Using the Likert Scale to Assess Risk
I've always thought this type of impact/probability chart is a bit simplistic and doesn't really give you enough granularity to make the best, informed decisions. Instead, I use a variation based on the Likert Scale. In the 1930s, psychologist Rensis Likert developed a way to measure attitudes consisting of either a 5- or 7-point scale; 7 points gives you a higher degree of accuracy.
You don't need to be a math or stats guru to use a Likert Scale. It's actually quite simple to implement and understand (an especially good feature when explaining the rationale for security decisions to management). For risk assessment, here's how it works.
For probability, use the following ratings:
1 - Very improbable
2 - Improbable
3 - Somewhat improbable
4 - Neither probable nor improbable
5 - Somewhat probable
6 - Probable
7 - Very probable
For impact, use these ratings:
1 - Very insignificant if it happens
2 - Insignificant if it happens
3 - Somewhat insignificant if it happens
4 - Neither significant nor insignificant if it happens
5 - Somewhat significant if it happens
6 - Significant if it happens
7 - Very significant if it happens
Take the rating values for a possible incident and multiply them together. For example, let's say the potential of someone stealing office supplies at a large NGO's HQ is probable (6) but insignificant (2). That gives the incident a value of 12.
Compare that to the potential of a staff member being abducted in a certain conflict zone. Let's say it's somewhat probable (5) and very significant (7) if it happens. This incident tallies up as a 35.
The higher the number, the more time and effort you should devote toward preventative and contingency measures.
You can make this particular Likert Scale even easier to use by multiplying the total by two. When we multiply probability by impact we start out with a possible range of values from 1 to 49. If we multiply by two, the range then goes from 2 to 98, which is close to the familiar 1 to 100 scale. From a cognitive standpoint it's easier for someone to relate to a score of 24 for the pencil thief incident and 70 for the more dire abduction scenario.
You can get good quantitative results quite quickly by plugging the numbers into a spreadsheet and then sorting after you're finished.
It's worthwhile to mention that two heads are better than one (usually), and it's useful to have several people who are knowledgeable about the operating environment work up incident ratings. You can either go for a consensus view or simply take the average of the different responses and use that as your rating.
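The whole procedure above (rate probability and impact on the two 7-point scales, multiply, optionally double to the 2-98 range, average several assessors' ratings, then sort) fits in a few lines of code, which is also a cheap way to guard against the typo that a spreadsheet will happily accept, such as a rating of 0 or 17. The following Python is an added example written for this page, not the author's own tool; the incident names and the per-assessor ratings are constructed sample data, and the rounding rule for averaged ratings (halves round up) is an assumption, since the post does not specify one.

```python
import math
from statistics import mean

# Rating labels from the two 7-point scales given in the post.
PROBABILITY_LABELS = {
    1: "Very improbable", 2: "Improbable", 3: "Somewhat improbable",
    4: "Neither probable nor improbable", 5: "Somewhat probable",
    6: "Probable", 7: "Very probable",
}
IMPACT_LABELS = {
    1: "Very insignificant", 2: "Insignificant", 3: "Somewhat insignificant",
    4: "Neither significant nor insignificant", 5: "Somewhat significant",
    6: "Significant", 7: "Very significant",
}


def validate_rating(name, value):
    """Reject anything outside the 1-7 integer scale instead of silently skewing the ranking."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 7:
        raise ValueError(f"{name} rating must be an integer from 1 to 7, got {value!r}")
    return value


def risk_score(probability, impact, scaled=False):
    """Probability x impact gives 1-49; scaled=True applies the post's doubling for 2-98."""
    score = validate_rating("probability", probability) * validate_rating("impact", impact)
    return score * 2 if scaled else score


def consensus_rating(ratings):
    """Average several assessors' 1-7 ratings back onto the scale (assumption: halves round up)."""
    if not ratings:
        raise ValueError("need at least one rating")
    for rating in ratings:
        validate_rating("assessor", rating)
    return math.floor(mean(ratings) + 0.5)


def rank_incidents(incidents, scaled=True):
    """incidents: {name: (probability_ratings, impact_ratings)} -> rows sorted by descending score."""
    rows = []
    for name, (prob_ratings, impact_ratings) in incidents.items():
        probability = consensus_rating(prob_ratings)
        impact = consensus_rating(impact_ratings)
        rows.append({"incident": name, "probability": probability, "impact": impact,
                     "score": risk_score(probability, impact, scaled)})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample: three assessors rate the post's two scenarios plus a third made-up one.
SAMPLE_INCIDENTS = {
    "Office supplies stolen at HQ": ([6, 6, 6], [2, 2, 2]),
    "Staff member abducted in conflict zone": ([5, 4, 6], [7, 7, 7]),
    "Laptop with donor data lost in transit": ([4, 5, 4], [6, 5, 6]),
}

if __name__ == "__main__":
    for row in rank_incidents(SAMPLE_INCIDENTS):
        print(f'{row["score"]:3d}  {row["incident"]}  '
              f'(P={row["probability"]} {PROBABILITY_LABELS[row["probability"]]}, '
              f'I={row["impact"]} {IMPACT_LABELS[row["impact"]]})')
```

Run as-is, it prints the abduction scenario first at 70 and the office-supply theft last at 24, matching the post's doubled scores; the averaged probability of [5, 4, 6] lands back on 5, so the consensus step does not change the post's numbers. Passing `scaled=False` to `rank_incidents` gives the raw 1-49 values (35 and 12) instead.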
Give the Likert Scale a try and see if it works for you.