Question - Risk Magnifier on multiple Assets (due for r41)


The current consideration of the risk magnifier does not really make sense to me. Basically it’s a very good idea to add sort of a risk magnifier on legal liabilities to increase the visibility of risks relevant to compliance.
But I don’t like the way it works especially when multiple assets are involved.

e.g. I have a risk magnifier of 2 and a risk value of 4 (medium impact = 2, high probability = 3). When the risk affects 3 similar assets with this legal liabilty I already get a score of (2+3)*(2+2+2) = 30, whereas the same risk affecting one asset gets only a risk of 10.
I would prefer to have a risk indicator regardless of the number of assets, so that it shows just 10, even if 3 assets are affected. The risk is not bigger only because it affects more than one asset in my opinion.
Only other workaround would be to connect only one asset to a risk, but then my risk register starts to explode.

Maybe there will be some more flexibility anyway with the future integration of other risk models?

Yes, that is the logic works now. If i have a risk of “Loss of data due missing patches” , and my assets are “Linux Servers”, “Windows Servers” and “Workstations” eramba wants to tell the problem is bigger than if two assets would be affected.

I guess the way to work this out would be a flag on the “Calculation Settings” so you can use our current model or the one you suggest, makes sense?

Yes, we discussed about Allegro and we are adding another eramba calculation to multiply values, not just sum them. What calculation you need , can you share that bit?

ps. apologies for our delay, this weeks have been mad.

don’t ask me for risk calculations… we are still on a very basic level.
Before Eramba we just had impact x probability and a flag for compliance / legal liabilities plus manually considered the requirement on confidentiality, integrity and availability. I like the idea of a legal liability multiplicator but it should just be applied once, regardless of the number of assets I have connected to that risk, another option would be to just consider the c-i-a criteria together with the risk level per asset, I think this is something Allegro does. Need to dig deeper myself :slight_smile:

I documented this issue, not sure how visible it is:

It will add a new calculation method and make the “liabilities” thing optional.