Weight
To be able to prioritize what should be worked on, the importance of each threat needs to be described.
One threat might carry a low risk on its own, but combined with others it might have a catastrophic impact, depending on which part of the organization is hit. This means that we need to assign a weight to the actual risk, so that the risk can be calculated on:
I have found that the National Cyber Incident Scoring System provides this functionality:
The National Cyber Incident Scoring System (NCISS) is designed to provide a repeatable and consistent mechanism for estimating the risk of an incident in this context.
The NCISS uses the following weighted arithmetic mean to arrive at a score between zero and 100:
Each category has a weight, and the response to each category has an associated score. The categories are:
Each response score is multiplied by the category weight, and the weighted scores are summed.
Calculate the minimum possible weighted score sum and subtract this number from the previously calculated sum of the weighted scores. Divide the result by the range: the difference between the maximum possible weighted score sum and the minimum possible weighted score sum. Finally, multiply the resulting fraction by 100 to produce the final result.
Weights and values are specific to an individual organization’s risk assessment process. Accompanying this document is a representative tool that demonstrates a reference implementation of the concepts outlined in this system.
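The following is an added example, not the NCISS reference tool and not code from the original article. It implements the scoring steps quoted above (weighted sum, subtract the minimum possible sum, divide by the range, multiply by 100) over a constructed set of categories and weights; the category names, weights and response scores are made up for illustration, since NCISS leaves them to each organization. A small `prioritize` helper then ranks several incidents by that score, which is the use the opening paragraph describes.

```python
"""Weighted-category risk score with NCISS-style min/max normalisation (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Mapping, Tuple


@dataclass(frozen=True)
class Category:
    """One scoring category: its weight and the score for each allowed response."""
    weight: float
    scores: Mapping[str, float]


# Constructed example categories and weights. These are NOT the official NCISS
# table; NCISS states that weights and values are organisation-specific.
EXAMPLE_CATEGORIES: Dict[str, Category] = {
    "functional_impact": Category(3, {"none": 0, "minimal": 1, "significant": 2, "critical": 3}),
    "information_impact": Category(2, {"none": 1, "suspected": 2, "confirmed": 3}),
    "recoverability": Category(1, {"regular": 0, "supplemented": 1, "extended": 2, "not_recoverable": 3}),
}


def weighted_sum(categories: Mapping[str, Category], responses: Mapping[str, str]) -> float:
    """Multiply each response score by its category weight and sum the results.

    Every category must be answered, and each answer must be one of the
    category's known responses; anything else is rejected rather than silently
    scored as zero, which would understate the risk.
    """
    total = 0.0
    for name, category in categories.items():
        if name not in responses:
            raise ValueError(f"no response given for category {name!r}")
        answer = responses[name]
        if answer not in category.scores:
            allowed = ", ".join(sorted(category.scores))
            raise ValueError(f"unknown response {answer!r} for {name!r}; allowed: {allowed}")
        total += category.weight * category.scores[answer]
    return total


def score(categories: Mapping[str, Category], responses: Mapping[str, str]) -> float:
    """Return the normalised 0..100 score described in the NCISS steps."""
    total = weighted_sum(categories, responses)
    # Minimum and maximum possible weighted sums, given the scores each category can take.
    lowest = sum(c.weight * min(c.scores.values()) for c in categories.values())
    highest = sum(c.weight * max(c.scores.values()) for c in categories.values())
    if highest == lowest:
        # Every category has a single possible score, so the range is zero and
        # no meaningful normalisation exists.
        raise ValueError("score range is zero; categories must allow more than one outcome")
    return 100.0 * (total - lowest) / (highest - lowest)


def prioritize(categories: Mapping[str, Category],
               incidents: Mapping[str, Mapping[str, str]]) -> List[Tuple[str, float]]:
    """Score each named incident and return them highest-risk first."""
    ranked = [(name, score(categories, responses)) for name, responses in incidents.items()]
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


if __name__ == "__main__":
    # Constructed incidents used to demonstrate the ranking.
    sample_incidents = {
        "phishing-mailbox": {"functional_impact": "minimal", "information_impact": "suspected",
                             "recoverability": "regular"},
        "ransomware-fileserver": {"functional_impact": "significant", "information_impact": "confirmed",
                                  "recoverability": "extended"},
    }
    for incident, value in prioritize(EXAMPLE_CATEGORIES, sample_incidents):
        print(f"{incident:24s} {value:6.1f}")
```

With the constructed table, a "significant / confirmed / extended" incident has a weighted sum of 14, the minimum possible sum is 2 and the maximum is 18, so the score is 100 × (14 − 2) / 16 = 75. Validating every response before scoring matters in practice: a typo in a category value should fail loudly, not quietly drop the incident to the bottom of the queue.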
One example of such a schema is the Cyber+Incident+Severity+Schema.pdf (archives.gov).
In addition to this scoring system, the Microsoft Secure Score (https://security.microsoft.com/securescore) can be used as a numeric input, as it is a curated list of risks that have already been quantified.