Grand Duchy of Luxembourg
Advice & Guidance
Basic criteria for risk analysis

Basic criteria for risk analysis

In Brief

When defining the context in which risk management will be carried out, it will be a matter of establishing basic criteria, which will serve both to analyse the risks of the organisation, and of proposing treatment solutions.

The Threats


One of the ways to define the basic criteria at the threat level is to define a probability scale which will depend on the context, as can be seen in the following example:

Basic threat criteria:

Level Comment Periodicity
1 Very unlikely: never happened, need for a high level of expertise, or very expensive to implement. > 30 years
2 Improbable: may have already occurred, a rare phenomenon or requiring a good level of expertise or costly to implement. > 10 years
3 May happen from time to time > 5 years
4 Very easy to implement, no investment or special expertise needed at least every years

The Vulnerabilities


By defining the basic criteria of vulnerabilities, we determine the ease of exploitation of vulnerabilities by threats.

Basic criteria for vulnerabilities:

Level Comment
0 Low vulnerability, effective measures are in place
1 Medium vulnerability, measures are in place but may be insufficient
2 High vulnerability, no effective protective measures are in place, or they are poorly adapted

The Impacts

To define the basic criteria of impacts, we use a categorisation of different levels of impact. These criteria can also be determined according to the security objective, i.e. in relation to confidentiality, integrity, or even in relation to the availability of the assets. See also the criteria for classifying assets with different scales. It is up to the organisation to choose its approach in risk analysis. The greater the maturity of the organisation, the more detailed the scales can be used.

Basic criteria for impacts:

Level Wording Financial losses (k€) Legal Image loss Social, Privacy Comment
1 Insignificant impact. < 1 Internal sanctions Occasional complaints Disclosure of insensitive personal data Incurs small fees, or will not be noticed externally
2 Minor impact 1 - 10 Legal actions Occasional media criticism Temporary damage to reputation Significant costs, visible from an external point of view
3 Serious impact 10 - 100 Conviction of the Authority Serious media criticism Serious damage to integrity or reputation Significant costs are incurred to address the situation
4 Vital impact > 100 International condemnation of the Authority Final alteration Loss of human life/Serious damage to reputation Major disturbance for the citizen, but there is no danger to the survival of the organisation

The Risk

Basic risk criteria:

Threat + Vulnerability
1 2 3 4 5 6
I M P A C T S 1 1 2 3 4 5 6
2 2 4 6 8 10 12
3 3 6 9 12 15 18
4 4 8 12 16 20 24

Here, we define a significant risk, which value is between 6 and 11 (orange area). These are risks that should be addressed.

Critical risks with a value greater than 12 (red zone) must be addressed. If an organisation turns out to have different levels of acceptance of confidentiality, integrity or availability risks, a specific security objective can be defined and different thresholds can be determined.