Some people seem to be making life difficult for themselves with risk models such as “Impact * Probability” and as such have lead themselves into all manner of imponderable … since this model hides essential details.
I discuss the CLASSICAL risk equation in my blog
There is a good reason for, no make that MANY good reasons, for separating out the threat and the vulnerability and asset rather that just using “impact”.
Any asset is going to be affected by many
Any control will almost certainly address many assets and in all likelihood deal with many threats and vulnerabilities.
Any reasonable approach will try to optimise this: make the controls more effective and efficient by having them cover as many assets, threats or vulnerabilities as possible.
As such, the CLASSICAL risk equation can then be viewed as addressing residual risk – the probability AFTER applying the controls. Continue reading Risk Models that hide important information