Risk Scoring
Not all threats are equal. Risk scoring helps you prioritise which threats to fix first by combining two dimensions: how likely the threat is to be exploited, and how severe the outcome would be.
The Risk Formula
Risk Score = Likelihood × Impact
Both Likelihood and Impact are scored on a 1–5 scale. The resulting score (1–25) determines the risk level.
| Score | Risk Level |
|---|---|
| 20–25 | Critical — Remediate immediately |
| 12–19 | High — Address in the current sprint or release |
| 6–11 | Medium — Plan for the next quarter |
| 3–5 | Low — Track and review periodically |
| 1–2 | Informational — Acknowledge and monitor |
Likelihood
Likelihood measures how probable it is that a threat will be successfully exploited against your system.
| Score | Label | Guidance |
|---|---|---|
| 1 | Very Low | Requires nation-state-level capability; no known exploit exists |
| 2 | Low | Requires significant expertise and targeted effort |
| 3 | Medium | Known vulnerability class; tools available; moderate skill required |
| 4 | High | Easily exploitable using publicly available tools |
| 5 | Very High | Already being actively exploited; trivial to attempt |
Factors That Increase Likelihood
- The vulnerability is public knowledge (CVE, bug bounty, writeup)
- The attack is fully automated (credential stuffing bots, scanners)
- The system is internet-facing with no authentication layer
- The attacker has insider knowledge or access
Factors That Decrease Likelihood
- The vulnerability requires physical access or an insider threat
- The system is not publicly accessible (internal-only, VPN-gated)
- Multiple independent defences must be bypassed
- The attack requires custom tooling and significant skill
Impact
Impact measures how severe the consequences would be if the threat were successfully exploited.
| Score | Label | Guidance |
|---|---|---|
| 1 | Negligible | Minimal disruption; no sensitive data exposed; fully recoverable |
| 2 | Minor | Limited impact on a small number of users; no regulatory breach |
| 3 | Moderate | Significant disruption or data exposure for some users; possible regulatory notification |
| 4 | Major | Large-scale data breach or outage; regulatory penalties; significant reputational damage |
| 5 | Critical | Catastrophic — business-threatening breach, complete system compromise, or safety impact |
Factors That Increase Impact
- Sensitive personal data (PII, health records, financial data) is exposed
- The breach affects all users, not just a subset
- The system is critical infrastructure (payment processing, healthcare, utilities)
- Recovery requires significant time or cost
- Regulatory fines, legal liability, or public disclosure are required
Factors That Decrease Impact
- Data is anonymised or pseudonymised before storage
- Backups allow rapid recovery
- Affected functionality can be isolated and shut down
- Only non-sensitive, non-personal data is exposed
Risk Acceptance
Not every risk will be mitigated. Teams can choose one of four responses to each identified threat:
| Response | When to Use |
|---|---|
| Mitigate | Implement a control to reduce likelihood or impact |
| Accept | Risk is within the organisation’s risk appetite; no action taken |
| Transfer | Move the risk to a third party (insurance, outsourcing) |
| Avoid | Remove the feature or capability that introduces the risk |
Risk acceptance should be an explicit, documented decision — not the default outcome of not getting around to fixing something.
Prioritisation in Practice
When you have many threats, use the risk score to prioritise. A practical approach:
- Fix Critical and High risks immediately — these represent clear and present danger
- Plan Medium risks — address in the next sprint cycle or quarterly planning
- Track Low risks — add to the security backlog; re-evaluate periodically
- Document accepted risks — ensure a responsible person has consciously accepted them
Threat counts at each severity level can be found in the Final Report section of the threat modelling tool.
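The formula and banding above, together with the prioritisation and risk-acceptance steps, can be turned into a small scoring routine. The following is an added example written for this page; it is not code from the threat modelling tool. The `Threat` dataclass, its `owner` field, and the sample register are assumptions made here to show the checks a reviewer would want: scale inputs are rejected outside 1–5, every score lands in exactly one band, threats are ordered highest score first, per-level counts are produced, and any threat marked Accept without a named owner is flagged as an acceptance by default rather than by decision.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Banding from the page: inclusive score ranges of Likelihood x Impact.
RISK_LEVELS = [
    (20, 25, "Critical"),
    (12, 19, "High"),
    (6, 11, "Medium"),
    (3, 5, "Low"),
    (1, 2, "Informational"),
]

# The four responses from the Risk Acceptance table.
RESPONSES = {"Mitigate", "Accept", "Transfer", "Avoid"}


def risk_score(likelihood: int, impact: int) -> int:
    """Risk Score = Likelihood x Impact. Both inputs must be on the 1-5 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        # bool is a subclass of int, so check the exact type as well as the range
        if type(value) is not int or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Map a 1-25 score onto the page's risk-level bands."""
    for low, high, label in RISK_LEVELS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside the 1-25 range")


@dataclass(frozen=True)
class Threat:
    """One identified threat with its scoring and chosen response (hypothetical model).
    'owner' records who accepted the risk and is expected whenever response is Accept."""
    name: str
    likelihood: int
    impact: int
    response: str
    owner: Optional[str] = None

    def __post_init__(self) -> None:
        if self.response not in RESPONSES:
            raise ValueError(f"unknown response {self.response!r}")
        risk_score(self.likelihood, self.impact)  # validates the scales at construction

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


def prioritise(threats: List[Threat]) -> List[Threat]:
    """Highest score first; ties broken by name so the order is stable and reviewable."""
    return sorted(threats, key=lambda t: (-t.score, t.name))


def counts_by_level(threats: List[Threat]) -> Dict[str, int]:
    """Threat counts per severity level, with every band present even when zero."""
    counts = Counter(t.level for t in threats)
    return {label: counts.get(label, 0) for _, _, label in RISK_LEVELS}


def undocumented_acceptances(threats: List[Threat]) -> List[str]:
    """Threats marked Accept with no named owner: acceptance by default, not by decision."""
    return [t.name for t in threats if t.response == "Accept" and not t.owner]


# Constructed sample register (hypothetical threats, not taken from any real system).
SAMPLE_THREATS = [
    Threat("Unauthenticated admin endpoint reachable from the internet", 5, 4, "Mitigate"),
    Threat("Stale contractor account with broad permissions", 3, 4, "Mitigate"),
    Threat("Debug endpoint reachable on the internal network only", 2, 3, "Accept"),
    Threat("Verbose stack traces on error pages", 4, 1, "Accept", owner="app-team-lead"),
    Threat("Legacy CSV export with unbounded result size", 3, 3, "Avoid"),
]

if __name__ == "__main__":
    for t in prioritise(SAMPLE_THREATS):
        print(f"{t.score:>2} {t.level:<13} {t.response:<8} {t.name}")
    print(counts_by_level(SAMPLE_THREATS))
    print("accepted without owner:", undocumented_acceptances(SAMPLE_THREATS))
```

Because every product of two values in 1–5 falls inside one of the five bands, `risk_level` never reaches its final `raise` for a score produced by `risk_score`; the guard only catches scores fed in from elsewhere. The `undocumented_acceptances` check is the mechanical form of the page's rule that acceptance must be an explicit, documented decision.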
Limitations of Quantitative Scoring
The 1–5 scales are subjective. Two analysts scoring the same threat may arrive at different numbers. This is normal and expected.
The value of scoring is not precision — it’s relative prioritisation. A threat scored 20 should receive more attention than one scored 6, regardless of whether those exact numbers are correct.
For more rigorous quantitative risk analysis, consider FAIR (Factor Analysis of Information Risk) for high-stakes decisions.