Understanding risk health
Several factors play a part in how Hyperproof determines overall risk health. Below are some common terms associated with risk.
Inherent likelihood - The measure of a risk occurring without any preventative measures (controls) in place.
Example - There is a 3% chance of a data breach occurring this fiscal year.
Example - We expect 10,000 breach attempts with a success rate of 0.03 percent.
Inherent impact - The measure of impact an event has on an organization when there are no preventative measures (controls) in place.
Primary loss - A direct impact from an incident, e.g. a contract breach penalty of $1M.
Secondary loss - The effects from stakeholders, e.g. prospect doesn’t sign due to fear of incident.
Inherent risk - The level of risk if no mitigation is performed.
Example - An organization's customer data leaked because they did not take measures to properly store the data.
Example - An organization's network is hacked because they did not implement any software security protocols.
Residual likelihood - The measure of a risk occurring after implementing risk mitigation measures and controls.
Example - There is still a 5% chance of a security vulnerability occurring in December.
Example - With risk mitigation in place, we still expect 1,000 breach attempts with a success rate of 0.01 percent.
Residual impact - The final measure of impact an event has on an organization after mitigation measures have been implemented.
Primary loss - The organization is ordered to pay $1B in fines.
Secondary loss - The organization's reputation is tarnished.
Residual risk - The level of risk after mitigation, taking into account the health of the controls. Residual risk reflects the true state of the controls: the mitigation credited to controls whose health is At risk or Critical is reduced, so an unhealthy control lowers risk less than a healthy one.
Example - An organization requires employees to change their passwords monthly. This reduces the risk of bad actors guessing passwords, but it also increases the risk of employees using new passwords that are similar to their old passwords.
Example - An organization has implemented an email security service to detect phishing and spam attacks. However, the organization may still receive phishing emails.
Tolerance - The level of risk that an organization is willing to bear.
Mitigation - The action taken to reduce the chance of a risk actually happening, or to reduce its impact if it does.
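The following Python is an added worked example of how the terms above fit together; it is illustrative code written for this page, not Hyperproof's own calculation, which the page does not spell out. It assumes that inherent risk is inherent likelihood multiplied by inherent impact (primary plus secondary loss), that each control removes a stated fraction of that risk when Healthy, and that the credit given to a control is halved when its health is At risk and dropped entirely when it is Critical. The weights in HEALTH_CREDIT, the dollar figures, the control names and the tolerance value are all constructed for the example.

```python
"""Illustrative risk-health model (example code, not Hyperproof's formula).

Assumed model:
- inherent impact   = primary loss + secondary loss
- inherent risk     = inherent likelihood * inherent impact
- each control removes a fraction of inherent risk when Healthy; the credit
  is scaled by HEALTH_CREDIT for At risk / Critical controls (assumed weights)
- residual risk     = inherent risk * (1 - total credited mitigation)
"""
from dataclasses import dataclass, field

# Assumed weights: how much of a control's mitigation is credited per health state.
HEALTH_CREDIT = {"Healthy": 1.0, "At risk": 0.5, "Critical": 0.0}


def expected_events(attempts, success_rate):
    """Likelihood stated as a volume: attempts multiplied by their success rate
    (10,000 attempts at 0.03 percent is 3 expected successful breaches)."""
    return attempts * success_rate


@dataclass
class Control:
    name: str
    mitigation: float  # fraction of inherent risk removed when the control is Healthy
    health: str        # "Healthy", "At risk" or "Critical"


@dataclass
class Risk:
    name: str
    inherent_likelihood: float  # probability of the event with no controls in place
    primary_loss: float         # direct loss in dollars, e.g. a contract penalty
    secondary_loss: float       # stakeholder effects in dollars, e.g. lost prospects
    tolerance: float            # expected loss the organisation is willing to bear
    controls: list = field(default_factory=list)

    def inherent_impact(self):
        return self.primary_loss + self.secondary_loss

    def inherent_risk(self):
        return self.inherent_likelihood * self.inherent_impact()

    def effective_mitigation(self):
        """Mitigation credited after adjusting for control health, capped at 100%."""
        credited = sum(c.mitigation * HEALTH_CREDIT[c.health] for c in self.controls)
        return min(credited, 1.0)

    def residual_risk(self):
        return self.inherent_risk() * (1 - self.effective_mitigation())

    def residual_risk_if_all_healthy(self):
        """What residual risk would be if every control were Healthy; the gap to
        residual_risk() is the cost of At risk and Critical controls."""
        nominal = min(sum(c.mitigation for c in self.controls), 1.0)
        return self.inherent_risk() * (1 - nominal)

    def within_tolerance(self):
        return self.residual_risk() <= self.tolerance


def sample_risk():
    """Constructed sample: a data-breach risk with three controls of mixed health."""
    return Risk(
        name="Customer data breach",
        inherent_likelihood=0.03,      # 3% chance this fiscal year, no controls
        primary_loss=1_000_000,        # contract breach penalty
        secondary_loss=500_000,        # prospects lost to fear of the incident
        tolerance=20_000,
        controls=[
            Control("Encryption at rest", mitigation=0.5, health="Healthy"),
            Control("Password policy", mitigation=0.2, health="At risk"),
            Control("Email security service", mitigation=0.3, health="Critical"),
        ],
    )


if __name__ == "__main__":
    r = sample_risk()
    print(f"{r.name}: inherent ${r.inherent_risk():,.0f}, "
          f"residual ${r.residual_risk():,.0f} "
          f"(would be ${r.residual_risk_if_all_healthy():,.0f} if all controls were healthy), "
          f"within tolerance: {r.within_tolerance()}")
```

With the sample figures the inherent risk is $45,000; the three controls would remove all of it if Healthy, but because one is At risk and one is Critical only 60% is credited, leaving $18,000 of residual risk, just inside the $20,000 tolerance. Marking the encryption control Critical as well drops the credited mitigation to 10% and pushes residual risk to $40,500, which is the effect the Residual risk definition describes.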