People keep asking questions like
If the risk equation I use is Impact * Probability, when it comes to calculating the residual risk value do I still need to consider the impact of loss of confidentiality, integrity and availability of the asset afterwards? My understanding is that the probability value may decrease after applying some controls to mitigate the risk, but how does the impact change?
Personally I don’t like the use of the generalization “Impact”. It hides detail, and it hides where each control is actually being applied. Assets are often affected by more than one threat or more than one vulnerability. You really need to recalculate the whole thing over again after the controls have been applied – don’t try for short cuts.
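As an added illustration (not code from the post), here is a residual-risk worksheet that keeps impact per threat and per C/I/A dimension and recomputes everything once controls are applied; the asset, the 1..5 scores, the controls and their multiplicative factors are all constructed assumptions:

```python
# Constructed residual-risk worksheet: one asset, several threats, impact kept per C/I/A dimension.
from dataclasses import dataclass, field

DIMS = ("C", "I", "A")  # confidentiality, integrity, availability

@dataclass
class Threat:
    name: str
    probability: float  # likelihood score, 1..5
    impact: dict        # per-dimension impact score, e.g. {"C": 2, "I": 4, "A": 5}

@dataclass
class Control:
    name: str
    threat: str         # the threat this control actually addresses
    probability_factor: float = 1.0                    # 0.5 halves the likelihood
    impact_factor: dict = field(default_factory=dict)  # {"A": 0.2}: backups cut availability loss

def risk(threat, controls=()):
    """Probability * impact per dimension, recomputed from scratch with the given controls."""
    prob, impact = threat.probability, dict(threat.impact)
    for c in controls:
        if c.threat != threat.name:
            continue    # a control changes nothing for threats it was not designed for
        prob *= c.probability_factor
        for dim, factor in c.impact_factor.items():
            impact[dim] *= factor
    return {d: round(prob * impact[d], 2) for d in DIMS}

def collapsed_risk(threat, controls=()):
    """The single-'Impact' shortcut (worst dimension only): it cannot show where a control acted."""
    return max(risk(threat, controls).values())

def worksheet(threats, controls=()):
    """Inherent vs residual risk for each threat and dimension, plus the asset totals."""
    rows = {t.name: {"inherent": risk(t), "residual": risk(t, controls)} for t in threats}
    totals = {stage: {d: round(sum(r[stage][d] for r in rows.values()), 2) for d in DIMS}
              for stage in ("inherent", "residual")}
    return {**rows, "TOTAL": totals}

# Constructed asset: a customer database facing two threats, with three controls applied.
THREATS = [
    Threat("ransomware", 4, {"C": 2, "I": 4, "A": 5}),
    Threat("insider data theft", 2, {"C": 5, "I": 1, "A": 1}),
]
CONTROLS = [
    Control("offline backups", "ransomware", impact_factor={"A": 0.2, "I": 0.5}),
    Control("mail filtering + patching", "ransomware", probability_factor=0.5),
    Control("field-level encryption", "insider data theft", impact_factor={"C": 0.4}),
]
```

Run `worksheet(THREATS, CONTROLS)` and the per-dimension rows show backups driving availability risk for ransomware from 20 down to 2, while `collapsed_risk` returns the same 4.0 for both threats and tells you nothing about which control did the work.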
I’d further suggest looking at
I discuss this kind of over-simplification at
- Planning means planning for success and for not-success (herdingcats.typepad.com)