Hello, reviewing Allegro I think we got how it works (hopefully). Those of you that use it, can you please confirm that:
- (IA) Impact Area is a classification applied to each asset (in eramba we define this at Asset Mgt / Settings / Classifications)
- (A) Impact is a classification applied to Asset Risks (in eramba we define this at Risk Mgt / Asset Risk Management / Settings / Classifications)
Then the math to calculate the risk score is the multiplication of I x IA and then the sum of all those results. The documentation mentions the probability is an optional field - but if included, how is it factored into the math?
I used as a reference “Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process” from 2007.
Thanks - we’ll put this and other risk related fixes on a single release once we complete workflows.