Risk quantification is based on the likelihood of each risk outcome occurring, and the impact that outcome might have. The quantified risk score is between 1 and 5, which is mapped to the risk categories Low, Medium, High, and Very high.

Likelihood is the probability a given risk outcome will occur.

The likelihood score is based on the combination of our Human cyber risk factors, which include Security behaviours, Knowledge and understanding, Attitude, Confidence, and more.

Likelihood is represented as a score between 1 and 5, which are mapped to the likelihood categories Remote, Unlikely, Possible, Likely

Impact is the extent to which a risk outcome might affect the organisation.

For each of the risk outcomes there are three impact factors we include in the impact score calculation.

Impact is represented as a score between 1 and 5, which are mapped to the likelihood categories Minor, Moderate, Major, Extreme

Expected monetary loss uses a numeric value to indicate the relative financial impact resulting from the occurrence of a risk outcome. It helps contextualise the impact and is critical to the calculation of risk.

The score for Expected monetary loss is from 1 to 4 and is mapped to the monetary range below.

The level of effort to remediate is determined by things such as security posture, security team expertise and capacity, or even organisational structure.

The score for Expected level of effort is from 1 to 4 and is mapped to the amount of relative effort required.

This level of disruption/discomfort may be determined by things such as a sensitive business context, number of jurisdictions likely to be affected, or the level of public visibility and exposure.

The score for Expected level of disruption ranges from 1 to 4 and is mapped to the amount of relative disruption/discomfort you might experience.

Each risk outcome has its own impact score that is based on the three impact factors of expected monetary loss, expected level of effort, and expected level of disruption shown above.

In the Risk outcome reports, impact can be seen on the risk outcome banner.

The impact factors are customisable, each with a value between 1 and 4. There is a guide for this at the end of this article.

The three impact factor values are multiplied together to create an combined score between 1 (1x1x1) and 64 (4x4x4).

The combined score is mapped using the below chart to determine the impact score (1 to 5) and impact category (Minor, Moderate, Major, Extreme)

Each impact factor for each risk outcome is customisable. Until you change them, we have the default settings that give a Major impact category.

The default impact settings

Impact settings can only be changed by someone with an Admin role.

You’ll find the Impact settings page by navigating in the left hand menu Reports > Risk, then clicking the Impact settings tab.

Choose the risk outcome you want to change the impact settings for using the dropdown menu.

You can use either the slider or the text box to set each impact factor to a number between 1 and 4.

You will see the Impact category at the bottom of the section will change to show the category based on the settings.

Save the changes you want to apply to the risk outcome score by clicking the green 'Apply' button.

This will immediately change the risk outcome score and is applied retrospectively. You can change the impact settings as much as you want without making peaks and dips in the risk scores over time charts.

Assessing risk impact is highly subjective to your organisation. We recommend that you speak with the risk professionals in your organisation for their input on how to assess human cyber risk impact. Reach out to us for support if you aren’t able to speak with risk professionals.