Anyone who has studied for the CISSP exam knows that the "textbook" definition of risk scoring is Risk = Likelihood x Impact. Typically, the Likelihood and Impact values are represented by ordinal numbers, which are mapped to some qualified value. We then use a matrix to represent the intersection of these values in order to obtain a final risk score. Some organizations will use a 3x3 matrix. Some may use a 10x10. Here at SimpleRisk, we've seen just about every combination you could imagine in between, but the most common scenario is a matrix with five Likelihood values and five Impact
As the Information Security Program Owner at National Instruments, I spent years contemplating the answer to a question that has been around since the dawn of "the cloud":
As the Information Security Program Owner at National Instruments, a $1.4B global enterprise, I've spent the past decade building a risk management program from the ground up. As I shared in my Founder's Story, I struggled in the early days with defining what our program would look like, and especially around the tooling I would use, but it wasn't long before I was able to demonstrate the value of risk management to the organization. SimpleRisk quickly became our de facto tool of choice and, as my knowledge increased and my co