Question - Liabilities

Curious as to what folks are using as liabilities, as it relates to a US based international company?

I imagine creating one for GDPR, but I am wondering what other “Types” folks are using?

In eramba, liabilities are used for the most part when using the risk modules. The reason is that liabilities have an attribute called “Magnifier”; it's a number.

Liabilities can be linked to assets, third parties, etc. When you perform asset risk management and you select an asset, say “laptop”, eramba will check what liabilities that asset has associated with it. It will then take the risk magnifiers of each one of them and include them in the math of the risk score.

If the magnifier is set to zero, it's not part of the equation.

So … what are liabilities? Examples are in the risk management documentation: Risk Management - Google Docs

I hope this helps.

For liabilities, can we use them to define the company division which the business units are responsible for? I suppose that liabilities do not have any relationship with internal controls and policies except for compliance, third parties and the asset/risk?

Can you help with my understanding of this?


It is better to use eramba by understanding how it works rather than guessing. My point here is that if your aim is doing risk management or compliance management, then use those modules' documentation to figure out how they work.

Risk module documentation:


The help button on every will help everyone to see what relationships exist (not always accurate).

Documentation is not always accurate, but most of the time it is. It is impossible to use eramba or any other tool until one immerses a couple of hours into each module (there are 20+) and plays with them a bit.

Sorry, forgot to address this one - correct!


Would you mind sharing examples, other than the list, of liabilities that we can use in Eramba? Types of liabilities we can put into Eramba.



As Esteban mentioned, liabilities are risk magnifiers. They are used to highlight the inherent risk involved with a particular asset. For example, if your organization has to be PCI compliant, you might create a PCI liability. If you apply that to all assets involved in your cardholder data environment, it will increase the risk calculation related to those assets. As a further example, you could use this to increase risks for things that are more critical to your PCI compliance initiative… the lack of enduring protection might be risky for all assets, but is more risky for PCI scoped assets.

Examples of liabilities could be things like compliance requirements (i.e., PCI, SOC, SOX, etc.) or contractual requirements (say a contract requirement with a key client/vendor).

Personally, I don’t use liabilities. I simply take the “liabilities” into account as I rate risk. Also, I create assets around known liabilities… “servers” vs “servers - PCI”. Not sure if this is the best solution, but it’s always worked for me.

I hope this helps.
