An Introduction To
Information, Network and Internet Security


Appendix F - Risk ratings

In order to address issues, one needs to evaluate the risks to the organization.

Management will try to rate these in some order, and the method chosen here combines the cost to address with the risk of the failure (calculated from the impact and likelihood settings described earlier). The table below shows this; the calculated level of risk is converted into a High, Medium or Low figure for use in the table.

The 'Cost to Address' column is ranked H, M, and L, corresponding to High, Medium and Low. In this case, Low indicates less than 10 days effort; Medium indicates between 10 and 20 days dedicated effort and High indicates more than 20 days dedicated effort.

The 'Rank' column is derived from the 'Severity' and 'Cost to address' columns, and gives a priority for performing the work. The ranking is worked out from the following table.

                        Risk Severity
                        H      M      L

Cost to Address    H    3      6      9
                   M    2      5      8
                   L    1      4      7

A task that is 'H' for severity and 'L' for cost to address is given a 'Rank' of 1, and a task that is 'L' for severity and 'H' for cost to address is given a 9. Rank 1 is the highest priority.

The user should be able to amend the levels of cost to address for each client.
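As an added worked example (not from the book), the ranking above in Python: an effort estimate in days is converted to the H/M/L cost band using the thresholds given earlier (kept as a parameter so they can be amended per client, as the text requires, with 10 and 20 days counted as Medium), the rank is read from the grid, and a constructed set of findings is ordered by it.

```python
# Rank grid from the appendix: outer key is Cost to Address, inner key is Risk Severity.
RANK = {
    "H": {"H": 3, "M": 6, "L": 9},
    "M": {"H": 2, "M": 5, "L": 8},
    "L": {"H": 1, "M": 4, "L": 7},
}

# Default effort bands in days: Low < 10, Medium 10..20 inclusive, High > 20.
DEFAULT_BANDS = (10, 20)


def cost_band(effort_days, bands=DEFAULT_BANDS):
    """Map an effort estimate in days to the H/M/L 'Cost to Address' band.

    `bands` is (low_upper, medium_upper); the appendix says the levels may be
    amended per client, so they are parameters rather than fixed constants.
    """
    low_upper, medium_upper = bands
    if effort_days < 0:
        raise ValueError("effort must be non-negative")
    if effort_days < low_upper:
        return "L"
    if effort_days <= medium_upper:  # exactly 10 or 20 days is still Medium
        return "M"
    return "H"


def rank(severity, effort_days, bands=DEFAULT_BANDS):
    """Derive the 1..9 rank (1 = do first) from severity and effort in days."""
    if severity not in RANK:
        raise ValueError("severity must be H, M or L")
    return RANK[cost_band(effort_days, bands)][severity]


def prioritise(findings, bands=DEFAULT_BANDS):
    """Return (name, rank) pairs ordered by rank, then by name for stability."""
    scored = [(name, rank(sev, days, bands)) for name, sev, days in findings]
    return sorted(scored, key=lambda item: (item[1], item[0]))


# Constructed sample findings (hypothetical): (name, severity, effort in days).
SAMPLE = [
    ("Unpatched VPN appliance", "H", 4),
    ("Legacy app rewrite", "H", 45),
    ("Stale accounts cleanup", "M", 10),
    ("Banner hardening", "L", 2),
]

if __name__ == "__main__":
    for name, r in prioritise(SAMPLE):
        print(r, name)
```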



The Security Practitioner

An Introduction to Information Security