You estimate an incident risk, i.e. a threat materializing against a particular asset, by using the »Estimate« push button (see figure below).
A popup dialog window will appear. The window (see figure below) contains the following information:
- Name of the asset involved in risk estimation
- Name of the threat involved in risk estimation
- List of asset vulnerabilities that the threat exploits
- Your estimated frequency of incident occurrence
- Your defined business impact of the incident
- Optional description as memo or note for risk estimation
You estimate the risk by:
- Estimating the frequency of incident occurrence
- Defining business impacts, i.e. consequences of the incident
You estimate the frequency of incident occurrence by selecting the one descriptive frequency that best fits your situation. You define the business impacts by selecting one or more predefined business impacts from the drop-down list.
You have to determine both the incident frequency and the incident business impacts to generate a risk estimation (see the figure below). Please note that you cannot change the severity of a business impact (green, yellow or red in the presented case), as these levels have been predefined by the Risk Manager prior to starting the risk assessment process. This restriction provides consistency in risk estimations performed by different estimators.
The total risk score is shown in the right-hand vertical bar of the popup dialog.
You save the results by pressing the »Save« button.
The estimated risks are clearly indicated in the »Risk estimation« tab by displaying the estimated value on the corresponding green, yellow or red rectangle (see figure below).
You may repeat the estimation anytime you like, as long as the risks involved have not yet been accepted by the responsible manager.
Once you have estimated at least one risk, you may proceed to the Risk Treatment phase.