6.1.5. Evaluating Risks

RM Studio uses Risk Profiles to establish the risk assessment model for business entities. A default Risk Profile is applied once you have defined which Categories your asset belongs to. For example, suppose asset #1 is defined as “mobile phones”. When you select the Risks tab (1) in the risk assessment, you will see that it already has many threats predefined.

For each threat you can then adjust the impact of the threat (2), the probability of the threat (3) and the vulnerability of the asset (4). You can also assign a risk owner (5); it is then that person's responsibility to follow up and address the threat.

RM Studio updates the total risk of the asset once you have filled in all of the evaluation values for each threat. Note that the calculation is not executed until you save your work.

How RM Studio calculates risk.

The security risk is a factor calculated from the values set for the asset value, the significance (impact) of the threat, the probability of the threat and the vulnerability of the asset. It is expressed as a percentage between 0% (minimum) and 100% (maximum). The security risk can be reduced by implementing the controls suggested by RM Studio; when all the controls suggested by RM Studio have been implemented, the security risk is reduced to the minimum (0%).

The different values for the security threats are calculated as follows:

First risk calculation

The first security risk calculation, also known as the base security risk, starts with a single risk and is based on four variables: the probability of the risk, the impact of the risk, the vulnerability of the asset towards the risk, and the value of the asset with which the threat is associated. Each of the four variables is evaluated on a scale from 1 to 5. The four evaluations are added together and divided by the highest possible sum, which is 20, but 3 is first subtracted from both the sum and the divisor (the manual calls this shifting the result by 3). So we end up with:

(Probability + Impact + Vulnerability + Value - 3) / (20 - 3)

Note that with all four values at 1 this gives (4 - 3) / 17, roughly 5.9%, so the base security risk of an evaluated threat is never 0%; the 0% minimum is only reached through the control-based calculations below.

The results for various values of these variables can be seen in the four dimensional matrix at the end of the user manual.

Second risk calculation

The second risk calculation is called the current security risk, or the security risk with regards to implemented controls. Each threat in the system is related to a number of controls from the Standard which hedge against it. For example, a threat evaluated at the maximum (5) for all four variables has a base security risk of 100%, the maximum. Suppose that threat is related to 10 controls from the Standard and that 8 of those 10 controls have been implemented. The base security risk is multiplied by the ratio of controls which have not been implemented, in this case 2/10, so the security risk with regards to implemented controls goes down from 100% to 20%.

Third risk calculation

The third risk calculation is similar to the second, but it takes both implemented and future controls into consideration, whereas the second only takes implemented controls into consideration. Continuing the example above, suppose the remaining two controls are scheduled to be implemented in a couple of months and are therefore marked as future controls. The security risk with regards to implemented and future controls is the base security risk multiplied by the ratio of controls which have neither been implemented nor been defined as future controls, in this case 0/10, so the result is 0%, the minimum.

Security risk of an Asset and the Risk Assessment

The risk calculations start with a single Risk and are performed for every Risk in the Risk Assessment. An Asset also has a Security Risk: it is simply the average of the Security Risks of all the Risks associated with that Asset. The Risk Assessment likewise has a Security Risk, calculated as the average of the Security Risks of all the Assets in the Assessment. Because these are plain (unweighted) averages, one threat at 100% among several low-risk threats yields only a moderate asset-level figure; the per-Risk values remain the place to look for individual critical threats.
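The three calculations and the two averages above, carried through in code. This is an added example written for this page, not RM Studio's own code: the class and function names are assumptions, the sample assets and the "malware" and "misconfiguration" threats are constructed, and the handling of a threat with no related controls (it keeps its base risk) is an assumption the manual does not state.

```python
from dataclasses import dataclass, field
from statistics import mean

SHIFT = 3        # the manual's "shift by 3": subtracted from numerator and denominator
MAX_SUM = 20     # four evaluation values, each at most 5


def is_valid_evaluation(*values: int) -> bool:
    """Every evaluation value must be an integer on the manual's 1..5 scale."""
    return all(isinstance(v, int) and 1 <= v <= 5 for v in values)


@dataclass
class Risk:
    """One threat evaluated against one asset, plus its related controls."""
    name: str
    probability: int
    impact: int
    vulnerability: int
    asset_value: int
    controls: int = 0      # controls from the Standard that hedge this threat
    implemented: int = 0   # how many of them are implemented
    future: int = 0        # how many of them are scheduled as future controls

    def __post_init__(self) -> None:
        if not is_valid_evaluation(self.probability, self.impact,
                                   self.vulnerability, self.asset_value):
            raise ValueError(f"{self.name}: evaluation values must be 1..5")
        if self.implemented + self.future > self.controls:
            raise ValueError(f"{self.name}: more implemented/future controls than related controls")

    def base_risk(self) -> float:
        """First calculation: (P + I + V + A - 3) / (20 - 3), as a fraction of 1."""
        total = self.probability + self.impact + self.vulnerability + self.asset_value
        return (total - SHIFT) / (MAX_SUM - SHIFT)

    def current_risk(self) -> float:
        """Second calculation: base risk times the share of controls not implemented."""
        if self.controls == 0:
            # Assumption: the manual does not say how a threat with no related
            # controls is treated; here nothing hedges it, so it keeps its base risk.
            return self.base_risk()
        return self.base_risk() * (self.controls - self.implemented) / self.controls

    def planned_risk(self) -> float:
        """Third calculation: base risk times the share neither implemented nor future."""
        if self.controls == 0:
            return self.base_risk()   # same assumption as in current_risk()
        remaining = self.controls - self.implemented - self.future
        return self.base_risk() * remaining / self.controls


@dataclass
class Asset:
    name: str
    risks: list = field(default_factory=list)

    def security_risk(self, calc: str = "current") -> float:
        """Asset security risk: the plain average of its risks (calc: base|current|planned)."""
        if not self.risks:
            return 0.0   # assumption: an asset with no evaluated risks counts as 0%
        return mean(getattr(r, f"{calc}_risk")() for r in self.risks)


def assessment_risk(assets: list, calc: str = "current") -> float:
    """Risk assessment security risk: the plain average over its assets."""
    return mean(a.security_risk(calc) for a in assets)


def pct(fraction: float) -> float:
    """Fraction 0..1 as a percentage rounded to one decimal."""
    return round(100 * fraction, 1)


def worked_example() -> list:
    """Constructed sample data: the manual's worst-case threat plus two made-up ones."""
    phones = Asset("mobile phones", [
        # the manual's example: everything at 5, 10 controls, 8 implemented, 2 future
        Risk("theft", 5, 5, 5, 5, controls=10, implemented=8, future=2),
        # constructed: (3+4+2+5-3)/17 = 11/17 base risk, 4 controls, 1 done, 1 planned
        Risk("malware", 3, 4, 2, 5, controls=4, implemented=1, future=1),
    ])
    laptops = Asset("laptops", [
        # constructed: no related controls, so current and planned equal the base risk
        Risk("misconfiguration", 2, 2, 2, 2),
    ])
    return [phones, laptops]


if __name__ == "__main__":
    assets = worked_example()
    for asset in assets:
        for r in asset.risks:
            print(f"{asset.name}/{r.name}: base {pct(r.base_risk())}% "
                  f"current {pct(r.current_risk())}% planned {pct(r.planned_risk())}%")
        print(f"{asset.name}: current {pct(asset.security_risk())}%")
    print(f"assessment: current {pct(assessment_risk(assets))}%")
    # all four values at 1 gives (4-3)/17, so the base risk never reaches 0%
    print(f"floor of the base risk: {pct(Risk('floor', 1, 1, 1, 1).base_risk())}%")
```

Running the file prints the base, current and planned percentages per threat, then the asset and assessment averages. The "theft" row reproduces the manual's 100% / 20% / 0% example, and the last line shows the 5.9% floor of the base risk that follows from subtracting 3 rather than 4 in the formula.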
