Information Security Governance Papers

Paper Title: Risk Determination

The Abstract of The Paper: Once the ratings for likelihood and impact have been determined through appropriate analyses, the level of risk to the system and the organization can be derived by multiplying the ratings assigned for threat likelihood (e.g., probability) and threat impact. Table 10-1 shows how to calculate an overall risk rating using inputs from the threat likelihood and impact categories using a 3x3 matrix. Depending on the requirements of the system and the granularity of risk assessment desired, 4x4 and 5x5 matrices may be used instead. The latter can include a Very Low/Very High threat likelihood and a Very Low/Very High threat impact to generate a Very Low/Very High risk level. A Very High risk level may require possible system shutdown or stopping all information system integration and testing effort.

Web Link: http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
