The management of our fictional hospital has decided to change the standard OWASP risk rating. When looking at the business impact factors, they noticed that privacy violations and non-compliance are two different parameters. After some discussion, it is agreed upon that the privacy concern requirements are mainly covered in several pieces of legislation such as GDPR (in Europe) and HIPAA (in the USA), and that most of the impact is in the reputation damage and the potential fines that need to be paid.
The resulting risk calculation will therefore document that privacy violations are scored through the existing parameters, and a new parameter is added in place of the privacy violation parameter. The rationale is that ‘the safety and health of patients will always take precedence over their privacy’.
This new category now needs a scoring system. The scoring for privacy violations (one individual [3], hundreds of people [5], thousands of people [7], millions of people [9]) does not translate well to safety and health problems.
A better scoring would be:
- One person has minor discomfort (1)
- One person has a minor health impact (3)
- Multiple people have a minor health impact (5)
- One or more people have a major health impact (7)
- One or more people die (9)
Of course, minor and major health impact need to be clearly defined; for example, a minor health impact causes no permanent damage and requires no treatment period longer than two weeks. A major health impact is anything that does not cause death and is not covered by the minor impact definition.
The scoring scale and the definitions need to be set by the hospital, and a clear rationale for those choices needs to be documented.
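The following is an added worked example, not part of the original text and not an official OWASP artefact. It encodes the hospital's five-step safety and health scale from the list above as a lookup, keeps the other three OWASP business impact factors (financial damage, reputation damage, non-compliance) on their usual 0–9 scale, and averages the four factors the way the standard OWASP Risk Rating Methodology does, then maps the score to LOW/MEDIUM/HIGH and combines it with likelihood in the standard OWASP matrix. The function names (`safety_score`, `business_impact`, `rating`, `overall_risk`) and the two scenarios are assumptions made for illustration. Note that the scale as written defines "minor discomfort" only for a single person; the code refuses combinations the scale does not cover rather than guessing a value, which is exactly the kind of gap the hospital's documented rationale should close.

```python
"""Hospital variant of OWASP business-impact scoring (added illustration, not OWASP's code)."""
from statistics import mean

# Severity levels for the hospital's replacement factor, as listed in the text.
SEVERITIES = ("discomfort", "minor", "major", "death")


def safety_score(people: int, severity: str) -> int:
    """Map (number of people affected, severity) onto the hospital's 1/3/5/7/9 scale."""
    if people < 1:
        raise ValueError("at least one person must be affected")
    if severity == "death":
        return 9                      # one or more people die
    if severity == "major":
        return 7                      # one or more people, major health impact
    if severity == "minor":
        return 5 if people > 1 else 3  # multiple (5) vs one person (3)
    if severity == "discomfort":
        if people == 1:
            return 1                  # one person, minor discomfort
        # The scale in the text has no entry for several people with discomfort;
        # refuse rather than invent a value (the hospital must extend the scale).
        raise ValueError("scale does not define discomfort for more than one person")
    raise ValueError(f"unknown severity {severity!r}; expected one of {SEVERITIES}")


def _check_0_to_9(name: str, value: int) -> None:
    if not 0 <= value <= 9:
        raise ValueError(f"{name} must be between 0 and 9, got {value}")


def business_impact(financial: int, reputation: int, non_compliance: int,
                    safety: int) -> float:
    """Average of the four business impact factors (OWASP style), with
    safety/health replacing the standard privacy-violation factor."""
    for name, value in (("financial", financial), ("reputation", reputation),
                        ("non_compliance", non_compliance), ("safety", safety)):
        _check_0_to_9(name, value)
    return mean([financial, reputation, non_compliance, safety])


def rating(score: float) -> str:
    """OWASP banding of a 0-9 score: <3 LOW, 3-<6 MEDIUM, 6-9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# Standard OWASP overall-risk matrix: (likelihood rating, impact rating) -> severity.
_MATRIX = {
    ("LOW", "LOW"): "Note",       ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",     ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium",    ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def overall_risk(likelihood_rating: str, impact_rating: str) -> str:
    return _MATRIX[(likelihood_rating, impact_rating)]


# Constructed scenarios (values are assumptions, chosen to show the shift in priority):
# 1) a records leak: reputation and fines carry the privacy damage, no health effect beyond
#    discomfort for one person;
# 2) an outage that delays treatment for several patients with a major health impact,
#    but exposes no data.
SCENARIOS = {
    "records_leak": dict(financial=5, reputation=7, non_compliance=7,
                         safety=safety_score(1, "discomfort")),
    "treatment_delay": dict(financial=3, reputation=5, non_compliance=2,
                            safety=safety_score(4, "major")),
}


def scenario_rating(name: str, likelihood: float = 4.0) -> tuple[float, str, str]:
    """Return (impact score, impact rating, overall risk) for a named scenario."""
    score = business_impact(**SCENARIOS[name])
    impact = rating(score)
    return score, impact, overall_risk(rating(likelihood), impact)


if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, scenario_rating(name))
```

With the same medium likelihood for both, the records leak averages to 5.0 (MEDIUM impact, Medium overall) and the treatment delay to 4.25 (MEDIUM impact, Medium overall); had the treatment delay been scored on the standard privacy-violation factor instead (no data exposed, so 0), it would have averaged 2.5 and dropped to LOW impact, which is the prioritisation change the hospital's rationale is meant to produce.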