[RED] Risk Evaluation Assessment Study – The Rubicon Advisory Group

Does knowing too much about a risk unduly introduce bias into the risk assessment process?

Hypothesis

Knowing too much information, like the asset, data at risk or the threat actor, influences our ability to effectively make risk based decisions and introduces biases in how we evaluate and make assessment recommendations, and ultimately how we perceive risk.

A risk scenario in which a loss occurs that exceeds the risk appetite, should not be downplayed in the assessment process due to subconscious or conscious biases. Conversely, a risk scenario which falls within our appetite and tolerance for risk, should not be overemphasized by those same biases.

Goal

Determine if individuals consistently assess risks, with the same results, or if there is a significant deviation in their approach to the evaluation and assessments made.

Testing Details

This study will utilize A/B testing. Each pool will contain scenarios from each of the individual assessment categories (2 from Accept, 2 from Avoid, 2 from Mitigate, and 2 from Transfer) with the remaining two random scenarios being from any of the four assessment categories.

- A total of 10 scenarios will be provided to the participating assessor.
- Five of the scenarios will be represented purely based on quantitative values only.
- Five of the scenarios will be represented in qualitative terms.
- Four scenarios will be the same scenario, just presented differently.
- Two scenarios will be unrelated.

The scenario relationships have been randomized and will require evaluation and assessment being performed solely in context of the scenario displayed.

Assessment recommendation

Given the criteria provided and in context of only the scenario being viewed, review each scenario and recommend whether the scenario should be:

- Accepted – scenario is within tolerable boundaries, as defined.
- Avoided – scenario exceeds both the tolerable boundaries and value/benefit to be gained.
- Mitigated – scenario exceeds tolerable boundaries, as defined. However value to be gained is greater than the cost of mitigation.
- Transferred – scenario is a low frequency-high impact event.

As previously mentioned, the scenario relationships have been randomized and will require evaluation and assessment being performed solely in context of the scenario displayed.

Industry

Roles & Responsibilities

Industry Experience

Country

Organization Size

Scenario f8420c08771158cfcf08e3e283e02877

During COVID 19, employees working from home, but leave HIPAA information readily accessible to plain view.

The risk scenario's threat event frequency is	: rare
The threat scenario's loss magnitude is stated to be	: immaterial
The following number of control objectives are in place	: 4
The risk scenario's asset is	: Compliance/Legal
The threat actor/community in this scenario is	: internal-user-errors
The scenario event is considered to be	: Disclosure
The type of threat experienced is considered	: Accidental
This scenario's likelihood of occurrence is	: 16.79%
This event occurs	: Internal
This event is considered	: Non-Reportable

Toggle the display of Assessor Guidance criteria

The following information is provided for you to make your assessment.

Quantitative Values

Aggregated Risk Appetite	$30M per year
Max. Single Loss Event appetite	$3M per event
Standard Event Tolerance:	Three Loss Events per year
Maximum single loss event ceiling is	$3M

Qualitative Ranges - Loss Magnitudes

Immaterial	Resulting costs could between: $337K and $2.25M An event of this magnitude can easily be absorbed during normal business operations; often considered the cost of doing business.
Moderate	Resulting costs could between: $2.4M and $6.25M Organization changes to business processes, acquire new or enhance existing capabilities/controls or staff in order to adapt and meet changes to industry or market trends, additional regulatory or contractual requirements, or due to non-customer impact security incident.
Significant	Resulting costs could be between: $7.5M and $32M Organization changes required due to increased regulatory findings, introduction of new legislation, or other business impacting incident occurs.
Material	Resulting costs could be between: $33M and $75M An event of this magnitude may result in regulatory censure, an increase in oversight by industry authority, governmental consent order(s) or mandated/compelled conformance with enhanced external audit requirements.
Catastrophic	Resulting costs could exceed $76M An event of this magnitude will most likely result in the organization’s very existence being called into question; regulatory body may dissolve or restructure the organization.

Qualitative Ranges - Threat Event Frequency

Recurring	May occur every other week to once a week (24-52 times per year)
Frequent	May occur every other month or every month (6-12 times per year)
Occasional	May occur once a year to once a quarter (1-4 times per year)
Rare	May occur once every two years, but could happen.
Unlikely	May occur once every five years, but could happen.

Location & Reporting Requirement

Internal – event occurs within the organization’s management boundaries
External/Public Facing – event occurs outside of the organization’s management boundaries
Reportable – event is required to be reported to an external regulatory body
Non-Reportable – event is not-required to be reported to an external regulatory body

Event Classification

Disclosure - unintentional release of controlled/regulated information, lacking malicious intent
Interruption - disruption which prevents work to be performed or services provided
Modification – the manipulation of data from its original state
Theft – the unlawful acquisition of an asset (physical or logical)
Destruction – the act of rendering the asset unusable by the organization
Ineffective design - no control objective (i.e., policy, procedure, technology) designed for use
Ineffective execution – not properly configured resulting in a failure to perform as designed
Internal policies – define the expected behavior of business users
Internal procedures – provide the specific steps required to accomplish a process
Contractual violation – violation of requirements established under the terms and conditions of an executed contract
Regulatory violation – violation of requirements established by a regulatory body
Statutory violation – violation of requirements established by a legal authority
Inappropriate use – use which is outside of required business use or need

Threat Type

Malicious – event occurs due to deliberate malicious intent
Accidental – event occurs lacking malicious intent
Error – event occurs which is a deviation from planned accuracy or correctness
Failure – event occurs which prevents meeting the planned or intended objective
Natural – event occurs due to natural causes
Contractual requirement – requirement defined within a contract between two parties
Regulatory requirement – requirement defined by a regulatory body
Statutory requirement – requirement defined by a legal authority

How should we treat this risk?

Please provide details on why you selected this recommendation

Scenario ea1932f791630899a8a86c85a77c5061

The client estimated losses are	: $12,361,394
The scenario's median single loss event cost is	: $0
The scenario's minimum single loss event cost is	: $0
The scenario's maximum single loss event cost is	: $32,494,335
The scenario's median annual loss exposure costs	: $0
The scenario's Value at Risk is	: $26,127,854
The scenario's median loss event frequency	: 0
The scenario's minimum loss events were	: 0
The scenario's maximum loss events were	: 1
The scenario's cost of controls is	: $7,709,419
The scenario's Value & Benefit to be gained	: $9,780,884
This scenario's likelihood of occurance is	: 12.50%
Is this event internal or external?	: External
Is this event reportable?	: Reportable

Toggle the display of Assessor Guidance criteria

The following information is provided for you to make your assessment.

Quantitative Values

Aggregated Risk Appetite	$30M per year
Max. Single Loss Event appetite	$3M per event
Standard Event Tolerance:	Three Loss Events per year
Maximum single loss event ceiling is	$3M

Qualitative Ranges - Loss Magnitudes

Immaterial	Resulting costs could between: $337K and $2.25M An event of this magnitude can easily be absorbed during normal business operations; often considered the cost of doing business.
Moderate	Resulting costs could between: $2.4M and $6.25M Organization changes to business processes, acquire new or enhance existing capabilities/controls or staff in order to adapt and meet changes to industry or market trends, additional regulatory or contractual requirements, or due to non-customer impact security incident.
Significant	Resulting costs could be between: $7.5M and $32M Organization changes required due to increased regulatory findings, introduction of new legislation, or other business impacting incident occurs.
Material	Resulting costs could be between: $33M and $75M An event of this magnitude may result in regulatory censure, an increase in oversight by industry authority, governmental consent order(s) or mandated/compelled conformance with enhanced external audit requirements.
Catastrophic	Resulting costs could exceed $76M An event of this magnitude will most likely result in the organization’s very existence being called into question; regulatory body may dissolve or restructure the organization.

Qualitative Ranges - Threat Event Frequency

Recurring	May occur every other week to once a week (24-52 times per year)
Frequent	May occur every other month or every month (6-12 times per year)
Occasional	May occur once a year to once a quarter (1-4 times per year)
Rare	May occur once every two years, but could happen.
Unlikely	May occur once every five years, but could happen.

Location & Reporting Requirement

Internal – event occurs within the organization’s management boundaries
External/Public Facing – event occurs outside of the organization’s management boundaries
Reportable – event is required to be reported to an external regulatory body
Non-Reportable – event is not-required to be reported to an external regulatory body

Event Classification

Disclosure - unintentional release of controlled/regulated information, lacking malicious intent
Interruption - disruption which prevents work to be performed or services provided
Modification – the manipulation of data from its original state
Theft – the unlawful acquisition of an asset (physical or logical)
Destruction – the act of rendering the asset unusable by the organization
Ineffective design - no control objective (i.e., policy, procedure, technology) designed for use
Ineffective execution – not properly configured resulting in a failure to perform as designed
Internal policies – define the expected behavior of business users
Internal procedures – provide the specific steps required to accomplish a process
Contractual violation – violation of requirements established under the terms and conditions of an executed contract
Regulatory violation – violation of requirements established by a regulatory body
Statutory violation – violation of requirements established by a legal authority
Inappropriate use – use which is outside of required business use or need

Threat Type

Malicious – event occurs due to deliberate malicious intent
Accidental – event occurs lacking malicious intent
Error – event occurs which is a deviation from planned accuracy or correctness
Failure – event occurs which prevents meeting the planned or intended objective
Natural – event occurs due to natural causes
Contractual requirement – requirement defined within a contract between two parties
Regulatory requirement – requirement defined by a regulatory body
Statutory requirement – requirement defined by a legal authority

How should we treat this risk?

Please provide details on why you selected this recommendation

Scenario d7026463ab153871ce22727d42e47db8

Changes in State legislation created changes in payment methodology, re-characterization, order of operations, etc. in payment methodologies.

The risk scenario's threat event frequency is	: frequent
The threat scenario's loss magnitude is stated to be	: immaterial
The following number of control objectives are in place	: 3
The risk scenario's asset is	: Financial
The threat actor/commmunity in this scenario is	: State Legislation
The scenario event is considered to be	: Interruption
The type of threat experienced is considered	: Regulatory requirement
This scenario's likelihood of occurence is	: 69.88%
This event occurs	: External/Public Facing
This event is considered	: Non-Reportable

Toggle the display of Assessor Guidance criteria

The following information is provided for you to make your assessment.

Quantitative Values

Aggregated Risk Appetite	$30M per year
Max. Single Loss Event appetite	$3M per event
Standard Event Tolerance:	Three Loss Events per year
Maximum single loss event ceiling is	$3M

Qualitative Ranges - Loss Magnitudes

Immaterial	Resulting costs could between: $337K and $2.25M An event of this magnitude can easily be absorbed during normal business operations; often considered the cost of doing business.
Moderate	Resulting costs could between: $2.4M and $6.25M Organization changes to business processes, acquire new or enhance existing capabilities/controls or staff in order to adapt and meet changes to industry or market trends, additional regulatory or contractual requirements, or due to non-customer impact security incident.
Significant	Resulting costs could be between: $7.5M and $32M Organization changes required due to increased regulatory findings, introduction of new legislation, or other business impacting incident occurs.
Material	Resulting costs could be between: $33M and $75M An event of this magnitude may result in regulatory censure, an increase in oversight by industry authority, governmental consent order(s) or mandated/compelled conformance with enhanced external audit requirements.
Catastrophic	Resulting costs could exceed $76M An event of this magnitude will most likely result in the organization’s very existence being called into question; regulatory body may dissolve or restructure the organization.

Qualitative Ranges - Threat Event Frequency

Recurring	May occur every other week to once a week (24-52 times per year)
Frequent	May occur every other month or every month (6-12 times per year)
Occasional	May occur once a year to once a quarter (1-4 times per year)
Rare	May occur once every two years, but could happen.
Unlikely	May occur once every five years, but could happen.

Location & Reporting Requirement

Internal – event occurs within the organization’s management boundaries
External/Public Facing – event occurs outside of the organization’s management boundaries
Reportable – event is required to be reported to an external regulatory body
Non-Reportable – event is not-required to be reported to an external regulatory body

Event Classification

Disclosure - unintentional release of controlled/regulated information, lacking malicious intent
Interruption - disruption which prevents work to be performed or services provided
Modification – the manipulation of data from its original state
Theft – the unlawful acquisition of an asset (physical or logical)
Destruction – the act of rendering the asset unusable by the organization
Ineffective design - no control objective (i.e., policy, procedure, technology) designed for use
Ineffective execution – not properly configured resulting in a failure to perform as designed
Internal policies – define the expected behavior of business users
Internal procedures – provide the specific steps required to accomplish a process
Contractual violation – violation of requirements established under the terms and conditions of an executed contract
Regulatory violation – violation of requirements established by a regulatory body
Statutory violation – violation of requirements established by a legal authority
Inappropriate use – use which is outside of required business use or need

Threat Type

Malicious – event occurs due to deliberate malicious intent
Accidental – event occurs lacking malicious intent
Error – event occurs which is a deviation from planned accuracy or correctness
Failure – event occurs which prevents meeting the planned or intended objective
Natural – event occurs due to natural causes
Contractual requirement – requirement defined within a contract between two parties
Regulatory requirement – requirement defined by a regulatory body
Statutory requirement – requirement defined by a legal authority

How should we treat this risk?

Please provide details on why you selected this recommendation

Scenario 2ce75343f983496b58f8983ed8866049

The client estimated losses are	: $1,622,425
The scenario's median single loss event cost is	: $1,415,489
The scenario's minimum single loss event cost is	: $339,853
The scenario's maximum single loss event cost is	: $2,249,410
The scenario's median annual loss exposure costs	: $3,021,438
The scenario's Value at Risk is	: $5,178,229
The scenario's median loss event frequency	: 2
The scenario's minimum loss events were	: 1
The scenario's maximum loss events were	: 4
The scenario's cost of controls is	: $2,004,261
The scenario's Value & Benefit to be gained	: $2,457,845
This scenario's likelihood of occurance is	: 54.12%
Is this event internal or external?	: Internal
Is this event reportable?	: Non-Reportable

Toggle the display of Assessor Guidance criteria

The following information is provided for you to make your assessment.

Quantitative Values

Aggregated Risk Appetite	$30M per year
Max. Single Loss Event appetite	$3M per event
Standard Event Tolerance:	Three Loss Events per year
Maximum single loss event ceiling is	$3M

Qualitative Ranges - Loss Magnitudes

Immaterial	Resulting costs could between: $337K and $2.25M An event of this magnitude can easily be absorbed during normal business operations; often considered the cost of doing business.
Moderate	Resulting costs could between: $2.4M and $6.25M Organization changes to business processes, acquire new or enhance existing capabilities/controls or staff in order to adapt and meet changes to industry or market trends, additional regulatory or contractual requirements, or due to non-customer impact security incident.
Significant	Resulting costs could be between: $7.5M and $32M Organization changes required due to increased regulatory findings, introduction of new legislation, or other business impacting incident occurs.
Material	Resulting costs could be between: $33M and $75M An event of this magnitude may result in regulatory censure, an increase in oversight by industry authority, governmental consent order(s) or mandated/compelled conformance with enhanced external audit requirements.
Catastrophic	Resulting costs could exceed $76M An event of this magnitude will most likely result in the organization’s very existence being called into question; regulatory body may dissolve or restructure the organization.

Qualitative Ranges - Threat Event Frequency

Recurring	May occur every other week to once a week (24-52 times per year)
Frequent	May occur every other month or every month (6-12 times per year)
Occasional	May occur once a year to once a quarter (1-4 times per year)
Rare	May occur once every two years, but could happen.
Unlikely	May occur once every five years, but could happen.

Location & Reporting Requirement

Internal – event occurs within the organization’s management boundaries
External/Public Facing – event occurs outside of the organization’s management boundaries
Reportable – event is required to be reported to an external regulatory body
Non-Reportable – event is not-required to be reported to an external regulatory body

Event Classification

Disclosure - unintentional release of controlled/regulated information, lacking malicious intent
Interruption - disruption which prevents work to be performed or services provided
Modification – the manipulation of data from its original state
Theft – the unlawful acquisition of an asset (physical or logical)
Destruction – the act of rendering the asset unusable by the organization
Ineffective design - no control objective (i.e., policy, procedure, technology) designed for use
Ineffective execution – not properly configured resulting in a failure to perform as designed
Internal policies – define the expected behavior of business users
Internal procedures – provide the specific steps required to accomplish a process
Contractual violation – violation of requirements established under the terms and conditions of an executed contract
Regulatory violation – violation of requirements established by a regulatory body
Statutory violation – violation of requirements established by a legal authority
Inappropriate use – use which is outside of required business use or need

Threat Type

Malicious – event occurs due to deliberate malicious intent
Accidental – event occurs lacking malicious intent
Error – event occurs which is a deviation from planned accuracy or correctness
Failure – event occurs which prevents meeting the planned or intended objective
Natural – event occurs due to natural causes
Contractual requirement – requirement defined within a contract between two parties
Regulatory requirement – requirement defined by a regulatory body
Statutory requirement – requirement defined by a legal authority

How should we treat this risk?

Please provide details on why you selected this recommendation

Scenario 9328b9f40b83a09e8eea1effe8dd3ba1

A lack of intrusion detection and prevention at multiple layers of the network allows a skilled threat actor to exfiltrate patient PHI. Approximately 250,000 unique customer records.

The risk scenario's threat event frequency is	: rare
The threat scenario's loss magnitude is stated to be	: significant
The following number of control objectives are in place	: 4
The risk scenario's asset is	: Customer Data
The threat actor/commmunity in this scenario is	: criminal-syndicate
The scenario event is considered to be	: Theft
The type of threat experienced is considered	: Malicious
This scenario's likelihood of occurence is	: 12.50%
This event occurs	: External/Public Facing
This event is considered	: Reportable

Toggle the display of Assessor Guidance criteria

The following information is provided for you to make your assessment.

Quantitative Values

Aggregated Risk Appetite	$30M per year
Max. Single Loss Event appetite	$3M per event
Standard Event Tolerance:	Three Loss Events per year
Maximum single loss event ceiling is	$3M

Qualitative Ranges - Loss Magnitudes

Immaterial	Resulting costs could between: $337K and $2.25M An event of this magnitude can easily be absorbed during normal business operations; often considered the cost of doing business.
Moderate	Resulting costs could between: $2.4M and $6.25M Organization changes to business processes, acquire new or enhance existing capabilities/controls or staff in order to adapt and meet changes to industry or market trends, additional regulatory or contractual requirements, or due to non-customer impact security incident.
Significant	Resulting costs could be between: $7.5M and $32M Organization changes required due to increased regulatory findings, introduction of new legislation, or other business impacting incident occurs.
Material	Resulting costs could be between: $33M and $75M An event of this magnitude may result in regulatory censure, an increase in oversight by industry authority, governmental consent order(s) or mandated/compelled conformance with enhanced external audit requirements.
Catastrophic	Resulting costs could exceed $76M An event of this magnitude will most likely result in the organization’s very existence being called into question; regulatory body may dissolve or restructure the organization.

Qualitative Ranges - Threat Event Frequency

Recurring	May occur every other week to once a week (24-52 times per year)
Frequent	May occur every other month or every month (6-12 times per year)
Occasional	May occur once a year to once a quarter (1-4 times per year)
Rare	May occur once every two years, but could happen.
Unlikely	May occur once every five years, but could happen.

Location & Reporting Requirement

Internal – event occurs within the organization’s management boundaries
External/Public Facing – event occurs outside of the organization’s management boundaries
Reportable – event is required to be reported to an external regulatory body
Non-Reportable – event is not-required to be reported to an external regulatory body

Event Classification

Disclosure - unintentional release of controlled/regulated information, lacking malicious intent
Interruption - disruption which prevents work to be performed or services provided
Modification – the manipulation of data from its original state
Theft – the unlawful acquisition of an asset (physical or logical)
Destruction – the act of rendering the asset unusable by the organization
Ineffective design - no control objective (i.e., policy, procedure, technology) designed for use
Ineffective execution – not properly configured resulting in a failure to perform as designed
Internal policies – define the expected behavior of business users
Internal procedures – provide the specific steps required to accomplish a process
Contractual violation – violation of requirements established under the terms and conditions of an executed contract
Regulatory violation – violation of requirements established by a regulatory body
Statutory violation – violation of requirements established by a legal authority
Inappropriate use – use which is outside of required business use or need

Threat Type

Malicious – event occurs due to deliberate malicious intent
Accidental – event occurs lacking malicious intent
Error – event occurs which is a deviation from planned accuracy or correctness
Failure – event occurs which prevents meeting the planned or intended objective
Natural – event occurs due to natural causes
Contractual requirement – requirement defined within a contract between two parties
Regulatory requirement – requirement defined by a regulatory body
Statutory requirement – requirement defined by a legal authority

How should we treat this risk?

Please provide details on why you selected this recommendation

Scenario e88910a2896897ebf43665f5c26cf29a

The client estimated losses are	: $1,622,425
The scenario's median single loss event cost is	: $1,422,478
The scenario's minimum single loss event cost is	: $339,956
The scenario's maximum single loss event cost is	: $2,249,880
The scenario's median annual loss exposure costs	: $11,655,981
The scenario's Value at Risk is	: $15,577,314
The scenario's median loss event frequency	: 8
The scenario's minimum loss events were	: 6
The scenario's maximum loss events were	: 12
The scenario's cost of controls is	: $6,029,282
The scenario's Value & Benefit to be gained	: $7,393,768
This scenario's likelihood of occurance is	: 69.88%
Is this event internal or external?	: External
Is this event reportable?	: Non-Reportable

Toggle the display of Assessor Guidance criteria

The following information is provided for you to make your assessment.

Quantitative Values

Aggregated Risk Appetite	$30M per year
Max. Single Loss Event appetite	$3M per event
Standard Event Tolerance:	Three Loss Events per year
Maximum single loss event ceiling is	$3M

Qualitative Ranges - Loss Magnitudes

Immaterial	Resulting costs could between: $337K and $2.25M An event of this magnitude can easily be absorbed during normal business operations; often considered the cost of doing business.
Moderate	Resulting costs could between: $2.4M and $6.25M Organization changes to business processes, acquire new or enhance existing capabilities/controls or staff in order to adapt and meet changes to industry or market trends, additional regulatory or contractual requirements, or due to non-customer impact security incident.
Significant	Resulting costs could be between: $7.5M and $32M Organization changes required due to increased regulatory findings, introduction of new legislation, or other business impacting incident occurs.
Material	Resulting costs could be between: $33M and $75M An event of this magnitude may result in regulatory censure, an increase in oversight by industry authority, governmental consent order(s) or mandated/compelled conformance with enhanced external audit requirements.
Catastrophic	Resulting costs could exceed $76M An event of this magnitude will most likely result in the organization’s very existence being called into question; regulatory body may dissolve or restructure the organization.

Qualitative Ranges - Threat Event Frequency

Recurring	May occur every other week to once a week (24-52 times per year)
Frequent	May occur every other month or every month (6-12 times per year)
Occasional	May occur once a year to once a quarter (1-4 times per year)
Rare	May occur once every two years, but could happen.
Unlikely	May occur once every five years, but could happen.

Location & Reporting Requirement

Internal – event occurs within the organization’s management boundaries
External/Public Facing – event occurs outside of the organization’s management boundaries
Reportable – event is required to be reported to an external regulatory body
Non-Reportable – event is not-required to be reported to an external regulatory body

Event Classification

Disclosure - unintentional release of controlled/regulated information, lacking malicious intent
Interruption - disruption which prevents work to be performed or services provided
Modification – the manipulation of data from its original state
Theft – the unlawful acquisition of an asset (physical or logical)
Destruction – the act of rendering the asset unusable by the organization
Ineffective design - no control objective (i.e., policy, procedure, technology) designed for use
Ineffective execution – not properly configured resulting in a failure to perform as designed
Internal policies – define the expected behavior of business users
Internal procedures – provide the specific steps required to accomplish a process
Contractual violation – violation of requirements established under the terms and conditions of an executed contract
Regulatory violation – violation of requirements established by a regulatory body
Statutory violation – violation of requirements established by a legal authority
Inappropriate use – use which is outside of required business use or need

Threat Type

Malicious – event occurs due to deliberate malicious intent
Accidental – event occurs lacking malicious intent
Error – event occurs which is a deviation from planned accuracy or correctness
Failure – event occurs which prevents meeting the planned or intended objective
Natural – event occurs due to natural causes
Contractual requirement – requirement defined within a contract between two parties
Regulatory requirement – requirement defined by a regulatory body
Statutory requirement – requirement defined by a legal authority

How should we treat this risk?

Please provide details on why you selected this recommendation

Scenario 69730a05d0c876625575d95477f9e130

IT Management wants emergency approval to patch a new zero-day exploit that was recently reported and affects 100 servers on the internal network which are not public facing. Approving the request would mean that there would be losses associated with business operations, as this would require surging the current IT staff (8 full time employees) with 18 external contractors for a period of four weeks to implement, a network outage of 120 hours to 192 hours (impacting employee productivity and disrupting the business) to fix, and delaying two key business initiatives for between four to six weeks.

The risk scenario's threat event frequency is	: Occassional
The threat scenario's loss magnitude is stated to be	: Material
The following number of control objectives are in place	: 12
The risk scenario's asset is	: Organization
The threat actor/commmunity in this scenario is	: information-technology-department
The scenario event is considered to be	: Ineffective execution
The type of threat experienced is considered	: Failure
This scenario's likelihood of occurence is	: 92.13%
This event occurs	: Internal
This event is considered	: Non-Reportable

Toggle the display of Assessor Guidance criteria

The following information is provided for you to make your assessment.

Quantitative Values

Aggregated Risk Appetite	$30M per year
Max. Single Loss Event appetite	$3M per event
Standard Event Tolerance:	Three Loss Events per year
Maximum single loss event ceiling is	$3M

Qualitative Ranges - Loss Magnitudes

Immaterial	Resulting costs could between: $337K and $2.25M An event of this magnitude can easily be absorbed during normal business operations; often considered the cost of doing business.
Moderate	Resulting costs could between: $2.4M and $6.25M Organization changes to business processes, acquire new or enhance existing capabilities/controls or staff in order to adapt and meet changes to industry or market trends, additional regulatory or contractual requirements, or due to non-customer impact security incident.
Significant	Resulting costs could be between: $7.5M and $32M Organization changes required due to increased regulatory findings, introduction of new legislation, or other business impacting incident occurs.
Material	Resulting costs could be between: $33M and $75M An event of this magnitude may result in regulatory censure, an increase in oversight by industry authority, governmental consent order(s) or mandated/compelled conformance with enhanced external audit requirements.
Catastrophic	Resulting costs could exceed $76M An event of this magnitude will most likely result in the organization’s very existence being called into question; regulatory body may dissolve or restructure the organization.

Qualitative Ranges - Threat Event Frequency

Recurring	May occur every other week to once a week (24-52 times per year)
Frequent	May occur every other month or every month (6-12 times per year)
Occasional	May occur once a year to once a quarter (1-4 times per year)
Rare	May occur once every two years, but could happen.
Unlikely	May occur once every five years, but could happen.

Location & Reporting Requirement

Internal – event occurs within the organization’s management boundaries
External/Public Facing – event occurs outside of the organization’s management boundaries
Reportable – event is required to be reported to an external regulatory body
Non-Reportable – event is not-required to be reported to an external regulatory body

Event Classification

Disclosure - unintentional release of controlled/regulated information, lacking malicious intent
Interruption - disruption which prevents work to be performed or services provided
Modification – the manipulation of data from its original state
Theft – the unlawful acquisition of an asset (physical or logical)
Destruction – the act of rendering the asset unusable by the organization
Ineffective design - no control objective (i.e., policy, procedure, technology) designed for use
Ineffective execution – not properly configured resulting in a failure to perform as designed
Internal policies – define the expected behavior of business users
Internal procedures – provide the specific steps required to accomplish a process
Contractual violation – violation of requirements established under the terms and conditions of an executed contract
Regulatory violation – violation of requirements established by a regulatory body
Statutory violation – violation of requirements established by a legal authority
Inappropriate use – use which is outside of required business use or need

Threat Type

Malicious – event occurs due to deliberate malicious intent
Accidental – event occurs lacking malicious intent
Error – event occurs which is a deviation from planned accuracy or correctness
Failure – event occurs which prevents meeting the planned or intended objective
Natural – event occurs due to natural causes
Contractual requirement – requirement defined within a contract between two parties
Regulatory requirement – requirement defined by a regulatory body
Statutory requirement – requirement defined by a legal authority

How should we treat this risk?

Please provide details on why you selected this recommendation

Scenario 912c1ee061897d9dd187f5c94948dd37

The client estimated losses are	: $1,622,425
The scenario's median single loss event cost is	: $0
The scenario's minimum single loss event cost is	: $0
The scenario's maximum single loss event cost is	: $2,249,683
The scenario's median annual loss exposure costs	: $0
The scenario's Value at Risk is	: $1,587,767
The scenario's median loss event frequency	: 0
The scenario's minimum loss events were	: 0
The scenario's maximum loss events were	: 1
The scenario's cost of controls is	: $614,554
The scenario's Value & Benefit to be gained	: $753,633
This scenario's likelihood of occurance is	: 16.79%
Is this event internal or external?	: Internal
Is this event reportable?	: Non-Reportable

Toggle the display of Assessor Guidance criteria

The following information is provided for you to make your assessment.

Quantitative Values

Aggregated Risk Appetite	$30M per year
Max. Single Loss Event appetite	$3M per event
Standard Event Tolerance:	Three Loss Events per year
Maximum single loss event ceiling is	$3M

Qualitative Ranges - Loss Magnitudes

Immaterial	Resulting costs could between: $337K and $2.25M An event of this magnitude can easily be absorbed during normal business operations; often considered the cost of doing business.
Moderate	Resulting costs could between: $2.4M and $6.25M Organization changes to business processes, acquire new or enhance existing capabilities/controls or staff in order to adapt and meet changes to industry or market trends, additional regulatory or contractual requirements, or due to non-customer impact security incident.
Significant	Resulting costs could be between: $7.5M and $32M Organization changes required due to increased regulatory findings, introduction of new legislation, or other business impacting incident occurs.
Material	Resulting costs could be between: $33M and $75M An event of this magnitude may result in regulatory censure, an increase in oversight by industry authority, governmental consent order(s) or mandated/compelled conformance with enhanced external audit requirements.
Catastrophic	Resulting costs could exceed $76M An event of this magnitude will most likely result in the organization’s very existence being called into question; regulatory body may dissolve or restructure the organization.

Qualitative Ranges - Threat Event Frequency

Recurring	May occur every other week to once a week (24-52 times per year)
Frequent	May occur every other month or every month (6-12 times per year)
Occasional	May occur once a year to once a quarter (1-4 times per year)
Rare	May occur once every two years, but could happen.
Unlikely	May occur once every five years, but could happen.

Location & Reporting Requirement

Internal – event occurs within the organization’s management boundaries
External/Public Facing – event occurs outside of the organization’s management boundaries
Reportable – event is required to be reported to an external regulatory body
Non-Reportable – event is not-required to be reported to an external regulatory body

Event Classification

Disclosure - unintentional release of controlled/regulated information, lacking malicious intent
Interruption - disruption which prevents work to be performed or services provided
Modification – the manipulation of data from its original state
Theft – the unlawful acquisition of an asset (physical or logical)
Destruction – the act of rendering the asset unusable by the organization
Ineffective design - no control objective (i.e., policy, procedure, technology) designed for use
Ineffective execution – not properly configured resulting in a failure to perform as designed
Internal policies – define the expected behavior of business users
Internal procedures – provide the specific steps required to accomplish a process
Contractual violation – violation of requirements established under the terms and conditions of an executed contract
Regulatory violation – violation of requirements established by a regulatory body
Statutory violation – violation of requirements established by a legal authority
Inappropriate use – use which is outside of required business use or need

Threat Type

Malicious – event occurs due to deliberate malicious intent
Accidental – event occurs lacking malicious intent
Error – event occurs which is a deviation from planned accuracy or correctness
Failure – event occurs which prevents meeting the planned or intended objective
Natural – event occurs due to natural causes
Contractual requirement – requirement defined within a contract between two parties
Regulatory requirement – requirement defined by a regulatory body
Statutory requirement – requirement defined by a legal authority

How should we treat this risk?

Please provide details on why you selected this recommendation

Scenario 49a01bb402d68fbf88779af8e3b19e57

Third party business email compromise results in successful targeted spear phishing attack, compromising credentials and access to and exfiltration of confidential information.

The risk scenario's threat event frequency is	: occasional
The threat scenario's loss magnitude is stated to be	: moderate
The following number of control objectives are in place	: 5
The risk scenario's asset is	: Business Data/Information
The threat actor/commmunity in this scenario is	: external-attacker
The scenario event is considered to be	: Theft
The type of threat experienced is considered	: Malicious
This scenario's likelihood of occurence is	: 54.12%
This event occurs	: External/Public Facing
This event is considered	: Reportable

Toggle the display of Assessor Guidance criteria

The following information is provided for you to make your assessment.

Quantitative Values

Aggregated Risk Appetite	$30M per year
Max. Single Loss Event appetite	$3M per event
Standard Event Tolerance:	Three Loss Events per year
Maximum single loss event ceiling is	$3M

Qualitative Ranges - Loss Magnitudes

Immaterial	Resulting costs could between: $337K and $2.25M An event of this magnitude can easily be absorbed during normal business operations; often considered the cost of doing business.
Moderate	Resulting costs could between: $2.4M and $6.25M Organization changes to business processes, acquire new or enhance existing capabilities/controls or staff in order to adapt and meet changes to industry or market trends, additional regulatory or contractual requirements, or due to non-customer impact security incident.
Significant	Resulting costs could be between: $7.5M and $32M Organization changes required due to increased regulatory findings, introduction of new legislation, or other business impacting incident occurs.
Material	Resulting costs could be between: $33M and $75M An event of this magnitude may result in regulatory censure, an increase in oversight by industry authority, governmental consent order(s) or mandated/compelled conformance with enhanced external audit requirements.
Catastrophic	Resulting costs could exceed $76M An event of this magnitude will most likely result in the organization’s very existence being called into question; regulatory body may dissolve or restructure the organization.

Qualitative Ranges - Threat Event Frequency

Recurring	May occur every other week to once a week (24-52 times per year)
Frequent	May occur every other month or every month (6-12 times per year)
Occasional	May occur once a year to once a quarter (1-4 times per year)
Rare	May occur once every two years, but could happen.
Unlikely	May occur once every five years, but could happen.

Location & Reporting Requirement

Internal – event occurs within the organization’s management boundaries
External/Public Facing – event occurs outside of the organization’s management boundaries
Reportable – event is required to be reported to an external regulatory body
Non-Reportable – event is not-required to be reported to an external regulatory body

Event Classification

Disclosure - unintentional release of controlled/regulated information, lacking malicious intent
Interruption - disruption which prevents work to be performed or services provided
Modification – the manipulation of data from its original state
Theft – the unlawful acquisition of an asset (physical or logical)
Destruction – the act of rendering the asset unusable by the organization
Ineffective design - no control objective (i.e., policy, procedure, technology) designed for use
Ineffective execution – not properly configured resulting in a failure to perform as designed
Internal policies – define the expected behavior of business users
Internal procedures – provide the specific steps required to accomplish a process
Contractual violation – violation of requirements established under the terms and conditions of an executed contract
Regulatory violation – violation of requirements established by a regulatory body
Statutory violation – violation of requirements established by a legal authority
Inappropriate use – use which is outside of required business use or need

Threat Type

Malicious – event occurs due to deliberate malicious intent
Accidental – event occurs lacking malicious intent
Error – event occurs which is a deviation from planned accuracy or correctness
Failure – event occurs which prevents meeting the planned or intended objective
Natural – event occurs due to natural causes
Contractual requirement – requirement defined within a contract between two parties
Regulatory requirement – requirement defined by a regulatory body
Statutory requirement – requirement defined by a legal authority

How should we treat this risk?

Please provide details on why you selected this recommendation

Scenario 2a3ca14e6217d4a49a8d8554d268ddd7

The client estimated losses are	: $32,660,107
The scenario's median single loss event cost is	: $47,861,641
The scenario's minimum single loss event cost is	: $33,350,700
The scenario's maximum single loss event cost is	: $62,372,582
The scenario's median annual loss exposure costs	: $37,340,599
The scenario's Value at Risk is	: $42,062,689
The scenario's median loss event frequency	: 1
The scenario's minimum loss events were	: 0
The scenario's maximum loss events were	: 4
The scenario's cost of controls is	: $13,859,206
The scenario's Value & Benefit to be gained	: $4,422,009
This scenario's likelihood of occurance is	: 92.13%
Is this event internal or external?	: Internal
Is this event reportable?	: Non-Reportable

Toggle the display of Assessor Guidance criteria

The following information is provided for you to make your assessment.

Quantitative Values

Aggregated Risk Appetite	$30M per year
Max. Single Loss Event appetite	$3M per event
Standard Event Tolerance:	Three Loss Events per year
Maximum single loss event ceiling is	$3M

Qualitative Ranges - Loss Magnitudes

Immaterial	Resulting costs could between: $337K and $2.25M An event of this magnitude can easily be absorbed during normal business operations; often considered the cost of doing business.
Moderate	Resulting costs could between: $2.4M and $6.25M Organization changes to business processes, acquire new or enhance existing capabilities/controls or staff in order to adapt and meet changes to industry or market trends, additional regulatory or contractual requirements, or due to non-customer impact security incident.
Significant	Resulting costs could be between: $7.5M and $32M Organization changes required due to increased regulatory findings, introduction of new legislation, or other business impacting incident occurs.
Material	Resulting costs could be between: $33M and $75M An event of this magnitude may result in regulatory censure, an increase in oversight by industry authority, governmental consent order(s) or mandated/compelled conformance with enhanced external audit requirements.
Catastrophic	Resulting costs could exceed $76M An event of this magnitude will most likely result in the organization’s very existence being called into question; regulatory body may dissolve or restructure the organization.

Qualitative Ranges - Threat Event Frequency

Recurring	May occur every other week to once a week (24-52 times per year)
Frequent	May occur every other month or every month (6-12 times per year)
Occasional	May occur once a year to once a quarter (1-4 times per year)
Rare	May occur once every two years, but could happen.
Unlikely	May occur once every five years, but could happen.

Location & Reporting Requirement

Internal – event occurs within the organization’s management boundaries
External/Public Facing – event occurs outside of the organization’s management boundaries
Reportable – event is required to be reported to an external regulatory body
Non-Reportable – event is not-required to be reported to an external regulatory body

Event Classification

Disclosure - unintentional release of controlled/regulated information, lacking malicious intent
Interruption - disruption which prevents work to be performed or services provided
Modification – the manipulation of data from its original state
Theft – the unlawful acquisition of an asset (physical or logical)
Destruction – the act of rendering the asset unusable by the organization
Ineffective design - no control objective (i.e., policy, procedure, technology) designed for use
Ineffective execution – not properly configured resulting in a failure to perform as designed
Internal policies – define the expected behavior of business users
Internal procedures – provide the specific steps required to accomplish a process
Contractual violation – violation of requirements established under the terms and conditions of an executed contract
Regulatory violation – violation of requirements established by a regulatory body
Statutory violation – violation of requirements established by a legal authority
Inappropriate use – use which is outside of required business use or need

Threat Type

Malicious – event occurs due to deliberate malicious intent
Accidental – event occurs lacking malicious intent
Error – event occurs which is a deviation from planned accuracy or correctness
Failure – event occurs which prevents meeting the planned or intended objective
Natural – event occurs due to natural causes
Contractual requirement – requirement defined within a contract between two parties
Regulatory requirement – requirement defined by a regulatory body
Statutory requirement – requirement defined by a legal authority

How should we treat this risk?

Please provide details on why you selected this recommendation

If you are interested in receiving the results of the study please provide your email address below: