This diagram was created to help explain the relationship between the various components of an information risk assessment using the basic formula for risk. Audiences that are new to Information Security and/or Risk Management may need to have some of the basic terms explained.
The Basic Statement
Likelihood × Impact = Risk
The risk statement is derived by following the Blue arrows:
The Likelihood → that → Threats will exploit → Vulnerabilities → to attack → Targets → and compromise → Information (confidentiality and/or integrity and/or availability) → causing → Impact = Risk.
Green arrows represent the following control statements:
Risk can be → Transferred to External → reducing → Impact = reduced Risk
Risk can be → Transferred to External → reducing → Vulnerabilities → reducing → Likelihood = reduced Risk
Risk can be → Accepted by Executive
Risk can be → Mitigated with → Controls → reducing → Vulnerabilities → reducing → Likelihood = reduced Risk
Ideally there should be a fifth control statement, which I could not fit into the diagram: Risk cannot be → ignored.
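The control statements above can be expressed as operations on a risk score, which makes the fifth statement checkable: every entry in a risk register must carry a treatment decision. The following is an added example, not part of the original diagram; the 0..1 likelihood scale, the 0..10 impact scale, the reduction factors and the sample register are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from enum import Enum
from typing import List, Optional


class Treatment(Enum):
    TRANSFER = "transferred to external"
    ACCEPT = "accepted by executive"
    MITIGATE = "mitigated with controls"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float              # 0..1 (assumed scale): threats exploit vulnerabilities against targets
    impact: float                  # 0..10 (assumed scale): loss of confidentiality/integrity/availability
    treatment: Optional[Treatment] = None

    def score(self) -> float:
        """The basic statement: Likelihood x Impact = Risk."""
        return round(self.likelihood * self.impact, 3)


def transfer(risk: Risk, impact_factor: float = 1.0, likelihood_factor: float = 1.0) -> Risk:
    """Transfer to an external party: may reduce impact (first green arrow)
    and/or reduce vulnerabilities, and so likelihood (second green arrow)."""
    return replace(risk, impact=risk.impact * impact_factor,
                   likelihood=risk.likelihood * likelihood_factor,
                   treatment=Treatment.TRANSFER)


def mitigate(risk: Risk, likelihood_factor: float) -> Risk:
    """Controls reduce vulnerabilities, which reduces likelihood; impact is unchanged."""
    return replace(risk, likelihood=risk.likelihood * likelihood_factor,
                   treatment=Treatment.MITIGATE)


def accept(risk: Risk) -> Risk:
    """Executive acceptance records a decision but changes neither factor."""
    return replace(risk, treatment=Treatment.ACCEPT)


def ignored(register: List[Risk]) -> List[str]:
    """Fifth statement: risk cannot be ignored. Names every entry without a decision."""
    return [r.name for r in register if r.treatment is None]


# Constructed sample register (illustrative values only)
RAW = Risk("credential theft against the customer portal", likelihood=0.4, impact=8.0)
REGISTER = [RAW, mitigate(RAW, likelihood_factor=0.25), accept(RAW)]
```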
Contact us if you have questions, find this useful, or you make improvements to it.
This diagram is shared here for non-commercial use under Creative Commons Attribution-Noncommercial-Share Alike 2.5 Canada (http://creativecommons.org/licenses/by-nc-sa/2.5/ca/).