Skip to main content

How is inherent risk calculated?

James Rabe
  • Updated

Introduction

This article explores the three primaries types of risk calculated in IriusRisk and explores how inherent risk is calculated. 

Risk types - Inherent, Current, and Projected

Each threat in IriusRisk has three different risk values all of them with a maximum value of 100 and a minimum value of 0.

Inherent risk: This is the "starter" risk the one that represents the risk natural to affected assets and it's exposure. Inherent risk represents the complete risk with zero mitigations being applied to this given scenario.  

Formula 1 - Inherent Risk = impact x likelihood (NOTE: the formula for inherent risk is independent of currently in place mitigations or planned mitigations. It is based solely on the threats, assets, and weaknesses associated within). 

 

Current risk: This is the current risk value which is equal to inherent risk minus currently implemented mitigations or countermeasures.

Formula 2 - Current Risk = Inherent Risk - implemented mitigation

 

Projected risk: This is our goal risk the one we will have once we have already implemented all required countermeasures. It's calculated by subtracting from the inherent risk the risk reduction produced for all implemented and required countermeasures. It's exactly like calculate the current risk assuming that all required countermeasures are already implemented.

Formula 3 - Projected Risk = Current risk - planned mitigations (countermeasures in a required status)

 

The qualitative output of these three variables can be seen within the threats interface within IriusRisk. 

2022-08-22_11_18_14-AWS_Environment___IriusRisk.png

Quantitative values are translated into qualitative outputs of very low (0 - 20), low (>20 - 40), medium (>40 - 60) , high (>60 - 80), and critical (>80).

 

Calculating Inherent Risk

Calculating Impact - 

Impact is calculated by the threats technical impact with a final output ranging from 0 - 100.

Formula 1a - Impact = (Threat Technical Impact x Business impact weighting x Weakness Impact)/100 + (Asset Value x Asset Weighting)

Impacts are related to confidentiality, impact, and availability within a given threat. These items are set by the rules engine (configured by the security library content or by the end user on the threat model). These values are very low (0-20), low (20-40), medium (40-60), high (60-80), very high (80-100).

2022-08-22_15_27_42-AWS_Environment___IriusRisk.png

By default the business impact weighting is set to 1. 

2022-08-22_15_31_09-Risk_calculation___IriusRisk.png

Threat Weakness values are derived from the weakness added to each individual threat. 

2022-08-22_15_28_29-AWS_Environment___IriusRisk.png

If a threat has multiple weaknesses, the inherent calculation will use the greatest weakness. 

NOTE - calculating the impact value will require determining the high-water mark of each threat impact type (confidentiality or integrity or availability) combination with the greatest weakness with the greatest average asset. 

For Example:

  • (Threat Impact (Confidentiality) x weighting (1) x Weakness)/100 + (Asset Confidentiality x Asset weighting)
  • (Threat Impact (Integrity x weighting (1) x Weakness)/100 + (Asset Integrity x Asset weighting)
  • (Threat Impact (Availability x weighting (1) x Weakness)/100 + (Asset Impact x Asset weighting)

This would need to be repeated for every Threat/Asset combination and then the highest combination would be used to in the final impact formula for the threat impact. 

Formula 1b - Asset Value = highest value of the average of asset values pertaining to a given threat

Assets are assigned per component and since multiple assets can be assigned to any given component, the asset that has the highest averaged score of confidentiality, integrity, and availability for a given asset. This high-water mark  is used to ensure that a lower asset class does not accidentally minimize the inherent risk of a threat that might pertain to a higher impacting or more sensitive asset on the same component. 

If a given component has three different assets assigned with the following security classifications, the final calculation would proceed as follows: 

2022-08-22_15_34_12-Security_classifications___IriusRisk.png

2022-08-22_15_35_24-Assets___IriusRisk.png

All three assets were assigned on a component with several potential threats and weaknesses: 

Asset Confidentiality Integrity Availability Average
Asset 1 - Advertising Information 0 20 0 6.671
Asset 2 - Customer Data 100 100 20 73.3
Asset 3 - Protected Health Information 100 100 20 73.3

Using the high-water mark, we would use the highest average asset score (in this example, we have a two way tie of 73.3). 

Assets also have a default weighting of 1 in the impact formula. 

2022-08-22_15_31_09-Risk_calculation___IriusRisk2.png

The impact function must be a value from 0 - 100 so any value over 100 must be adjusted by using the following equation. 

Adjustment Formula 1= (value) x 100 / maximum possible value

This formula effectively expresses our raw formula as a percentage of its maximum value.

The maximum value  for formula 1a is (Threat Technical Impact (100) x Business impact weighting (1) x Weakness Impact (100))/100 + (Asset Value(100) x Asset Weighting (1) = 200. As default values are changed this value will be adjusted. 

 

Calculating Likelihood - 

The second half of calculating the inherent risk takes us to the likelihood portion of this equation. 

Formula 1c - Likelihood = exposure rating x exposure rating default + ease of exploitation x ease of exploitation weighting

The ease of exploitation rating is taken from the individual threat has five possible values (very low, low, medium, high, and very high which are segmented into 20 unit intervals from 0 - 100). 

2022-08-22_16_00_10-AWS_Environment___IriusRisk.png

Formula 1d - exposure rating = 100 - Trust Zone Rating

Using the trust zone that is closest to the component/asset/threat that we are calculating the inherent risk score for, the trust zone rating is leverage to calculate the exposure rating. 

2022-08-22_15_58_03-Trust_zones___IriusRisk.png

The likelihood function must be a value from 0 - 100 so any value over 100 must be adjusted by using the following previously mention adjustment formula

Adjustment Formula 1= (value) x 100 / maximum possible value

This formula effectively expresses our raw formula as a percentage of its maximum value.

The maximum value  for Formula 1c - Likelihood = exposure rating (100) x exposure rating default (1)+ ease of exploitation (100) x ease of exploitation weighting (1) is 200. As default values are changed this value will be adjusted. 

 

Calculating the final inherent risk value - 

Taking the impact value and the likelihood value described above into formula 1 can result in a value outside of the range of 0-100 required for reporting this value. This value must adjusted using the following formula. 

Adjustment formula 2 - adjusted value = square root (raw value)

This final adjustment will produce a value from 0 - 100. 

 

EXAMPLE:

Component 1

 -->Trust zone (Trust rate: 20)

→Asset 1 (confidentiality: 100, integrity: 20, availability:  30)

→Asset 2  (confidentiality: 50, integrity: 70, availability: 90)

→Threat1 (ease of exploitation: 70, confidentiality: 100, integrity: 80, availability:  70)

    →Weakness 1 (impact: 80)

        →Control 1 (mitigation: 80, state: implemented, test: passed)

        →Control 2 (mitigation: 20, state: required, test: not tested)

        →Control 3 (mitigation: 30, state: recommended, test: not tested)

 

EXAMPLE CALCULATIONS: 

Since we have 2 assets each of them with 2 security classifications we need to calculate 6 values using formula 1a. 

Asset Classification value Business impact default value threats classification value

weakness

value

 Default asset weightings asset classification value result
Asset1 Confidentiality

1

 100 80 1 100 180
Asset1 Integrity 1 80 80 1 20 84
Asset1 Availability 1 70 80 1 30 86
Asset2 Confidentiality 1 100 80 1 50 130
Asset2 Integrity 1 80 80 1 70 134
Asset2 Availability 1 70 80 1 90 146

The highest value will then be adjusted using adjustment formula 1 to a value from 0 - 100 and will be used in the final impact formula as the high-water mark. 

Calculating the adjusted value using adjustment formula 1 = (value (180)) x 100 / maximum possible value (200) = 90

 

Calculating the Asset Value using formula 1b.

Asset Confidentiality Integrity Availability Avg
Asset1 100 20 30 50
Asset2 50 70 90 70

 

The final impact is then expressed by formula 1a - Impact = (Threat Technical Impact (90) x Business impact weighting (1)  x Weakness Impact(80))/100 + (Asset Value(70) x Asset Weighting(1)) = 142

Calculating the adjusted value using adjustment formula 1 = (value (142)) x 100 / maximum possible value (200) = 71

 

Next, calculate likelihood which is expressed by formulas 1c and 1d respectively. 

Formula 1d - exposure rating = 100 - Trust Zone Rating (20) = 80

Formula 1c - Likelihood = exposure rating(80) x exposure rating default(1) + ease of exploitation(70) x ease of exploitation weighting(1) = 150

Calculating the adjusted value using adjustment formula 1 = (value (150)) x 100 / maximum possible value (200) = 75

 

And finally inherent risk using formula 1 - Inherent Risk = impact(71) x likelihood(75) = 5,325 and then applying adjustment formula 2 - adjusted value = square root (raw value(5,325)= 72.97 which is equivalent to a "HIGH" inherent risk. 

 

 

 

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk