CCS calculates the base risk score from technical assessments, user responses to response assessments (evidence), incidents, vulnerabilities, and so on. The base risk score is the product of likelihood and impact.
Risk Manager builds the risk aggregation and analytics logic on top of the base risk score. This logic is based on the following:
The importance of the assets across multiple dimensions, and their information classification.
Realistic ability to model risks.
Weights and compensating controls: the weight expressed as a percentage, the compensating controls, and the compensation percentage.
The final risk score is calculated by applying the risk aggregation and analytics logic to the base risk score. The risk score is a number on a scale of 1 to 10, where 1 is the lowest risk and 10 is the highest.
The following types of risk scores are available:
Compensated risk score
Weighted controls risk score
Controls risk score
Weighted base risk score
The risk score with controls considers the controls that are defined at the security objective level. The base risk score considers all inputs, such as threats, vulnerabilities, incidents, response assessment evidence, and technical assessments, regardless of whether they are associated with a control.