Calculating risk level in Cyberday

Risk evaluation is the step in information security risk management in which you put the risks in a prioritized order by evaluating their impact and likelihood, and thus arrive at a risk level for each of them.

Risk automation settings

Risk management can be executed in Cyberday fully manually or by taking advantage of our automations.

You can find the settings for this in Settings -> Risk management: General settings.

If you want to take advantage of Cyberday's automated risk evaluation, enable the risk autopilot.

What is automated risk evaluation?

As you remember from the beginning of this article, the point of risk evaluation is to get the risks into a correctly prioritized order. This should take into account the nature of the threat, but also the controls you already have in place, the type of your business and its operating environment.

This is not a simple task, and the automated risk evaluation is in place to assist you.

If you're using automated risk evaluation, the following things will happen automatically:

  • Filling a starting evaluation for each risk (likelihood + impact values) according to expert opinion
  • Adjusting the risk level according to risk control factor

Cyberday will always automatically connect related control tasks to risks, but you can also adjust these connections manually from the risk card.

Details for calculating the risk level

The risk level is calculated by multiplying likelihood x impact. Depending on your risk autopilot setting, this product is then multiplied by the maturity factor of your current controls, a value between 0 and 1 called the risk control factor.

Risk level with risk autopilot

If you keep risk autopilot enabled, the risk level is calculated by likelihood x impact x risk control factor.

Risk control factor is calculated in the following way and is always between 0-1:

  1. Find all control tasks connected to the risk (on block "Current risk control tasks")
  2. Create a risk control value for each risk control task according to its status
    • 0.02 when status is PENDING (Not done)
    • 0.05 when status is ACTIVE (Partly/Mostly done)
    • 0.10 when status is DONE (Fully done)
  3. Adjust the risk control value for each risk control task according to its priority
    • 2x when priority is CRITICAL
    • 1.5x when priority is HIGH
    • 1x when priority is MEDIUM
    • 0.5x when priority is LOW
  4. Subtract the sum of all tasks' risk control values from 1 to get the risk control factor for this risk
    • e.g. 1 - ( done_low_priority_task + active_high_priority_task)
    • = 1 - (0.05 + 0.075)
    • = 0.875

In this case, if the risk's evaluated initial values for likelihood and impact are 2 and 3, the calculation would be:

  • Risk level = 2 * 3 * 0.875 = 5.25
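The steps above, implemented end to end as an added example (this is my own code, not Cyberday's implementation): the status values, priority multipliers and the 1 - sum formula are taken from the article, while the class and function names, the task names and the clamping to the 0-1 range are my own assumptions. It reproduces the article's worked example (factor 0.875, risk level 5.25) and also shows the autopilot-off case and what happens when many completed critical tasks push the sum past 1.

```python
"""Risk level calculation following the article's formula.

Added example, not Cyberday's own code. Names are hypothetical; the
numbers (status values, priority multipliers) are the ones the article lists.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Sequence


class Status(Enum):
    """Risk control value per task status (step 2)."""
    PENDING = 0.02   # Not done
    ACTIVE = 0.05    # Partly/Mostly done
    DONE = 0.10      # Fully done


class Priority(Enum):
    """Multiplier applied to the task's risk control value (step 3)."""
    CRITICAL = 2.0
    HIGH = 1.5
    MEDIUM = 1.0
    LOW = 0.5


@dataclass(frozen=True)
class ControlTask:
    """A control task connected to a risk (block 'Current risk control tasks')."""
    name: str
    status: Status
    priority: Priority

    def risk_control_value(self) -> float:
        # Steps 2 and 3: status value scaled by the priority multiplier.
        return self.status.value * self.priority.value


def risk_control_factor(tasks: Iterable[ControlTask]) -> float:
    """Step 4: 1 minus the sum of all connected tasks' risk control values.

    The article states the factor is always between 0 and 1. Enough DONE
    CRITICAL tasks (0.2 each) would push the sum past 1, so the result is
    clamped here; the clamp is an assumption about how that bound is enforced.
    """
    reduction = sum(t.risk_control_value() for t in tasks)
    return max(0.0, min(1.0, 1.0 - reduction))


def risk_level(likelihood: int, impact: int,
               tasks: Sequence[ControlTask] = (),
               autopilot: bool = True) -> float:
    """likelihood x impact, times the control factor when autopilot is on."""
    if likelihood <= 0 or impact <= 0:
        raise ValueError("likelihood and impact must be positive")
    base = likelihood * impact
    if not autopilot:
        # Autopilot disabled: manual evaluation, no control factor applied.
        return float(base)
    return base * risk_control_factor(tasks)


def prioritize(risks: dict[str, float]) -> list[tuple[str, float]]:
    """Order risks by level, highest first (the purpose of risk evaluation)."""
    return sorted(risks.items(), key=lambda kv: kv[1], reverse=True)


# Constructed input mirroring the article's example:
# one DONE/LOW task (0.10 x 0.5) and one ACTIVE/HIGH task (0.05 x 1.5).
EXAMPLE_TASKS = (
    ControlTask("Backups restore-tested", Status.DONE, Priority.LOW),
    ControlTask("MFA rollout", Status.ACTIVE, Priority.HIGH),
)

if __name__ == "__main__":
    print(risk_control_factor(EXAMPLE_TASKS))               # 0.875
    print(risk_level(2, 3, EXAMPLE_TASKS))                  # 5.25
    print(risk_level(2, 3, EXAMPLE_TASKS, autopilot=False)) # 6.0
```

Note that with the article's values a single fully done CRITICAL task lowers the factor by 0.2, while a PENDING LOW task changes it by only 0.01, so connecting the right tasks to a risk matters far more than connecting many of them.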

Risk level without risk autopilot

If you decide to disable the risk autopilot, then you're filling the risk evaluations manually and the risk level is calculated directly by likelihood x impact.
