Frequency Risk Factors

Risk Factors are estimable values that are correlational but may not be directly causal to the risk. An increase in a risk factor may not directly drive an increase in the risk but is indicative of an increase of the risk and will be useful for better informing expert estimation of the overall risk. A positively correlated risk factor increases as the risk increases.

Frequency risk factors are relevant to the estimation of the frequency, or likelihood, by which a risk is expected to occur.

External Frequency Risk Factors

External Frequency Risk Factors are risk factors that are outside of your scope of control that may affect frequency of the risks you manage.

These are stated as questions to ask yourself or your organisation. The ability to estimate or measure these risk factors will vary between organisations.

• Will an attacker attack us?
• Will an attacker attack our supplier/s?
• Does an attacker have the ability to attack us?
• Are there any hacking campaigns targeting our sector?
• Are there any hacking campaigns targeting our geography?
• Are the tools / knowledge required to attack us readily available?
• Has there been any change in staff stressors (financial, emotional, medical, etc)?
• Have any of the suppliers we trust been compromised?
• How easy is it to impersonate our suppliers’ staff or company?
• How aware of security are our suplliers’ staff?
• How quickly do our suppliers patch their systems?
• Do our suppliers have effective governance of security?

Internal Frequency Risk Factors

Internal Frequency Risk Factors are risk factors that are within your scope of control and that may affect the frequency of the risks you manage. These are factors that can be subject to an internal control.

• Will an attacker be successful a exploiting a vulnerability?
• How many software or architecture flaws do we have in our code or systems?
• How many unpatched and unmitigated vulnerabilities are there in third-party software we rely upon?
• How quickly can we patch software flaws in our systems?
• How many unsupported systems do we operate?
• How many suppliers do we trust?
• How exposed are our systems to exploitation?
• How quickly does our movers and leavers processes, for our Identity & Access Management, operate?
• How aware of security are our staff?
• How easy is it to impersonate our staff or our company?
• How often do we assure the effectiveness of our security controls and processes?
• Can we detect changes in staff stressors (financial, emotional, medical etc) and intervene effectively?
• Do our security staff have appropriate training and skills?
• Do we have enough security staff to meet our needs?