All Collections
Risk reports
Risk quantification impact settings
Risk quantification impact settings

Explains how we quantify risk & how to adjust your impact settings

Updated over a week ago

Human cyber risk quantification

Risk quantification is based on the likelihood of each risk outcome occurring, and the impact that outcome might have. The quantified risk score is between 1 and 5, which is mapped to the risk categories Low, Medium, High, and Very high.


Likelihood is the probability a given risk outcome will occur.

The likelihood score is based on the combination of our Human cyber risk factors, which include Security behaviours, Knowledge and understanding, Attitude, Confidence, and more.

Likelihood is represented as a score between 1 and 5, which are mapped to the likelihood categories Remote, Unlikely, Possible, Likely


Impact is the extent to which a risk outcome might affect the organisation.

For each of the risk outcomes there are three impact factors we include in the impact score calculation.

Impact is represented as a score between 1 and 5, which are mapped to the likelihood categories Minor, Moderate, Major, Extreme

Expected monetary loss

Expected monetary loss uses a numeric value to indicate the relative financial impact resulting from the occurrence of a risk outcome. It helps contextualise the impact and is critical to the calculation of risk.

The score for Expected monetary loss is from 1 to 4 and is mapped to the monetary range below.

  1. Less than $10,000

  2. Between $10,000 and $99,999

  3. Between $100,000 and $999,999

  4. Over $1,000,000

Expect level of effort

The level of effort to remediate is determined by things such as security posture, security team expertise and capacity, or even organisational structure.

The score for Expected level of effort is from 1 to 4 and is mapped to the amount of relative effort required.

  1. None

  2. Very little

  3. A fair amount

  4. A lot

Expected level of disruption/discomfort

This level of disruption/discomfort may be determined by things such as a sensitive business context, number of jurisdictions likely to be affected, or the level of public visibility and exposure.

The score for Expected level of disruption ranges from 1 to 4 and is mapped to the amount of relative disruption/discomfort you might experience.

  1. None

  2. Very little

  3. A fair amount

  4. A lot

Impact scores

Each risk outcome has its own impact score that is based on the three impact factors of expected monetary loss, expected level of effort, and expected level of disruption shown above.

In the Risk outcome reports, impact can be seen on the risk outcome banner.

The impact factors are customisable, each with a value between 1 and 4. There is a guide for this at the end of this article.

The three impact factor values are multiplied together to create an combined score between 1 (1x1x1) and 64 (4x4x4).

The combined score is mapped using the below chart to determine the impact score (1 to 5) and impact category (Minor, Moderate, Major, Extreme)

Changing impact settings

Each impact factor for each risk outcome is customisable. Until you change them, we have the default settings that give a Major impact category.

The default impact settings

  • Expected monetary loss - 3 ($100k to $1 million)

  • Expected level of effort - 2 (Very little)

  • Expected level of disruption - 2 (Very little)

Impact settings can only be changed by someone with an Admin role.

Step by step guide

1. Go to the Impact settings page

You’ll find the Impact settings page by navigating in the left hand menu Reports > Risk, then clicking the Impact settings tab.

2. Select the risk outcome

Choose the risk outcome you want to change the impact settings for using the dropdown menu.

3. Change the impact factor values

You can use either the slider or the text box to set each impact factor to a number between 1 and 4.

You will see the Impact category at the bottom of the section will change to show the category based on the settings.

4. Save your changes

Save the changes you want to apply to the risk outcome score by clicking the green 'Apply' button.

This will immediately change the risk outcome score and is applied retrospectively. You can change the impact settings as much as you want without making peaks and dips in the risk scores over time charts.

Impact setting guidance

Assessing risk impact is highly subjective to your organisation. We recommend that you speak with the risk professionals in your organisation for their input on how to assess human cyber risk impact. Reach out to us for support if you aren’t able to speak with risk professionals.

Still have questions?

If you still have questions, you can contact the CybSafe team via We’re on hand to help resolve any further issues!

Did this answer your question?