Cyber Risk Calculation

The document discusses a 5x5 risk matrix for assessing cyber risks through likelihood and severity scores. It provides examples of assigning likelihood and severity levels from 1 to 5 and using the matrix to calculate risk levels from 1 to 25. Risk levels between 1-3 are acceptable, 4-5 need further analysis, 8-12 need prompt review, and 15-25 are unacceptable and require immediate action.

Cyber Risk Calculation

A simple 5 x 5 matrix for smarter decisions
What are cyber risks?

Cyber risks are those threats and vulnerabilities that could negatively impact an organisation's assets, including data, hardware, software, and ongoing operations.
5 x 5 Risk Matrix

A 5 x 5 risk matrix combines a Likelihood score (how likely an incident or risk is to occur) with a Severity score (how serious its impact would be); the product of the two is the overall risk level.

Rows are Likelihood (1-5), columns are Severity (1-5). Each cell shows the product Likelihood x Severity and its colour label.

                              Severity
Likelihood   1           2           3           4           5
1            1 Low       2 Low       3 Low       4 Medium    5 Medium
2            2 Low       4 Medium    6 Medium    8 High      10 High
3            3 Low       6 Medium    9 High      12 High     15 Extreme
4            4 Medium    8 High      12 High     16 High     20 Extreme
5            5 Medium    10 High     15 Extreme  20 Extreme  25 Extreme
Likelihood

Also called probability, pertains to the extent of how likely it is for a risk to occur.

1. Rare – unlikely to happen and/or have minor or negligible consequences
2. Unlikely – possible to happen and/or to have moderate consequences
3. Moderate – likely to happen and/or to have serious consequences
4. Likely – almost sure to happen and/or to have major consequences
5. Almost certain – sure to happen and/or have major consequences

Example

If your data centre is located right next to an active volcano, you would probably want to say that the likelihood is almost certain, or at least likely, that there may be an adverse event that affects the data centre.

Severity

Also referred to as impact or consequence. The severity aims to determine the level of effect the risk can have on your organisation.

1. Insignificant – won't cause serious issues
2. Minor – can cause issues, only to a mild extent
3. Significant – can cause issues that may require immediate attention but limited treatment
4. Major – can cause irreversible issues requiring extensive attention
5. Severe – can result in devastating issues
Example

Coming back to that volcano example again.

If the prevention of lava taking down your data centre is not something you plan for, it would result in a very severe reaction or event for your data centre.

Calculating the risks

Likelihood x Severity = Risk Level

The first step is to assign a numeric value from 1 to 5 (1 being the lowest) to each of the categories under Likelihood and Severity. Multiplying the two values gives a risk level between 1 and 25.
Risk level

1-3: Acceptable – no further action may be needed, and maintaining control measures is encouraged

4-5: Adequate – may be considered for further analysis

8-12: Tolerable – must be reviewed promptly to carry out improvement strategies

15-25: Unacceptable – activities must cease and the risk must be escalated for immediate action
Risk level

You will notice that the 4x4, the high of 16, should probably be red or extreme.

It's almost a floating factor where some businesses will decide whether it is high or extreme based on the type of risk and the mitigating controls deployed.

That's up to you.
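The scoring above, carried through as an added example (this code is not part of the original slide deck): it returns the product, the colour label read from the matrix as drawn, and the action band from the slide's thresholds. The optional treat_16_as_extreme flag implements the remark about the 4 x 4 cell; escalating a score of 6 to the next band is an assumption made here, because the slide's bands (1-3, 4-5, 8-12, 15-25) do not cover it even though 2 x 3 = 6 is reachable.

```python
from dataclasses import dataclass

# Colour labels transcribed from the 5 x 5 matrix, indexed [likelihood-1][severity-1].
MATRIX = [
    ["Low",    "Low",    "Low",     "Medium",  "Medium"],
    ["Low",    "Medium", "Medium",  "High",    "High"],
    ["Low",    "Medium", "High",    "High",    "Extreme"],
    ["Medium", "High",   "High",    "High",    "Extreme"],
    ["Medium", "High",   "Extreme", "Extreme", "Extreme"],
]

# Action bands from the slide: (lowest score, highest score, band name).
BANDS = [(1, 3, "Acceptable"), (4, 5, "Adequate"),
         (8, 12, "Tolerable"), (15, 25, "Unacceptable")]


@dataclass(frozen=True)
class RiskRating:
    score: int
    label: str
    band: str


def rate_risk(likelihood: int, severity: int, treat_16_as_extreme: bool = False) -> RiskRating:
    """Score = likelihood x severity; label from MATRIX; band from BANDS."""
    if not (1 <= likelihood <= 5 and 1 <= severity <= 5):
        raise ValueError("likelihood and severity must be integers 1..5")
    score = likelihood * severity
    label = MATRIX[likelihood - 1][severity - 1]
    if treat_16_as_extreme and score == 16:
        label = "Extreme"  # the slide's "should probably be red or extreme" option
    band = next((b for lo, hi, b in BANDS if lo <= score <= hi), None)
    if band is None:
        # Assumption (not on the slide): a score with no band is escalated to the
        # next band up rather than silently accepted. Only 6 (2 x 3) hits this.
        band = "Tolerable (unmapped score, escalated)"
    return RiskRating(score, label, band)


def unmapped_scores() -> list[int]:
    """Reachable products of two 1..5 values that no band on the slide covers."""
    reachable = sorted({lk * sv for lk in range(1, 6) for sv in range(1, 6)})
    return [n for n in reachable if not any(lo <= n <= hi for lo, hi, _ in BANDS)]


if __name__ == "__main__":
    for lk, sv in [(5, 5), (4, 4), (2, 3), (1, 3)]:
        print(lk, sv, rate_risk(lk, sv))
    print("scores with no band:", unmapped_scores())
```

Running it shows the gap at score 6 and the 16 cell sitting in the Unacceptable band while the matrix still labels it High, which is exactly the inconsistency a reviewer should settle before the matrix is adopted.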
Implement risk management strategies

Once the risks have been accurately scored, you're going to implement strategies to manage and mitigate them.

This can include:

- Deploying technological solutions
- Implementing policies and procedures
- Conducting training and awareness programs for employees
Are you ready to tackle the complexities of the NIS2 directive and ensure your organisation's compliance?

Join our final NIS2 webinar in the series "NIS2 Compliance – How to prepare your organisation in 90 days".

Apr 11, 2024, 1 - 1.40 PM (CET)

Topics: Business Continuity and Disaster Recovery, Cryptography and Encryption, Incident Handling and Reporting

P.S. You missed webinar 1 & 2? No worries, you'll get the recordings.
