Once a risk is identified it should be scored and prioritized. The most basic risk formula is Impact × Likelihood. The calculation can be as simple as estimating both impact and likelihood on a 1 – 5 scale, for a maximum score of 25, or as involved as the Common Vulnerability Scoring System (CVSS), which combines a set of weighted metrics into a 0 – 10 score. Although CVSS is designed for specific software vulnerabilities, it can be applied to other risks with some open-mindedness about what each metric represents, provided everyone doing the scoring agrees on the mapping.
Consider the risk statement: “If the data center is flooded, we will lose the production website and ~$30,000 of revenue per hour of downtime.” Where would you place this risk on the chart? First, consider the likelihood of the data center flooding. Is the data center in a flood zone? What is the annual rate of occurrence for a flood? Would a minor flood reach the data center, or would it take a once-in-100-years flood? Each risk statement you identify may have a different set of likelihood factors to consider, and for that reason the 5×5 chart may be the more appropriate scoring tool. Next, consider the impact. The risk statement says we will lose $30k per hour, but how big an impact is that to the business? Are there other revenue sources? How does it compare to the company’s overall top-line revenue? If this is the only revenue source, it would easily be considered catastrophic. Let’s say this risk requires a 100-year flood event and that the impact is catastrophic. Let’s further say there hasn’t been a 100-year flood in over 90 years, which makes the likelihood either unlikely or possible. (Be careful with that reasoning: a “100-year flood” is one with roughly a 1% chance of occurring in any given year, and that chance does not rise because the last one was long ago. Over a 10-year planning horizon the cumulative probability is still about 10%, which is why “possible” is also defensible.) You could argue for a higher likelihood, but for demonstration’s sake let’s say we agreed on “unlikely”. Unlikely × Catastrophic yields a Medium risk: likelihood 2 × impact 5 gives a score of 10 out of a maximum of 25.
CVSS is meant for software vulnerabilities, but with a shoehorn you can make it fit your other risks as well. Let’s score the same data-center flooding risk with the CVSS v3.1 base score calculator. First is Attack Vector: where is the threat coming from? It can be Network (reachable over the internet), Adjacent (limited to the same local network segment, or, read loosely, a partner network), Local (requires access to the machine itself), or Physical. Flooding fits squarely in the Physical space. Attack Complexity is Low, since we are assuming there are no flood protections in the way. Privileges Required is None, since you don’t have to log into anything to flood a data center, and there is no User Interaction. Scope is Unchanged (“The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope”). Since flooding would not spill any secrets or corrupt any customer data, we’ll mark Confidentiality and Integrity as None, but Availability as High since it would be a complete loss of availability. That gives the vector CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and a base score of 4.6 out of 10, a Medium severity (the 4.0 – 6.9 band), in line with the 5×5 result. Note what drove the number: the Physical attack vector carries a weight of only 0.2 in the exploitability sub-score, so even a complete loss of availability stays in the Medium band.