
Risks and their management

Within the framework of the National eGovernment Architecture, we support the reduction or elimination of risks with recommendations and methodological materials produced by the NCGIB:

The following equation is used to calculate the risk level of each asset:

Risk = Impact × Threat × Vulnerability

The resulting risk is given as a percentage. Risk is the arithmetic average based on the other attributes included, that is, the arithmetic average of the impact, threat and vulnerability values. To determine the resulting risk level, it is first necessary to determine the value ratios of these attributes.

At the outset, we need to answer the following questions:

  • Which rating scale do we want to use?
  • How many grades should it have? And what should we name them?
  • Is our chosen scale in line with current legislation?
  • Will we be able to use the scale in future analyses?

It is up to you how you answer these questions. For example, you may choose a three-level rating (low-medium-high), a rating based only on percentages (25%, 50%, 75%), or a rating based on abbreviations, letters or statuses (alpha, bravo, charlie…). In any case, you must be able to express all grades, whatever you call them, in numerical form so that you can calculate the resulting risk. A classic four-stage status scale might look like this:

  • Low: up to 25%
  • Medium: 26-50%
  • High: 51-75%
  • Critical: 76-100%
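
As an added example (not part of the original page or of any NCGIB material), the Python code below converts ratings to numbers, computes the risk both by the equation above and as the arithmetic average the text describes, and maps each result onto the four-stage scale. The three-level grade mapping, the treatment of each grade's upper bound as inclusive, and the sample asset register are assumptions made for illustration.

```python
from fractions import Fraction

# Assumption: a three-level rating mapped to the percentages the page mentions.
GRADES = {"low": 25, "medium": 50, "high": 75}
# Four-stage status scale from the page: (inclusive upper bound in %, name).
BANDS = [(25, "Low"), (50, "Medium"), (75, "High"), (100, "Critical")]

def to_value(rating):
    """Turn a grade name or a percentage into an exact fraction in 0..1."""
    if isinstance(rating, str):
        key = rating.strip().lower()
        if key not in GRADES:
            raise ValueError(f"unknown grade: {rating!r}")
        rating = GRADES[key]
    value = Fraction(str(rating)) / 100
    if not 0 <= value <= 1:
        raise ValueError(f"rating out of range: {rating!r}")
    return value

def risk_product(impact, threat, vulnerability):
    """Risk = Impact x Threat x Vulnerability, in percent."""
    i, t, v = map(to_value, (impact, threat, vulnerability))
    return i * t * v * 100

def risk_average(impact, threat, vulnerability):
    """Arithmetic average of the three attribute values, in percent."""
    i, t, v = map(to_value, (impact, threat, vulnerability))
    return (i + t + v) / 3 * 100

def band(percent):
    """Name the grade; a value above one bound (e.g. 25.4) falls into the next grade."""
    for upper, name in BANDS:
        if percent <= upper:
            return name
    raise ValueError(f"percentage above 100: {percent}")

def assess(register):
    """Return {asset: {method: (percent rounded to 2 places, grade)}}."""
    out = {}
    for asset, ratings in register.items():
        p, a = risk_product(*ratings), risk_average(*ratings)
        out[asset] = {"product": (round(float(p), 2), band(p)),
                      "average": (round(float(a), 2), band(a))}
    return out

# Constructed sample register: asset -> (impact, threat, vulnerability).
REGISTER = {"mail-gateway": ("high", "medium", "high"),
            "hr-database": ("high", "high", "high"),
            "intranet-wiki": ("low", "medium", 40)}

if __name__ == "__main__":
    for asset, result in assess(REGISTER).items():
        print(asset, result)
```

With every attribute expressed on a 0 to 1 scale, the product can never exceed the smallest of the three values, so the same ratings land in a lower grade under the product than under the average.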