Hello, reviewing allegro i think we got how it works (hopefully) , those of you that use can confirm please that:

(IA) Impact Area is a classification applied to each asset (in eramba we define this at Asset Mgt / Settings / Classifications)

(A) Impact is a classification applied to Asset Risks (in eramba we define this at Risk Mgt / Asset Risk Management / Settings / Classifications)

Then the math to calculate the risk score is multiplication of I x IA and then the sum of all those results. The documentation mentions the probability is an optional field - but if included , how is factored on the math?

I used as a reference “Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process” from 2007

Thanks - we’ll put this and other risk related fixes on a single release once we complete workflows.

We use the Octave Allegro - using the margerit calculation:

we attach the Asset Classifications(Impact areas) with 1 value per impact area ranked per allegro method… the risk assesment then adds the Impact score to each impact area. (please see image)

the margerit calculation has likelihood as mandatory - hence we use it… it would simplify things if we didn’t have to take into consideration what the likelihood is of a risk being impacted. the likelihood evaluation is always a somewhat subjective that are hard to describe and provide documentation for.

Jonas,
So magerit and allegro are the same with the exception of the “likelihood” bit ? Would this mean that if we make the likelihood “optional” in magerit we would not need to add an additional risk method?
Sorry to bother, we just want to get it right.
Thanks!

well “the same” would be incorrect - but it is possible to use Octave Allegro using the magerit calculation yes.

making the likelihood field optional would make it more usable on a general level, reducing the need for documenting the method used for making subjective estimations.

so to answer the question - YES, making likelihood optional would make magerit compatible with Octave allegro (calculation wise)

The user classifies assets in “Impact Areas” (that is available already).

When an asset risk is created, based on the assets that were input eramba chooses the highest values for each Impact Area

For each Impact Area , the user selects Impact (or whatever the user wants to call that single classification under Risk Classifications)

For each Impact area, the user (OPTIONALLY) select Likelihood (or whatever the user wants to call that single classification under Risk Classifications)

So in the “Allegro” calculation settings, the user will tell eramba:

Which classification do you want to use for Impact? (mandatory)

Which classification do you want to use for likelihood? (optional)

I think we hold this as it was the same as “magerit” (i might be wrong here). The only piece that is sligthly different is the following in my understanding (and again, i might be wrong).

In magerit the “likelihood” will be one for all impacts , and Octave seems to let you do it that way OR set a likelihood per impact.