ROI of IT Security

New Qualitative Model Helps Measure Security Risk Reduction

23.10.2003
By Phebe Waterfield

The vulnerabilities we identified for this network are associated with the controls we use primarily for ensuring the integrity and availability of our network. We also identified these as our greatest risks in Step 1.

Step 4: Adjust controls

Identify risk-mitigation steps or opportunities for further risk reduction. In our example, we propose the following risk-mitigation steps to complement existing controls and further reduce our greatest risks:

Step 5: Estimate ROR

A basic ROR calculation for vulnerability intelligence services uses the potential loss amounts from Step 1 and estimated values for control effectiveness.

The absolute estimates for control effectiveness don't actually affect the ROR result; ROR is a function of potential loss and the change in control effectiveness. If the proposed controls are 20 percent more effective at addressing risks, the reduction of risk is 20 percent of the potential loss amount (see Exhibit 2).

We estimate that adding a new control, vulnerability intelligence, will increase the effectiveness of our integrity and availability controls by 20 percent. This translates to a 20 percent reduction in downtime, a 20 percent decrease in virus infections, or a 20 percent reduction in time spent patching or fighting virus infection. These metrics can be used to validate this calculation and verify that we have reduced risk.
