4. Determine the Likelihood of a Threat Exploiting a Vulnerability.

In this step, the regulated entity determines the likelihood of a threat successfully exploiting a vulnerability. For each threat event/threat source identified in step 2, consider:
• The likelihood that the threat will occur
• The likelihood that the threat, once it has occurred, would exploit a vulnerability identified in step 3 and result in an adverse impact
A regulated entity might consider assigning a likelihood value (e.g., very low, low, moderate, high, or very high) to each threat/vulnerability pairing, as shown in Table 3.
Regulated entities should feel free to use a different likelihood scale based on organizational needs.
For example, a regulated entity may determine that the likelihood of a tornado occurring is “Low” (located along the leftmost column of Table 3) but that if it did occur, the tornado would have a “Moderate” likelihood (located along the top of Table 3) of exploiting a weakness in the facility’s physical structure and resulting in an adverse impact.
Using Table 3, the regulated entity locates the intersection of the two individual likelihood values to assign an overall likelihood of “Low” to this threat/vulnerability pairing. As another example, the regulated entity may determine that the likelihood of a phishing attack occurring is “Very High” and that the likelihood of the event exploiting a human vulnerability is “Moderate,” resulting in an overall likelihood rating of “High.”
Table 3 – Assessment Scale for Overall Likelihood

Rows: Likelihood of Threat Event Initiation or Occurrence. Columns: Likelihood that Threat Events Result in Adverse Impacts. Each cell is the overall likelihood for that pairing.

Occurrence \ Adverse impact | Very Low | Low      | Moderate | High      | Very High
Very High                   | Low      | Moderate | High     | Very High | Very High
High                        | Low      | Moderate | Moderate | High      | Very High
Moderate                    | Low      | Low      | Moderate | Moderate  | High
Low                         | Very Low | Low      | Low      | Moderate  | Moderate
Very Low                    | Very Low | Very Low | Very Low | Low       | Low
The regulated entity could perform this likelihood assessment for each threat/vulnerability pairing. Consider that some threat events, regardless of their likelihood of occurrence, may have no vulnerability to exploit, resulting in a likelihood rating of “Very Low” or even “N/A.” Conversely, some identified vulnerabilities may have no identified threat event that could exploit the vulnerability, also possibly resulting in a likelihood rating of “N/A.”
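The following is an added example, not part of the original guidance, showing how step 4 can be carried out over a register of threat/vulnerability pairings: Table 3 is encoded as a lookup, each pairing is rated at the intersection of its two individual likelihood values, and pairings with no vulnerability or no threat are rated "N/A" as the paragraph above describes. Because the guidance allows an entity to substitute its own scale, the example also validates a scale before use (every level covered, only known values, and no cell that rates a pairing lower when either input gets higher); that validator, the Pairing record and the sample register are assumptions of this example, and the register entries are constructed sample data.

```python
"""Overall-likelihood lookup for threat/vulnerability pairings (Table 3 scale).

Added example; not part of the original guidance. The pairings below are
constructed sample data, and the custom-scale validator is an addition
for entities that choose their own scale.
"""
from dataclasses import dataclass
from typing import Optional

# Ordinal likelihood levels, lowest to highest.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
RANK = {level: i for i, level in enumerate(LEVELS)}

# Table 3. Row key: likelihood of threat event initiation/occurrence.
# Cells: overall likelihood, indexed by the likelihood that the event
# results in adverse impact, in LEVELS order (Very Low .. Very High).
TABLE_3 = {
    "Very High": ["Low", "Moderate", "High", "Very High", "Very High"],
    "High":      ["Low", "Moderate", "Moderate", "High", "Very High"],
    "Moderate":  ["Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Moderate", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def overall_likelihood(occurrence: str, adverse_impact: str, table=TABLE_3) -> str:
    """Intersection of the two individual likelihood values in the table."""
    if occurrence not in table or adverse_impact not in RANK:
        raise ValueError(f"unknown likelihood level: {occurrence!r}/{adverse_impact!r}")
    return table[occurrence][RANK[adverse_impact]]


def validate_scale(table, levels=LEVELS) -> list:
    """Sanity-check a (possibly custom) scale before using it.

    A usable scale covers every level in both dimensions, uses only known
    values, and never rates a pairing lower when either input gets higher.
    Returns a list of problems; an empty list means the scale is consistent.
    """
    rank = {level: i for i, level in enumerate(levels)}
    if set(table) != set(levels):
        return ["row labels must be exactly the likelihood levels"]
    for label in levels:
        if len(table[label]) != len(levels):
            return [f"row {label!r} has {len(table[label])} cells, expected {len(levels)}"]
        for cell in table[label]:
            if cell not in rank:
                return [f"row {label!r} contains unknown value {cell!r}"]
    problems = []
    for label in levels:  # left to right: adverse-impact likelihood increases
        row = table[label]
        for a, b in zip(row, row[1:]):
            if rank[a] > rank[b]:
                problems.append(f"row {label!r}: {a!r} then {b!r} decreases")
    for col, col_label in enumerate(levels):  # Very Low row up to Very High row
        column = [table[label][col] for label in levels]
        for a, b in zip(column, column[1:]):
            if rank[a] > rank[b]:
                problems.append(f"column {col_label!r}: {a!r} then {b!r} decreases")
    return problems


@dataclass
class Pairing:
    """One threat/vulnerability pairing from steps 2 and 3 (hypothetical record
    type). A missing threat or missing vulnerability is modelled as None."""
    threat: Optional[str]
    vulnerability: Optional[str]
    occurrence: Optional[str] = None      # likelihood the threat occurs
    adverse_impact: Optional[str] = None  # likelihood it exploits the vulnerability


def assess(pairings, table=TABLE_3) -> list:
    """Rate every pairing; pairings with no threat or no vulnerability get N/A."""
    problems = validate_scale(table)
    if problems:
        raise ValueError("inconsistent scale: " + "; ".join(problems))
    results = []
    for p in pairings:
        if p.threat is None or p.vulnerability is None:
            rating = "N/A"
        else:
            rating = overall_likelihood(p.occurrence, p.adverse_impact, table)
        results.append({"threat": p.threat, "vulnerability": p.vulnerability, "overall": rating})
    return results


# Constructed sample register (illustrative only).
SAMPLE_PAIRINGS = [
    Pairing("Tornado", "Facility physical structure", "Low", "Moderate"),
    Pairing("Phishing", "Staff susceptible to social engineering", "Very High", "Moderate"),
    Pairing("Solar flare", None, "Moderate"),               # threat with no vulnerability to exploit
    Pairing(None, "Unpatched legacy imaging workstation"),  # vulnerability with no identified threat
]

if __name__ == "__main__":
    for row in assess(SAMPLE_PAIRINGS):
        print(f"{row['overall']:9s}  {row['threat'] or '(none)'} / {row['vulnerability'] or '(none)'}")
```

Running the block rates the tornado pairing "Low" and the phishing pairing "High", matching the two worked examples above, and rates the two incomplete pairings "N/A". The validator is the check worth keeping when a different scale is adopted: a cell that drops as either input rises is almost always a transcription error, and catching it before the scale is applied across the whole register is cheaper than re-rating afterwards.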