Risk Rating

Calculating and Communicating Security Risk


What is Risk Rating?

Risk rating is the process of assigning a severity level to security risks so organizations can prioritize their response. Not all risks are equal — a critical vulnerability in a public-facing server needs immediate attention, while a low-severity issue on an isolated test system can wait.

Risk = Likelihood × Impact

The fundamental risk equation used across security frameworks

Two Key Factors

Likelihood: How probable is it that this risk will materialize? Consider threat actor capability, vulnerability exploitability, and existing controls.

Impact: If the risk occurs, what's the damage? Consider financial loss, reputation damage, regulatory penalties, and operational disruption.

Qualitative vs Quantitative

Qualitative Risk Assessment

  • Uses descriptive categories (Low, Medium, High, Critical)
  • Faster and easier to perform
  • Subjective — different analysts may rate differently
  • Good for initial triage and prioritization
  • Most common in day-to-day SOC operations

Quantitative Risk Assessment

  • Uses numerical values and dollar amounts
  • More precise but requires more data
  • Objective — based on actual metrics
  • Better for executive reporting and budgeting
  • Uses formulas like ALE = SLE × ARO
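The quantitative side in working code, as an added example that is not part of the original page. ALE = SLE × ARO is the page's formula; SLE = asset value × exposure factor and the control-cost comparison are standard quantitative-assessment practice assumed here, and the function names and dollar figures are constructed for illustration.

```python
# Added example: quantitative risk arithmetic.
# ALE = SLE x ARO comes from the page. SLE = asset value x exposure factor and
# the control-cost comparison are standard practice assumed here; the sample
# figures are constructed.


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE: the expected loss from a single occurrence.

    exposure_factor is the fraction of the asset's value lost per event (0.0-1.0).
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO.

    aro is the annualized rate of occurrence; values below 1 mean "less often
    than once a year" (0.2 = once every five years).
    """
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def control_benefit(ale_before, ale_after, annual_control_cost):
    """Net annual value of a control: ALE reduction minus what the control costs.

    A positive result means the control pays for itself; this is the number an
    executive budget discussion turns on.
    """
    return (ale_before - ale_after) - annual_control_cost


def assess(asset_value, exposure_factor, aro, control_cost, aro_with_control):
    """Run the full calculation for one risk and one proposed control."""
    sle = single_loss_expectancy(asset_value, exposure_factor)
    ale = annualized_loss_expectancy(sle, aro)
    ale_after = annualized_loss_expectancy(sle, aro_with_control)
    return {
        "sle": sle,
        "ale": ale,
        "ale_with_control": ale_after,
        "net_benefit": control_benefit(ale, ale_after, control_cost),
    }


# Constructed sample: a customer database valued at $500,000 where a breach
# exposes 40% of that value, expected once every 5 years (ARO 0.2). A proposed
# control costs $15,000 per year and cuts the ARO to once in 20 years (0.05).
SAMPLE = assess(500_000, 0.4, 0.2, 15_000, 0.05)

if __name__ == "__main__":
    for key, value in SAMPLE.items():
        print(f"{key:>17}: ${value:,.0f}")
```

The output reads SLE $200,000, ALE $40,000, ALE with the control $10,000, and a net benefit of $15,000 per year, which is the kind of figure the page means by "better for executive reporting and budgeting".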

The Risk Matrix

A risk matrix visualizes the relationship between likelihood and impact. Rows are likelihood (Very High at the top, Very Low at the bottom) and columns are impact (Very Low on the left, Very High on the right); each cell gives the resulting risk level:

Likelihood \ Impact | Very Low | Low    | Medium | High     | Very High
Very High           | Medium   | High   | High   | Critical | Critical
High                | Low      | Medium | High   | High     | Critical
Medium              | Low      | Low    | Medium | High     | High
Low                 | Low      | Low    | Low    | Medium   | High
Very Low            | Low      | Low    | Low    | Low      | Medium

Interactive Risk Calculator

The calculator takes one likelihood level and one impact level, each on a 1-5 scale, and multiplies them to give a score from 1 to 25:

Likelihood: Very Low (1), Low (2), Medium (3), High (4), Very High (5)
Impact: Very Low (1), Low (2), Medium (3), High (4), Very High (5)

Score Interpretation

1-5 (Low): Accept or monitor. Address during normal maintenance cycles.
6-12 (Medium): Plan remediation. Address within 30-90 days.
13-19 (High): Prioritize remediation. Address within 7-30 days.
20-25 (Critical): Immediate action required. Address within 24-72 hours.
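The calculator and the matrix in working code, as an added example that is not part of the original page. The matrix cells and the score bands are copied from the page; the function names and the sample findings are constructed. Because the page gives both a numeric product and a hand-assigned matrix, the example also lists the cells where the two disagree (for instance Very High likelihood with Very Low impact scores 5, a Low band, while the matrix cell says Medium), which is worth knowing before a team uses the two side by side.

```python
# Added example: the page's 5x5 risk matrix and its numeric score bands side
# by side. Matrix cells and bands are from the page; function names and the
# sample findings below are constructed.

LEVELS = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}
IMPACT_ORDER = ["Very Low", "Low", "Medium", "High", "Very High"]

# Qualitative matrix: key = likelihood row, list = cells for impact
# Very Low .. Very High, exactly as the page's matrix reads.
MATRIX = {
    "Very High": ["Medium", "High", "High", "Critical", "Critical"],
    "High":      ["Low", "Medium", "High", "High", "Critical"],
    "Medium":    ["Low", "Low", "Medium", "High", "High"],
    "Low":       ["Low", "Low", "Low", "Medium", "High"],
    "Very Low":  ["Low", "Low", "Low", "Low", "Medium"],
}

# Score bands and response windows from the page's score interpretation.
BANDS = [
    (1, 5, "Low", "Accept or monitor; address during normal maintenance cycles"),
    (6, 12, "Medium", "Plan remediation; address within 30-90 days"),
    (13, 19, "High", "Prioritize remediation; address within 7-30 days"),
    (20, 25, "Critical", "Immediate action; address within 24-72 hours"),
]


def risk_score(likelihood, impact):
    """Numeric score = likelihood x impact on the 1-5 scales."""
    return LEVELS[likelihood] * LEVELS[impact]


def score_band(score):
    """Return (rating, action) for a numeric score in the 1-25 range."""
    for low, high, rating, action in BANDS:
        if low <= score <= high:
            return rating, action
    raise ValueError(f"score {score} is outside the 1-25 range")


def matrix_rating(likelihood, impact):
    """Qualitative cell for the given likelihood row and impact column."""
    return MATRIX[likelihood][IMPACT_ORDER.index(impact)]


def rate(likelihood, impact):
    """Both views of one finding: numeric score, its band, and the matrix cell."""
    score = risk_score(likelihood, impact)
    rating, action = score_band(score)
    return {
        "score": score,
        "score_rating": rating,
        "matrix_rating": matrix_rating(likelihood, impact),
        "action": action,
    }


def disagreements():
    """Cells where the page's matrix assigns a different level than the score band."""
    out = []
    for likelihood in MATRIX:
        for impact in IMPACT_ORDER:
            r = rate(likelihood, impact)
            if r["score_rating"] != r["matrix_rating"]:
                out.append((likelihood, impact, r["score"],
                            r["score_rating"], r["matrix_rating"]))
    return out


def triage(findings):
    """Order (name, likelihood, impact) findings by numeric score, highest first."""
    return sorted(findings, key=lambda f: risk_score(f[1], f[2]), reverse=True)


# Constructed sample findings: (name, likelihood, impact).
FINDINGS = [
    ("Unpatched vulnerability on public-facing web server", "High", "Very High"),
    ("Verbose error page on isolated test system", "Low", "Very Low"),
    ("Shared admin password on internal wiki", "High", "Low"),
]

if __name__ == "__main__":
    for name, lk, im in triage(FINDINGS):
        r = rate(lk, im)
        print(f"{r['score']:>2} {r['score_rating']:<8} matrix={r['matrix_rating']:<8} "
              f"{name}: {r['action']}")
    for cell in disagreements():
        print("band/matrix mismatch:", cell)
```

Running it prints the three findings in score order (20, 8, 2) followed by the eight matrix cells whose qualitative level does not match the numeric band; a team that adopts both tools should decide which one wins in those cells.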

Risk Rating Quiz

Test your understanding. You need 80% (4/5) to pass.

Q1. The fundamental risk equation is:
Risk = Threat + Vulnerability
Risk = Impact ÷ Likelihood
Risk = Likelihood × Impact
Risk = Threat × Control
Q2. A risk has HIGH likelihood but LOW impact. How would it typically be rated?
Critical
Medium
Low
Cannot be determined
Q3. Which type of risk assessment uses dollar values and precise metrics?
Quantitative
Qualitative
Subjective
Categorical
Q4. A CRITICAL risk should typically be addressed within:
6 months
30-90 days
7-30 days
24-72 hours
Q5. In a 5×5 risk matrix, a likelihood of 4 and impact of 5 would produce a risk score of:
9
20
45
25
