Risk Analysis

This diagram was created to help explain the relationship between the various components of an information risk assessment using the basic formula for risk. Audiences that are new to Information Security and/or Risk Management may need to have some of the basic terms explained.

Information Security Risk Analysis

The Basic Statement

Likelihood X Impact = Risk

The risk statement is derived by following the Blue arrows:

The Likelihood that Threats will exploit Vulnerabilities to attack Targets and compromise Information (confidentiality and/or integrity and/or availability), causing Impact = Risk.

Green arrows present the following control statements:

Risk can be Transferred to External, reducing Impact = reduced Risk

Risk can be Transferred to External, reducing Vulnerabilities, reducing Likelihood = reduced Risk

Risk can be Accepted by Executive

Risk can be Mitigated with Controls, reducing Vulnerabilities, reducing Likelihood = reduced Risk

Ideally there should be a fifth control statement which I could not fit into the diagram: Risk cannot be ignored.
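As an added illustration (not part of the original article or its diagram), the risk statement and the control statements above expressed as a small Python risk register: each entry follows the blue arrows, each treatment follows one green arrow, and "ignore" is rejected as the fifth rule. The 1-5 scales, the sample entries and the numeric reductions are constructed assumptions, and transfer is modelled as reducing impact only.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    """One row of a risk register, following the blue-arrow statement."""
    threat: str          # who or what exploits the vulnerability
    vulnerability: str   # the weakness exploited
    target: str          # the asset attacked
    cia: str             # confidentiality, integrity or availability
    likelihood: int      # constructed 1-5 scale (rare .. almost certain)
    impact: int          # constructed 1-5 scale (negligible .. severe)
    treatment: str = "untreated"

    @property
    def score(self) -> int:
        """Likelihood x Impact = Risk."""
        return self.likelihood * self.impact

    def statement(self) -> str:
        return (f"the likelihood that {self.threat} will exploit {self.vulnerability} "
                f"to attack {self.target} and compromise {self.cia}, causing impact: "
                f"{self.likelihood} x {self.impact} = {self.score} ({self.treatment})")

def treat(r: Risk, decision: str, reduction: int = 0) -> Risk:
    """Apply one green-arrow control statement and return the residual risk."""
    if decision == "transfer":   # an external party absorbs part of the impact
        return replace(r, impact=max(1, r.impact - reduction), treatment="transferred")
    if decision == "mitigate":   # controls reduce vulnerabilities, hence likelihood
        return replace(r, likelihood=max(1, r.likelihood - reduction), treatment="mitigated")
    if decision == "accept":     # executive accepts; score unchanged but recorded
        return replace(r, treatment="accepted")
    # The fifth statement that did not fit the diagram: risk cannot be ignored.
    raise ValueError(f"unsupported treatment {decision!r}: risk cannot be ignored")

# Constructed sample register; names and scores are illustrative only.
SAMPLE_REGISTER = [
    Risk("an external attacker", "an unpatched web server", "the customer portal", "confidentiality", 4, 5),
    Risk("a disgruntled insider", "a shared admin password", "the payroll database", "integrity", 2, 4),
    Risk("hardware failure", "a single disk with no backup", "the file server", "availability", 3, 3),
]

def residual_register(register, decisions):
    """Rank entries by score (highest first) and apply one (decision, reduction) pair to each."""
    ranked = sorted(register, key=lambda r: r.score, reverse=True)
    return [treat(r, d, n) for r, (d, n) in zip(ranked, decisions)]

if __name__ == "__main__":
    plan = [("mitigate", 2), ("transfer", 3), ("accept", 0)]
    for r in residual_register(SAMPLE_REGISTER, plan):
        print(r.statement())
```

Running the module prints the residual risk statement for each entry after its treatment, ranked by the original score.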

Contact us if you have questions, find this useful, or you make improvements to it.

Download this file in PDF or PowerPoint.

This diagram is shared here for non-commercial use under Creative Commons Attribution-Noncommercial-Share Alike 2.5 Canada (http://creativecommons.org/licenses/by-nc-sa/2.5/ca/).


Article ID: 1261
Tue 5/18/21 2:06 PM
Fri 4/14/23 11:30 AM