Information Assurance Risk Matrix Tables with NIST FIPS 199 Potential Impact Table
3 x 3 Risk Matrix
3x3 RISK MATRIX SCORING RANGE = 1 to 9 (score = Likelihood x Impact)
Low Risk (1-3)   Moderate Risk (4-6)   High Risk (7-9)

                                 IMPACT
LIKELIHOOD         | 1 Limited | 2 Serious | 3 Severe
3 Almost Certain   |     3     |     6     |    9
2 Possible         |     2     |     4     |    6
1 Rare             |     1     |     2     |    3

LEGEND: Risk Tolerance Threshold Line. Threshold Value (Max. Risk Tolerance) is chosen from: 1 2 3 4 5 6 7 8 9

3x3 Risk Matrix Likelihood Definitions and Impact Descriptors

Score | Likelihood      | Definition                                                                  | Impact              | Descriptor
1     | Low (<40%)      | Is unlikely to occur in normal circumstances, but could occur at some time. | Limited             | Limited adverse effect on organizational operations, organizational assets, or individuals. Loss of <33% of benefits.
2     | Medium (40-80%) | Likely to occur at some time in normal circumstances.                       | Serious             | Serious adverse effect on organizational operations, organizational assets, or individuals. Loss of 33-66% of benefits.
3     | High (>80%)     | Is highly likely to occur at some time in normal circumstances.             | Severe/Catastrophic | Severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. All potential benefits lost.

Note: Continuously monitor assets with a severe impact potential for any increase in likelihood.

5 x 5 Risk Matrix
5x5 RISK MATRIX SCORING RANGE = 1 to 25 (score = Likelihood x Impact)
Low Risk (1-5)   Moderate Risk (6-14)   High Risk (15-25)

                                     IMPACT (IF BREACH WERE TO OCCUR)
(THREAT) LIKELIHOOD  | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic
5 Almost Certain     |        5        |   10    |     15     |   20    |      25
4 Likely             |        4        |    8    |     12     |   16    |      20
3 Possible           |        3        |    6    |      9     |   12    |      15
2 Unlikely           |        2        |    4    |      6     |    8    |      10
1 Rare               |        1        |    2    |      3     |    4    |       5

LEGEND: Risk Tolerance Threshold Line. Threshold Value (Max. Risk Tolerance) is chosen from the attainable cell scores: 1 2 3 4 5 6 8 9 10 12 15 16 20 25

5x5 Risk Matrix Likelihood Definitions and Impact Descriptors

Score | Likelihood        | Definition                                                                  | Impact       | Descriptor
1     | Very Low (<20%)   | May only occur in exceptional circumstances; highly unlikely.               | Negligible   | Loss of <25% of benefits. Insignificant damage or harm to service users/public. Little or no loss of front line service. No reputation impact.
2     | Low (20-40%)      | Is unlikely to occur in normal circumstances, but could occur at some time. | Marginal     | Loss of 25-50% of benefits. Minor damage or harm to service users/public. Minor reputation impact. Moderate financial loss.
3     | Medium (40-60%)   | Likely to occur in some circumstances or at some time.                      | Significant  | Loss of 50-80% of benefits. Noticeable damage or harm to service users/public. Extensive reputation impact due to press coverage. External criticism likely. High financial impact.
4     | High (60-80%)     | Likely to occur at some time in normal circumstances.                       | Critical     | Loss of 80-100% of benefits. Major damage or harm to service users/public. High reputation impact: national press and TV coverage. Minor regulatory enforcement. Major financial impact.
5     | Very High (>80%)  | Is highly likely to occur at some time in normal circumstances.             | Catastrophic | All potential benefits lost. Critical long term damage or harm to service users/public. Critical reputation impact. Intervention by other agencies. Huge financial impact.

Note: Continuously monitor assets with a catastrophic impact potential for any increase in likelihood.

NIST FIPS 199, Table 1: POTENTIAL IMPACT

Security Objective | LOW | MODERATE | HIGH
Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Availability: Ensuring timely and reliable access to and use of information. | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Instructions: Decrease INHERENT RISK by applying SAFEGUARDS to minimize the LIKELIHOOD that a THREAT will compromise a VULNERABILITY in an information system, security policy, or internal control, so that the RESIDUAL RISK falls below the Risk Tolerance Threshold Line. Examples of mitigating controls or COUNTERMEASURES include:
1) Top 20 Critical Security Controls;
2) NIST SP 800-53 Revision 4 Security Controls;
3) Tailor NIST SP 800-53 Revision 4 Security Controls by applying Security Control Enhancements and hardening organizationally-defined values and selections;
5) Increase the Maximum Risk Tolerance Threshold value.
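The following is an added worked example, not part of the original risk matrix tables or their author's material. It encodes the 3x3 and 5x5 matrices exactly as printed above (score = likelihood x impact, the three risk bands, the attainable threshold values) and walks through the instruction block: score the inherent risk, apply safeguards that lower likelihood, and check whether the residual risk falls at or below a chosen Risk Tolerance Threshold value. The threshold value, the sample asset and the safeguard effect are constructed inputs chosen for illustration.

```python
"""Risk matrix scoring helper (added example; matrices copied from the page)."""
from __future__ import annotations
from dataclasses import dataclass

# Band boundaries and level names exactly as printed on the page.
MATRICES = {
    3: {
        "bands": ((1, 3, "Low"), (4, 6, "Moderate"), (7, 9, "High")),
        "likelihood": {1: "Rare", 2: "Possible", 3: "Almost Certain"},
        "impact": {1: "Limited", 2: "Serious", 3: "Severe"},
    },
    5: {
        "bands": ((1, 5, "Low"), (6, 14, "Moderate"), (15, 25, "High")),
        "likelihood": {1: "Rare", 2: "Unlikely", 3: "Possible",
                       4: "Likely", 5: "Almost Certain"},
        "impact": {1: "Insignificant", 2: "Minor", 3: "Moderate",
                   4: "Major", 5: "Catastrophic"},
    },
}


@dataclass(frozen=True)
class RiskScore:
    size: int          # 3 for the 3x3 matrix, 5 for the 5x5 matrix
    likelihood: int    # row index (threat likelihood)
    impact: int        # column index (impact if breach were to occur)

    @property
    def score(self) -> int:
        # Cell value = Likelihood x Impact, as in both matrices on the page.
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        for lo, hi, name in MATRICES[self.size]["bands"]:
            if lo <= self.score <= hi:
                return name
        raise ValueError(f"score {self.score} outside {self.size}x{self.size} range")

    def describe(self) -> str:
        m = MATRICES[self.size]
        return (f"{m['likelihood'][self.likelihood]} x {m['impact'][self.impact]}"
                f" = {self.score} ({self.band} Risk)")


def score_risk(size: int, likelihood: int, impact: int) -> RiskScore:
    """Validate the indices against the chosen matrix and return a RiskScore."""
    if size not in MATRICES:
        raise ValueError("matrix size must be 3 or 5")
    if not (1 <= likelihood <= size and 1 <= impact <= size):
        raise ValueError(f"likelihood and impact must be in 1..{size}")
    return RiskScore(size, likelihood, impact)


def attainable_scores(size: int) -> list[int]:
    """Distinct cell values; these are the values a threshold line can sit on."""
    return sorted({l * i for l in range(1, size + 1) for i in range(1, size + 1)})


def within_tolerance(risk: RiskScore, threshold: int) -> bool:
    """True when the score does not exceed the Max. Risk Tolerance threshold value."""
    return risk.score <= threshold


def residual_after_safeguards(risk: RiskScore, likelihood_reduction: int) -> RiskScore:
    """Safeguards lower LIKELIHOOD (per the page's instructions); impact is unchanged.
    Likelihood never drops below 1 (Rare)."""
    new_likelihood = max(1, risk.likelihood - likelihood_reduction)
    return RiskScore(risk.size, new_likelihood, risk.impact)


def needs_continuous_monitoring(risk: RiskScore) -> bool:
    """Page note: assets at the top impact level (severe / catastrophic) stay under
    continuous monitoring for any increase in likelihood, whatever the score."""
    return risk.impact == risk.size


if __name__ == "__main__":
    # Constructed scenario: a "Likely" threat against a "Catastrophic" asset on the
    # 5x5 matrix, with a hypothetical threshold value of 12 (a Moderate cell).
    threshold = 12
    inherent = score_risk(5, likelihood=4, impact=5)
    print("Inherent:", inherent.describe(), "| within tolerance:",
          within_tolerance(inherent, threshold))
    # Hypothetical safeguards drop likelihood two levels (Likely -> Unlikely).
    residual = residual_after_safeguards(inherent, likelihood_reduction=2)
    print("Residual:", residual.describe(), "| within tolerance:",
          within_tolerance(residual, threshold))
    print("Continuous monitoring still required:", needs_continuous_monitoring(residual))
```

Two points the code makes explicit that the tables only imply: a high-impact asset can fall under the threshold line through likelihood reduction alone, yet the page's monitoring note still applies to it; and on the 5x5 matrix the threshold can only be set to one of the 14 attainable cell values, which is why the page lists 1 2 3 4 5 6 8 9 10 12 15 16 20 25 rather than every integer.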
Print Date: 2/19/2014 Page 1 of 1 Contact: James W. De Rienzo