Understanding risk health

Several factors play a part in how Hyperproof determines overall risk health. Before diving into the calculations, let's first define some common terms associated with risks.

  • Likelihood - The chance of the risk occurring within a certain time.

    • Example: There is a 3% chance of a data breach occurring this fiscal year.

    • Example: We expect 10,000 breach attempts with a success rate of 0.03%.

  • Impact - The loss experienced when the risk materializes, e.g. monetary loss, lost operating time, loss of tangible or intangible assets, etc.

    • Primary loss - A direct impact from an incident, e.g. a contract breach penalty of $1M.

    • Secondary loss - The effects from stakeholders, e.g. prospect doesn’t sign due to fear of incident.

  • Tolerance - The level of risk that an organization is willing to bear.

  • Inherent risk - The level of risk if no mitigation is performed.

  • Residual risk - The level of risk that remains after mitigation, taking into account the health of the controls. Residual risk reflects the true state of the controls by reducing the mitigation credit given to controls that are At risk or Critical.
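The definitions above can be tied together in a small model. The following is an added illustration, not Hyperproof's own calculation: it assumes that risk is expressed as expected loss (likelihood × impact), that each control removes an assumed fraction of the inherent risk when healthy, that At risk controls earn half of their mitigation credit and Critical controls none, and that independent controls combine multiplicatively. The control names, weights and loss figures are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum


class ControlHealth(Enum):
    """Control health states as used in the definitions above."""
    HEALTHY = "Healthy"
    AT_RISK = "At risk"
    CRITICAL = "Critical"


# ASSUMPTION: how much of a control's mitigation still counts at each health
# level. Hyperproof's actual weighting is not given on this page.
MITIGATION_CREDIT = {
    ControlHealth.HEALTHY: 1.0,
    ControlHealth.AT_RISK: 0.5,
    ControlHealth.CRITICAL: 0.0,
}


@dataclass
class Control:
    name: str
    mitigation: float          # fraction of inherent risk removed when healthy (assumed)
    health: ControlHealth


@dataclass
class Risk:
    name: str
    likelihood: float          # probability of an incident within the period
    primary_loss: float        # direct loss per incident
    secondary_loss: float      # stakeholder-driven loss per incident
    tolerance: float           # maximum expected loss the organization accepts
    controls: list = field(default_factory=list)


def impact(risk: Risk) -> float:
    """Total loss per incident: primary plus secondary loss."""
    return risk.primary_loss + risk.secondary_loss


def inherent_risk(risk: Risk) -> float:
    """Expected loss with no mitigation at all."""
    return risk.likelihood * impact(risk)


def effective_mitigation(controls) -> float:
    """Combine controls multiplicatively, discounting each one by its health credit.

    remaining = product over controls of (1 - mitigation_i * credit_i)
    """
    remaining = 1.0
    for c in controls:
        remaining *= 1.0 - c.mitigation * MITIGATION_CREDIT[c.health]
    return 1.0 - remaining


def residual_risk(risk: Risk) -> float:
    """Expected loss after mitigation, reflecting the true health of the controls."""
    return inherent_risk(risk) * (1.0 - effective_mitigation(risk.controls))


def residual_if_all_healthy(risk: Risk) -> float:
    """What residual risk would be if every control were restored to Healthy."""
    healthy = [Control(c.name, c.mitigation, ControlHealth.HEALTHY) for c in risk.controls]
    return inherent_risk(risk) * (1.0 - effective_mitigation(healthy))


def within_tolerance(risk: Risk) -> bool:
    return residual_risk(risk) <= risk.tolerance


# Constructed sample: a 3% chance this fiscal year of a breach costing $1M in
# contract penalties plus $500K in lost prospects, against a $10K tolerance.
SAMPLE_RISK = Risk(
    name="Customer data breach",
    likelihood=0.03,
    primary_loss=1_000_000,
    secondary_loss=500_000,
    tolerance=10_000,
    controls=[
        Control("Encryption at rest", 0.6, ControlHealth.HEALTHY),
        Control("Quarterly access review", 0.5, ControlHealth.AT_RISK),
        Control("Centralized logging", 0.4, ControlHealth.CRITICAL),
    ],
)

if __name__ == "__main__":
    r = SAMPLE_RISK
    print(f"Inherent risk:            ${inherent_risk(r):,.0f}")
    print(f"Residual risk (current):  ${residual_risk(r):,.0f}")
    print(f"Residual risk (healthy):  ${residual_if_all_healthy(r):,.0f}")
    print(f"Within tolerance:         {within_tolerance(r)}")
```

Running the sample shows why control health matters: the At risk review and the Critical logging control together leave residual risk well above tolerance, while the same controls in a Healthy state would bring it under.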