How to really know your security risks


The more precisely a risk can be assessed, the more easily it can be prioritized. However, the traditional model of assessing risk, multiplying potential loss by the likelihood of occurrence, is too simple to yield an accurate assessment, writes Roger A. Grimes. Today's computer security environment is more complicated and requires a larger set of variables to frame a risk, he writes in a post at InfoWorld.

Grimes offers a long list of risk-assessment categories that he reviews when he learns of a new threat, conceding that the list is possibly too long to be workable in practice. The first category is "knowledge of exploit by possible attackers." An exploit that is publicly known but not popularly used is a higher risk than one that is privately known and not being used against a customer.

The second category is "level of access required for attack." The highest-risk threat would be "truly remote" and easily automated, while the lowest in this category would be one that requires local, physical, interactive or logged-on access.

The payload reaped from a successful attack is another category that Grimes factors into his risk assessment. The highest risk is an attack that results in full compromise, but those that result in privilege escalation, extensive damage or access to many other assets are also high risk. The mitigations that can be applied should be factored in as well: if a patch is available from the vendor, the risk is relatively low, and if a patch is available only from a third party, the risk is medium.

To make all of these categories more manageable, Grimes came up with a spreadsheet to rank the risk on a scale of one to five. His spreadsheet and a sample are available via the link below.

For more:
- see Roger A. Grimes' post at InfoWorld
