An Overall risk exposure value should be calculated for each server or application so that it can be compared with other servers and applications.  The values should be spread widely enough that the management of servers and applications, i.e. the prioritisation of changes or compliance efforts, can be controlled at a finer grain on the basis of both technical and business risk.

Put simply, Overall risk can be calculated as the sum of Technical and Business risk.  If you follow a process similar to the one described in A Simple Security Risk Assessment, you will end up with a Technical risk value for each configuration item examined and a Business risk value for each server or application that the configuration item relates to.  Two practical points follow from adding the two values together.  First, they need to be on comparable scales (or be rescaled to a common one), otherwise whichever was scored on the larger range dominates the result.  Second, Technical risk is recorded per configuration item, so to rank servers or applications it has to be rolled up to that level first, for example by taking the highest-scoring item on each server, before the Business risk is added.

There should be enough variation in the Technical and Business risk values that the Overall risk values calculated per server or per application are spread widely enough to support a risk-based prioritisation of compliance efforts.  Taking both technical and business risk into account lets you focus treatment on what matters most to your organisation.
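The roll-up described above, worked through in code.  This is an added example and not a worksheet from the series; the sample configuration items, servers and scores are constructed, and three choices are assumptions rather than anything the series prescribes: both risk values are rescaled to 0-100 before being added (so a 1-25 and a 1-5 scale cannot silently dominate one another), Technical risk is rolled up to a server by taking its worst-scoring configuration item, and the "enough spread" check uses an arbitrary coefficient-of-variation threshold.

```python
"""Overall risk = Technical risk + Business risk, rolled up from configuration
items to servers and ranked for prioritisation.  Illustrative code only."""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed scale maxima.  Both scores are rescaled to 0-100 before they are
# added so that neither one dominates the sum just because of its range.
TECHNICAL_MAX = 25   # e.g. likelihood (1-5) x impact (1-5)
BUSINESS_MAX = 25

# Constructed sample data (not from the article): Technical risk per
# configuration item, each tied to the server it was assessed on.
TECHNICAL_RISK = [
    # (configuration item, server, technical risk score)
    ("ssh PermitRootLogin yes",      "web01", 20),
    ("telnet service enabled",       "web01", 25),
    ("unpatched openssl",            "web01", 16),
    ("ntp unrestricted",             "db01",   6),
    ("sa account default password",  "db01",  25),
    ("world-readable backups",       "fs01",  12),
    ("snmp community public",        "fs01",   9),
]

# Constructed Business risk per server (the database holds the crown jewels).
BUSINESS_RISK = {"web01": 10, "db01": 25, "fs01": 8}


def normalise(score, scale_max):
    """Rescale a score from its own 0..scale_max range onto 0..100."""
    if not 0 <= score <= scale_max:
        raise ValueError(f"score {score} outside 0..{scale_max}")
    return 100.0 * score / scale_max


def item_overall_risk(technical=TECHNICAL_RISK, business=BUSINESS_RISK):
    """Overall risk per configuration item: its Technical risk plus the
    Business risk of the server it sits on, highest first."""
    rows = []
    for item, server, tech in technical:
        if server not in business:
            raise KeyError(f"no business risk recorded for {server}")
        overall = normalise(tech, TECHNICAL_MAX) + normalise(business[server], BUSINESS_MAX)
        rows.append((item, server, overall))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def server_overall_risk(technical=TECHNICAL_RISK, business=BUSINESS_RISK, rollup=max):
    """Roll Technical risk up to each server (assumed rule: the worst item
    wins; pass rollup=sum to accumulate instead), then add Business risk.
    Returns (server, overall) pairs, highest first."""
    per_server = defaultdict(list)
    for _item, server, tech in technical:
        per_server[server].append(normalise(tech, TECHNICAL_MAX))
    ranked = {}
    for server, biz in business.items():
        # A server with no assessed items still carries its Business risk.
        techs = per_server.get(server, [0.0])
        ranked[server] = rollup(techs) + normalise(biz, BUSINESS_MAX)
    return sorted(ranked.items(), key=lambda kv: kv[1], reverse=True)


def spread_is_sufficient(ranked, min_cv=0.15):
    """True when the Overall scores vary enough to rank by.  The threshold
    (coefficient of variation >= 0.15) is an assumption, not a standard."""
    scores = [score for _server, score in ranked]
    if len(scores) < 2:
        return False
    m = mean(scores)
    return m > 0 and pstdev(scores) / m >= min_cv


if __name__ == "__main__":
    servers = server_overall_risk()
    print("Per-server Overall risk (worst item + business risk):")
    for server, score in servers:
        print(f"  {server:6s} {score:6.1f}")
    print("Spread sufficient for prioritisation:", spread_is_sufficient(servers))
    print("Top configuration items:")
    for item, server, score in item_overall_risk()[:3]:
        print(f"  {score:6.1f}  {server}  {item}")
```

With the constructed data, web01 and db01 tie on rolled-up Technical risk (both have a 25/25 item); it is the Business risk that separates them and puts the database first, which is exactly the polarisation the text is after.  Swapping `rollup=max` for `rollup=sum` rewards servers with many medium findings over a server with one severe one, so the choice of roll-up rule is worth agreeing on before the numbers are used to prioritise.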

A Simple Security Risk Assessment

This article is part of a five-part series on A Simple Security Risk Assessment:

1. Evaluating Industry Standard Risk Methodologies
2. Categorising Threats by Information Asset attributes
3. Assessing Technical Risk
4. Assessing Business Risk
5. Calculating Overall Risk

4 Responses to “Calculating Overall Risk”




  2. [...] Calculating Overall Risk « Information and Technology Security Says: June 2, 2009 at 12:44 am [...]
