Anyone who has studied for the CISSP exam knows that the "textbook" definition of risk scoring is Risk = Likelihood x Impact. Typically, the Likelihood and Impact values are represented by ordinal numbers, which are mapped to some qualified value. We then use a matrix to represent the intersection of these values in order to obtain a final risk score. Some organizations will use a 3x3 matrix. Some may use a 10x10. Here at SimpleRisk, we've seen just about every combination you could imagine in between, but the most common scenario is a matrix with five Likelihood values and five Impact

When I first released SimpleRisk as a free and open source risk management tool at the BSides Austin conference back in March of 2013, it was because I created something that was useful to me, in my risk management program, and I thought that it might prove useful to others as well. At the time, the only options that I had were Excel spreadsheets, which didn't scale, or purchasing a bloated and expensive GRC solution. At the time, it was all of three PHP web pages: one to submit your risks, one to view and edit the risk you'd just submitted, and one to show you all of the risks in the sys
