2. Assess
Learn how to assess risk in Dastra.
Dernière mise à jour
Learn how to assess risk in Dastra.
Dernière mise à jour
Based on the elements you've identified in the risk type and the asset context, you now need to assess the risk.
This assessment is based on probability and impact.
Determining the risk scale
To assess risk, we need to position these two values on a scale. This is the risk scale. This scale is generally based on 5 levels. In France, the Ebios method (promoted by the CNIL and ANSSI in particular) uses a 4-level scale.
For each level, a condition of application must be determined. The scale may correspond to a financial amount, for example (in terms of impact).
Dastra's scale can be customized. You can modify it by going to the workspace settings (note that only the administrator has access).
Probability (likelihood)
Probability is an evaluation of the frequency of occurrence of a risk. It is an empirically evaluated score (traditionally rated out of 5). Each risk level can correspond to a frequency of occurrence of the risk (and therefore of the threat).
Impact (severity)
The impact corresponds to the evaluation of the consequence of a feared event on the company. It is the severity of this consequence that is estimated.
Depending on the assessed risk, this impact may vary. This assessment can be estimated empirically. For example, by estimating the cost of a data leak or data unavailability following a computer attack. Event logs can help to put these past experiences into practice.
If we're talking about risks concerning individuals (in the context of the GDPR, for example), the impact will correspond to the harm suffered by the people concerned and the infringement of their rights and freedoms. We've already mentioned discrimination, the refusal of a contract, an inconvenience.
We can assume that assessment is always contextual.
However, a methodology published by the CNIL for conducting privacy impact assessments provides a grid for reading the scale of risks.
Here is the table proposed by the CNIL in its PIA guide:
Negligible
The people concerned will not be affected, or may experience some inconvenience, which they will be able to overcome without difficulty.
-Lack of adequate care for a non-autonomous person (minor, person under guardianship)
- Transient headaches
-Time wasted repeating procedures or waiting for them to be completed - Receipt of unsolicited mail (e.g. spam) - Reuse of data published on websites for targeted advertising purposes (information from social networks reused for a paper mailing) - Targeted advertising for everyday consumer products
-Simple annoyance at information received or requested - Fear of losing control of one's data - Feeling of invasion of privacy without any real or objective harm (e.g. commercial intrusion) - Loss of time setting up one's data - Non-respect of freedom to come and go online due to refusal of access to a commercial site (e.g. alcohol due to incorrect age).
Limited
The people concerned could experience some significant inconvenience, which they will be able to overcome despite a few difficulties.
-Minor physical ailment (e.g. benign illness due to non-compliance with contraindications) - Lack of care causing minimal but real harm (e.g. disability) - Defamation giving rise to physical or psychological reprisals
-Unscheduled payments (e.g.: incorrectly assigned fines), additional costs (e.g.: agios, legal fees), non-payment - Denial of access to administrative or commercial services - Lost convenience opportunities (e.g.: cancellation of leisure activities, purchases, vacations, closure of an online account) - Missed professional promotion - Account for online services blocked (e.g.: games, administration) - Receipt of targeted mailings Lost opportunities for comfort (e.g.: cancellation of leisure activities, purchases, vacations, closure of an online account) - Missed professional advancement - Account blocked for online services (e.g.: games, administration) - Receipt of unsolicited targeted mail likely to damage the reputation of the persons concerned - Increased costs (e.g.: increase in the price of insurance). Processing of erroneous data, e.g. creating account malfunctions (bank, customer, social security, etc.) - Targeted online advertising on a private aspect that the individual wished to keep confidential (e.g. pregnancy advertising, pharmaceutical treatment) - Inaccurate or abusive profiling.
-Refusal to continue using information systems (whistleblowing, social networks) - Minor but objective psychological harm (defamation, reputation) - Relationship difficulties with personal or professional contacts (e.g. image, tarnished reputation, loss of recognition) - Feeling of invasion of privacy without irremediable harm - Intimidation on social networks
Important
The people concerned could experience significant consequences, which they should be able to overcome, but with real and significant difficulties
-Serious physical condition causing long-term damage (e.g. worsening of health condition due to poor treatment or failure to comply with contraindications) - Alteration of physical integrity, e.g. as a result of an assault, domestic accident, work accident, etc.
-Non-compensated embezzlement - Non-temporary financial difficulties (e.g.: obligation to take out a loan) - Targeted, one-off, non-recurring opportunities lost (e.g.: real estate loan, refusal of studies, internships or employment, exam ban) - Bank ban Targeted, one-off, non-recurring lost opportunities (e.g. home loan, refusal of studies, internships or jobs, exam ban) - Bank ban - Damage to property - Loss of home - Loss of job - Separation or divorce - Financial loss following a scam (e.g. after a phishing attempt) - Blocked abroad - Loss of customer data
-Serious psychological condition (e.g. depression, development of a phobia) - Feeling of invasion of privacy and irremediable harm - Feeling of vulnerability following a summons - Feeling of infringement of fundamental rights (e.g. discrimination, freedom of expression) - Victim of blackmail - Cyberbullying and mobbing
4. Maximale
The people concerned could experience significant, even irremediable, consequences that they may not be able to overcome.
-Long-term or permanent physical ailment (e.g. following non-compliance with a contraindication) - Death (e.g. murder, suicide, fatal accident) - Permanent impairment of physical integrity
-Financial peril - Substantial debts - Inability to work - Inability to relocate - Loss of evidence in litigation - Loss of access to vital infrastructure (water, electricity)
-Long-term or permanent psychological condition - Criminal sanction - Abduction - Loss of family ties - Inability to take legal action - Change in administrative status and/or loss of legal autonomy (guardianship)
On this scale, the following contextual elements must be taken into account:
the identifying nature of the data ;
the nature of the sources of risk ;
the number of interconnections (in particular with other countries) ;
the number of recipients (which facilitates the correlation of initially separate data).
To assess probability, the CNIL suggests the following scale:
Negligible
it doesn't seem possible that the sources of risk selected can carry out the threat by relying on the characteristics of the media (e.g.: theft of paper media stored in an organization's premises, access to which is controlled by badge and access code).
Limited
it seems difficult for the selected risk sources to realize the threat based on the media's characteristics (e.g.: theft of paper media stored in an organization's premises to which access is controlled by badge).
Important
for the selected risk sources, it seems possible to achieve the threat by relying on the characteristics of the media (e.g. theft of paper media stored in the offices of an organization to which access is controlled by a receptionist).
Maximal
it seems extremely easy for the selected risk sources to carry out the threat based on the characteristics of the media (e.g.: theft of paper media stored in the organization's public hall).
On this scale, the following contextual elements need to be taken into account:
whether the system is open to the Internet or closed;
whether or not data is exchanged with other countries;
interconnections with other systems or no interconnections at all;
system heterogeneity or homogeneity;
system variability or stability;
the organization's image.