
Risk Variables

What are Risk Variables?

Abriska allows the risk methodology it uses to be tailored to an organisation's specific requirements by allowing different risk variables to be used to assess threats, for example impact, likelihood, probability or proximity. URM will initially set up the product to utilise its own risk assessment methodology, which can then be tailored to reflect an organisation-specific risk appetite or any existing model.

The explanation of the chosen methodology is available from the methodology tab on RA Setup.

Default Methodology

URM’s methodology is as follows:

Likelihood – “the chance of something happening”. This is made up of two factors:

  1. Vulnerability – This is a measure of how much control an organisation has over a potential threat occurring. If an organisation has strong controls in place to mitigate a threat, then the vulnerability score will be low. However, if there are potential weaknesses or improvements that could be made, then the vulnerability score could be higher.
    Within the 27001 module, the score is calculated using the maturity score given to a control and the correlating percentage (to see how to edit this, visit Maturity Model).
  2. Probability – This is a measure of any external factors that are outside of an organisation's control. For example, a pandemic may be certain to happen within the next 2 years. The higher the probability, the more certain an event is to happen.

The default method for calculating a likelihood score is to average these two variables.

Impact – “evaluated consequence of a particular outcome”. This is made up of only one factor:

  1. Consequence – This is the direct impact inflicted on an organisation as a result of the threat occurring. For example, if a flood would result in destruction of assets then this impact would need to be quantified.

URM can assist an organisation to define a suitable risk assessment methodology.

