How to Rate Impact for Risk Assessments

Risk Assessments (RA) are used to assess the probabilities and consequences of risk events if they were to be realized. The RA output is intended to help determine risk response actions based on the level of risk posed by the threat and risk appetite.

Risk Scores are created by multiplying the Likelihood and Impact. The scores are then rated using the Risk Rating Scale.

Likelihood x Impact = Risk Rating

(Figure: Risk Rating Scale)

Impact Determination

Risk Assessments help determine the potential consequences of a threat exploiting a vulnerability.

If the threat (column D of the Risk Assessment worksheet) were to be realized, what is the Impact?

Risk Assessment Worksheet Example:


Impact Categories

Rating impact separately in several categories gives a comprehensive assessment of a threat's potential consequences and gives decision-makers a more nuanced understanding of them than a single overall rating would.

Impact is rated for 6 risk categories:

  • WSU Mission
  • Productivity
  • Response
  • Replacement
  • Fines/Legal
  • Reputation

Each category takes into consideration the potential impact in terms of loss or degradation of one or more of the following three security goals:

  • Loss of Confidentiality – Impact of unauthorized disclosure of sensitive information.
  • Loss of Integrity – Impact of unauthorized modification of the system or its data.
  • Loss of Availability – Impact on system availability, functionality, and operational effectiveness.

Things to Consider

  • What types of data or information could be compromised or lost?
  • Is there any intellectual property or sensitive business information at risk?

These charts provide the Impact Rating Definitions to help determine the level of impact.

(Figure: Productivity Impact Classification Table)

Use the following questions to guide the discussion.

WSU Mission

  • How will the threat impact the organization’s daily operations?
  • Will there be a loss of productivity or disruption to critical processes?
  • What is the estimated downtime or recovery time required?

Productivity

  • What is the duration of time productivity will be lost?
  • How many users will be impacted by the loss in productivity?

Response

  • How much effort will be needed to recover from the incident?
  • How many people will need to be involved in the response effort?
  • How many hours will it take to respond?

Replacement

  • What is the potential financial loss of assets or cost associated with the threat?
  • How will the organization’s revenue be affected?
  • What is the magnitude of information loss?

Fines/Legal

  • Are there any legal or regulatory obligations that could be violated because of the threat?
  • What are the potential legal consequences, such as lawsuits, penalties, or non-compliance fines?
  • Are there any contractual obligations or service-level agreements that could be impacted?

Reputation

  • How could the incident impact WSU’s reputation?
  • If the threat were to be realized, would it be newsworthy?
  • Could it impact enrollment or endowments?
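The scoring described at the top of this page (Likelihood x Impact = Risk Rating) applied to one worksheet row, as an added example that is not part of the WSU page or its worksheet. The 1-5 scales, the rule that the highest-rated category sets the overall Impact, and the rating bands are assumptions standing in for the page's own charts.

```python
# Added example, not from the WSU page: scoring one Risk Assessment
# worksheet row. The 1-5 scales, the "highest category wins" rule for
# overall Impact, and the rating bands are assumptions; the page keeps
# its real Impact Rating Definitions and Risk Rating Scale in its charts.
from dataclasses import dataclass, field

IMPACT_CATEGORIES = ("WSU Mission", "Productivity", "Response",
                     "Replacement", "Fines/Legal", "Reputation")
SECURITY_GOALS = ("Confidentiality", "Integrity", "Availability")
# Assumed bands for Likelihood x Impact on two 1-5 scales (max 25).
RISK_BANDS = ((5, "Low"), (12, "Moderate"), (19, "High"), (25, "Critical"))


@dataclass
class WorksheetRow:
    threat: str          # column D of the worksheet
    likelihood: int      # 1 (rare) .. 5 (almost certain); assumed scale
    # impact[category][goal] -> 1..5; goals a category is not affected by are omitted
    impact: dict = field(default_factory=dict)

    def category_impact(self, category: str) -> int:
        """Worst-case impact for one category across the three security goals."""
        goals = self.impact.get(category, {})
        if not set(goals) <= set(SECURITY_GOALS):
            raise ValueError(f"unknown security goal in {category!r}")
        return max(goals.values(), default=1)

    def overall_impact(self) -> int:
        """Assumed aggregation: the highest-rated category drives the Impact."""
        return max(self.category_impact(c) for c in IMPACT_CATEGORIES)

    def risk_score(self) -> int:
        if not 1 <= self.likelihood <= 5:
            raise ValueError("likelihood must be 1..5")
        return self.likelihood * self.overall_impact()

    def risk_rating(self) -> str:
        score = self.risk_score()
        return next(label for limit, label in RISK_BANDS if score <= limit)


# Constructed sample row: ransomware against a departmental file server.
SAMPLE = WorksheetRow(
    threat="Ransomware encrypts departmental file server",
    likelihood=3,
    impact={"Productivity": {"Availability": 4},
            "Response": {"Availability": 3, "Integrity": 3},
            "Replacement": {"Availability": 2},
            "Reputation": {"Confidentiality": 2}},
)
```

Categories left out of a row default to the lowest impact, so a row that omits Fines/Legal is treated as having no legal consequence rather than an unknown one; fill in every category the discussion questions above touch before relying on the score.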