Process 4: Establish Criteria that will be used to Evaluate Threats, Vulnerabilities and Controls

Step 1: Determine the criteria to establish for evaluating threat probability and impact.

Before starting Phase 1, establish the criteria that will be used to evaluate the probability that each threat identified in Process 3, Step 1 will exploit an asset vulnerability and the institutional impact if the exploit is successful. The evaluation criteria established in this step will be used in Phase 1 to collect information about relevant threats to the institution's critical IT assets.

As the institution examines threats, threat agents and motives, it will make decisions about the relative probability and impact of the threats. Grouping threat probability and impact evaluations will simplify both data collection and analysis. Due to resource limitations, an institution will likely address only the most likely threats and those with the greatest impact. Therefore, it makes sense to limit the number of threat probability and impact evaluation groups to no more than five, but at least two. Three groups are usually sufficient.

Here is an example of evaluation groups for threat probability:

Probable: Threat agent and motive exist and will likely exploit a vulnerability.

Possible: Threat agent and motive exist, but are not likely to exploit a vulnerability.

Unlikely or Not Applicable: Threat agents and motives are nonexistent or rare, so little or no threat danger exists.

Impact should be considered for any threat that is possible or probable. Relating threat impact to the institution's academic and business goals will help those evaluating risk. Common goals for educational institutions include:

  • Education
  • Research
  • Extension
  • Enrollment
  • Donations
  • Grants
  • Scholarships
  • Intellectual property
  • Excellence
  • Productivity

Here is an example of evaluation groups for threat impact:

Significant: If the threat exploits a critical asset vulnerability, it could have a major impact on the academic or business goals of the institution.

Moderate: If the threat exploits a critical asset vulnerability, it could have a noticeable, but not significant, impact on the goals of the institution.

Low: If the threat exploits a critical asset vulnerability, the impact on the goals of the institution will be negligible or non-existent.

Step 2: Determine the criteria to establish for evaluating vulnerabilities and the implementation status of controls that protect against vulnerabilities.

Before starting Phase 1, establish the criteria that will be used to evaluate vulnerabilities and controls that were identified in Process 3, Step 2. The evaluation criteria established in this step will be used in Phase 1 to collect information about relevant vulnerabilities and controls to the institution's critical IT assets.

The evaluation of vulnerabilities is binary - they either exist or they do not. Risk levels attributed to vulnerabilities by other risk analysis tools are actually a reflection of threat. For example, a software vulnerability that could result in privileged access might be called a high risk vulnerability because a malicious individual (motivated threat agent) might easily exploit (threat probability) the vulnerability resulting in significant (threat) impacts such as unauthorized access to confidential information, disruption of critical services, or destruction or modification of important information. This framework does not rank vulnerabilities, and instead ranks comprehensive risk profiles built from all aspects of risks as you will see later in this framework.

As the institution examines controls, it will make decisions about the relative status of the safeguards implemented to protect critical IT assets. Grouping the evaluations of control status will simplify both data collection and analysis. Due to resource limitations, an institution will likely address only the least protected assets. Therefore, it makes sense to limit the number of control status evaluation groups to no more than five, but at least two. Three groups are usually sufficient.

Here is an example of evaluation groups for the status of controls:

Not Protected: Adequate controls are not implemented to safeguard the vulnerability from likely or high impact threats.

Protected: Adequate controls are implemented to safeguard the vulnerability from likely or high impact threats.

Not Applicable: Threats against the vulnerability are not likely, will not have significant impact, or do not exist.

Unsure: It is not known if the vulnerability is protected.
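As an added example (not part of the framework itself), the Python below encodes the Step 1 and Step 2 evaluation groups and the two rules that link them: impact is evaluated only for threats rated possible or probable, and a control's status is Not Applicable when the threats against the vulnerability are unlikely or low impact. It also enforces the framework's limit of two to five groups per criterion. The ThreatRecord shape and the controls_observed field are assumptions made for the illustration.

```python
# Added example, not part of the framework: Process 4 criteria as code.
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Probability(Enum):          # Step 1 threat probability groups
    PROBABLE = "Probable"
    POSSIBLE = "Possible"
    UNLIKELY = "Unlikely or Not Applicable"

class Impact(Enum):               # Step 1 threat impact groups
    SIGNIFICANT = "Significant"
    MODERATE = "Moderate"
    LOW = "Low"

class ControlStatus(Enum):        # Step 2 control status groups
    NOT_PROTECTED = "Not Protected"
    PROTECTED = "Protected"
    NOT_APPLICABLE = "Not Applicable"
    UNSURE = "Unsure"

def validate_groups(groups) -> int:
    """Each criterion must have between two and five evaluation groups."""
    if not 2 <= len(groups) <= 5:
        raise ValueError(f"{len(groups)} groups; expected between 2 and 5")
    return len(groups)

def impact_required(probability: Probability) -> bool:
    """Impact is evaluated only for threats rated possible or probable."""
    return probability is not Probability.UNLIKELY

@dataclass
class ThreatRecord:               # constructed record shape (assumption)
    asset: str
    threat: str
    probability: Probability
    impact: Optional[Impact] = None            # None until evaluated
    controls_observed: Optional[bool] = None   # None if not yet assessed

def control_status(rec: ThreatRecord) -> ControlStatus:
    """Step 2 status: Not Applicable for unlikely or low impact threats."""
    if not impact_required(rec.probability) or rec.impact is Impact.LOW:
        return ControlStatus.NOT_APPLICABLE
    if rec.impact is None:
        raise ValueError("evaluate impact before control status")
    if rec.controls_observed is None:
        return ControlStatus.UNSURE
    if rec.controls_observed:
        return ControlStatus.PROTECTED
    return ControlStatus.NOT_PROTECTED
```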


Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).