact if system or data integrity is compromised by intentional or accidental changes to the data or system.
  • Loss of Availability – Impact to system functionality and operational effectiveness should systems be unavailable to end users.

Magnitude of Impact    Impact Definitions
High (100)             Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.
Moderate (50)          Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury.
Low (10)               Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources; (2) may noticeably affect an organization’s mission, reputation, or interest.

Risk Level Determination: The risk level represents the degree of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability were exercised. It is determined from:

  • The likelihood of a given threat source’s attempting to exercise a given vulnerability.
  • The magnitude of the impact should a threat-source successfully exercise the vulnerability.
  • The adequacy of planned or existing security controls for reducing or eliminating risk.

Risk Level (score)     Risk Level Definitions
High (>50-100)         There is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Moderate (>10-50)      Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low (1-10)             The system’s Authorizing Official must determine whether corrective actions are still required or decide to accept the risk.


Risk Calculation Worksheet

The following NIST SP 800-30 calculation worksheet provides instructions for determining the overall risk level for this report. A history of past occurrences can help determine the threat likelihood level, and the impact level can take into account financial impact, employee safety, and many other factors.

Risk Scale and Necessary Actions

The following Risk Scale and Necessary Actions table presents the actions that NIST SP 800-30 recommends senior management (the mission owners) take for each risk level. Your organization should determine whether this, or another methodology, will be used.

Risk Level    Risk Description and Necessary Actions
High          If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium        If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low           If an observation is described as low risk, the system’s Designated Approving Authority (DAA) must determine whether corrective actions are still required or decide to accept the risk.
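The calculation that the worksheet and the Risk Scale table above describe, as an added example (not code from HIPAA COW or from NIST): it assumes the NIST SP 800-30 (2002) rule that the risk score is the likelihood weight multiplied by the impact weight, which is what produces the 1-10, >10-50 and >50-100 ranges given above, and the findings it rates are constructed for illustration.

```python
# Added example, not HIPAA COW's or NIST's own code: a small worksheet that
# applies the scheme tabulated above. Assumption (NIST SP 800-30, 2002, Table
# 3-6): risk score = likelihood weight x impact weight, which yields exactly the
# Low 1-10 / Moderate >10-50 / High >50-100 ranges on this page.
LEVELS = ("High", "Moderate", "Low")
LIKELIHOOD = {"High": 1.0, "Moderate": 0.5, "Medium": 0.5, "Low": 0.1}  # Medium = Moderate
IMPACT = {"High": 100, "Moderate": 50, "Medium": 50, "Low": 10}
ACTIONS = {  # necessary actions, condensed from the Risk Scale table above
    "High": "Corrective action plan must be put in place as soon as possible.",
    "Moderate": "Plan corrective actions within a reasonable period of time.",
    "Low": "Authorizing Official decides: corrective action or accept the risk.",
}

def risk_score(likelihood, impact):
    """Likelihood weight x impact weight; ValueError on an unknown rating."""
    try:
        return round(LIKELIHOOD[likelihood.title()] * IMPACT[impact.title()], 1)
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc}; use High, Moderate or Low") from exc

def risk_level(score):
    """Map a score onto the page's risk level ranges (1-10, >10-50, >50-100)."""
    if not 1 <= score <= 100:
        raise ValueError(f"score {score} is outside the 1-100 scale")
    return "High" if score > 50 else "Moderate" if score > 10 else "Low"

def risk_matrix():
    """All nine pairs; note Low likelihood x High impact scores 10, i.e. Low risk."""
    return {(l, i): (risk_score(l, i), risk_level(risk_score(l, i)))
            for l in LEVELS for i in LEVELS}

def rate_findings(findings):
    """Rate (name, likelihood, impact) findings, highest risk first."""
    rated = [{"finding": n, "score": risk_score(l, i), "level": risk_level(risk_score(l, i))}
             for n, l, i in findings]
    for row in rated:
        row["action"] = ACTIONS[row["level"]]
    return sorted(rated, key=lambda r: r["score"], reverse=True)

SAMPLE_FINDINGS = [  # constructed sample findings for a hypothetical assessment
    ("Unpatched database server reachable from the internet", "High", "High"),
    ("Backup tapes stored off site without encryption", "Low", "High"),
    ("Shared workstation login in the billing office", "Medium", "Moderate"),
]

if __name__ == "__main__":
    for row in rate_findings(SAMPLE_FINDINGS):
        print(f"{row['score']:>5}  {row['level']:<8}  {row['finding']}: {row['action']}")
```

The matrix makes one property of the scheme visible: a Low likelihood against a High impact scores 10 and lands in the Low band, so findings with severe but unlikely consequences need the Authorizing Official's explicit accept-or-remediate decision rather than automatic escalation.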

© Copyright 2012 HIPAA COW. Page 1 of 2.
