RM Studio uses Risk Profiles to establish a risk assessment model for business entities. A default Risk Profile is displayed if you have defined which Categories your asset belongs to. To give an example, let's say you define asset #1 as "mobile phones". When you select the Risks tab (1) in the risk assessment, you will see that it has many threats predefined. You can then adjust the impact of the threat (2), the probability of the threat (3), and the vulnerability of the asset (4). You can then assign a risk owner (5); it is then their responsibility to follow up and prevent that threat. RM Studio updates the total risk of the asset once you have filled in all of the evaluation values for each threat. The calculation is not executed until you save your work.

The security risk is a factor calculated from the values set for the asset value, the significance of the threat, the probability of the threat and the vulnerability of the asset. The security risk ranges between 0% (minimum) and 100% (maximum), where the range is divided into percentages. The security risk can be reduced by implementing the controls suggested by RM Studio. When all the controls suggested by RM Studio have been implemented, the security risk is reduced to MIN. The different values for the security threats are calculated as follows:

First risk calculation

The first security risk calculation, also known as the base security risk, starts with a single risk and is based on four variables: the probability of the risk, the impact of the risk, the vulnerability of the asset towards the risk, and the value of the asset with which the threat is associated. Each of these four variables is evaluated on a scale between 1 and 5. We add the four evaluations together and divide by the highest possible sum, that is 20, but we also shift the result by 3 to the left. So we end up with:

(Probability + Impact + Vulnerability + Value - 3) / (20 - 3)
The results for various values of these variables can be seen in the four-dimensional matrix at the end of the user manual.

Second risk calculation

The second risk calculation is called the current security risk, or the security risk with regard to implemented controls. Each single threat in the system is related to a number of controls from the Standard which hedge against it. So, for example, if we have a threat that was evaluated as immense on all four variables, that particular risk would have a security risk of 100%, the maximum security risk. In this example, let's say that this particular threat is related to 10 controls from the Standard, and that 8 out of those ten controls have been implemented. We multiply the security risk by the ratio of controls which have not been implemented, which in this case is 2/10, so the security risk with regard to implemented controls goes down from 100% to 20%.

Third risk calculation

The third risk calculation is similar to the second. It takes into consideration both implemented and future controls, whereas the second risk calculation only takes implemented controls into consideration. If we stick to the example given for the second risk calculation, let's say that the remaining two controls are scheduled to be implemented in a couple of months and are changed to future controls. If we now calculate the security risk with regard to implemented and future controls, we multiply the security risk by the ratio of controls which have neither been implemented nor been defined as future controls. In this example the security risk with regard to implemented and future controls will be 0%, the minimum.

Security risk of an Asset and the Risk Assessment

The Risk calculations start with a single Risk and are calculated for every Risk in the Risk Assessment. An Asset also has a Security Risk.
The Security Risk of an Asset is simply the average of all the Security Risks associated with that particular Asset. The Risk Assessment also has a Security Risk; this Security Risk is calculated by taking the average of the Security Risks of all the Assets in the Assessment.

6.1.5. Evaluating Risks
How RM Studio calculates risk.
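The three calculations and the two averages described above, carried through in Python as an added worked example; this is not RM Studio's own code. The Threat and ControlState data model is assumed for the illustration, as is the handling of a threat with no related controls (it keeps its full base risk). The sample data reproduce the manual's example (all four variables evaluated at 5, ten related controls, eight of them implemented) plus a constructed second threat on the same asset:

```python
"""Worked example of the three RM Studio security-risk calculations.

Added illustration only (not RM Studio's own code). The Threat/ControlState
data model and the handling of a threat with no related controls are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from statistics import mean
from typing import Callable, Dict, List

SCALE_MIN, SCALE_MAX = 1, 5        # each variable is evaluated on a 1..5 scale
SHIFT = 3                          # the manual shifts the sum by 3
MAX_SUM = 4 * SCALE_MAX            # highest possible sum of the four evaluations: 20


class ControlState(Enum):
    NOT_IMPLEMENTED = "not implemented"
    IMPLEMENTED = "implemented"
    FUTURE = "future"              # scheduled to be implemented later


@dataclass
class Threat:
    name: str
    probability: int               # probability of the threat (1..5)
    impact: int                    # impact / significance of the threat (1..5)
    vulnerability: int             # vulnerability of the asset to the threat (1..5)
    asset_value: int               # value of the asset the threat is associated with (1..5)
    controls: List[ControlState] = field(default_factory=list)  # Standard controls hedging this threat


def base_risk(t: Threat) -> float:
    """First calculation: (Probability + Impact + Vulnerability + Value - 3) / (20 - 3)."""
    for v in (t.probability, t.impact, t.vulnerability, t.asset_value):
        if not SCALE_MIN <= v <= SCALE_MAX:
            raise ValueError(f"evaluation {v} outside the {SCALE_MIN}..{SCALE_MAX} scale")
    return (t.probability + t.impact + t.vulnerability + t.asset_value - SHIFT) / (MAX_SUM - SHIFT)


def _open_ratio(t: Threat, counts_as_open: Callable[[ControlState], bool]) -> float:
    # Ratio of related controls that still count as open. Assumption: a threat with
    # no related controls keeps its full base risk (ratio 1), since nothing can reduce it.
    if not t.controls:
        return 1.0
    return sum(1 for c in t.controls if counts_as_open(c)) / len(t.controls)


def current_risk(t: Threat) -> float:
    """Second calculation: base risk times the ratio of controls not yet implemented."""
    return base_risk(t) * _open_ratio(t, lambda c: c is not ControlState.IMPLEMENTED)


def planned_risk(t: Threat) -> float:
    """Third calculation: base risk times the ratio of controls neither implemented nor future."""
    return base_risk(t) * _open_ratio(t, lambda c: c is ControlState.NOT_IMPLEMENTED)


def asset_risk(threats: List[Threat], calc: Callable[[Threat], float] = base_risk) -> float:
    """Security risk of an asset: the average over all risks associated with it."""
    return mean(calc(t) for t in threats)


def assessment_risk(assets: Dict[str, List[Threat]],
                    calc: Callable[[Threat], float] = base_risk) -> float:
    """Security risk of the risk assessment: the average of the asset risks."""
    return mean(asset_risk(ts, calc) for ts in assets.values())


# Constructed sample data reproducing the manual's worked example: a threat evaluated
# "immense" (5) on all four variables, related to 10 controls of which 8 are implemented.
WORST_CASE = Threat("device theft", 5, 5, 5, 5,
                    [ControlState.IMPLEMENTED] * 8 + [ControlState.NOT_IMPLEMENTED] * 2)
# The same threat after the two remaining controls are scheduled as future controls.
WORST_CASE_PLANNED = Threat("device theft", 5, 5, 5, 5,
                            [ControlState.IMPLEMENTED] * 8 + [ControlState.FUTURE] * 2)
# A second, milder threat (constructed values) on the same asset, with no related controls.
MILD = Threat("lost charger", 2, 3, 2, 4)

ASSESSMENT = {"mobile phones": [WORST_CASE, MILD]}

if __name__ == "__main__":
    print(f"base risk:     {base_risk(WORST_CASE):.0%}")               # 100%
    print(f"current risk:  {current_risk(WORST_CASE):.0%}")            # 20%
    print(f"planned risk:  {planned_risk(WORST_CASE_PLANNED):.0%}")    # 0%
    print(f"asset risk:    {asset_risk(ASSESSMENT['mobile phones']):.1%}")
    print(f"assessment:    {assessment_risk(ASSESSMENT):.1%}")
```

Running the block reproduces the manual's figures: a base risk of 100%, 20% once eight of the ten controls are implemented, and 0% once the remaining two are marked as future controls. One consequence of the formula as the manual states it: a threat evaluated at 1 on all four variables gives (4 - 3) / 17, about 5.9%, so the base risk of a single threat never reaches 0% by itself; only the control ratio in the second and third calculations brings it there.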