Understanding Cybersecurity Risk
Using the CIS Risk Assessment Method (RAM): Risk = Expectancy × Impact
Cybersecurity risk isn’t just a technical concern—it’s a business concern. Using the CIS RAM (Center for Internet Security Risk Assessment Method), we assess risk in a simple, structured way so leaders can make informed decisions.
Expectancy
Expectancy is the likelihood that a cybersecurity threat will occur. We calculate this by evaluating two key indicators:
- CVSS (Common Vulnerability Scoring System): Rates how severe and exploitable a vulnerability is.
- EPSS (Exploit Prediction Scoring System): Predicts how likely a vulnerability is to be exploited in the wild.
Although the EPSS score is originally on a scale of 0.0 to 1.0, we convert it to a 1–5 scale to align with the CIS RAM model and keep the risk calculation simple and intuitive.
EPSS (0.0–1.0) is mapped to the CIS RAM-style 1–5 Expectancy score:
EPSS Range | Expectancy Score | Description |
---|---|---|
< 0.1 | 1 – Not foreseeable | There is no known exploit activity and no signs of interest. Extremely unlikely to occur. |
0.1–0.29 | 2 – Foreseeable | Could occur under special conditions, but limited likelihood in our environment. |
0.3–0.49 | 3 – Possible | Exploit is somewhat likely; threat actors may attempt it if opportunity presents itself. |
0.5–0.79 | 4 – Likely | Exploitation is likely under current circumstances or based on historical trends. |
0.8–1.0 | 5 – Could be happening now | Threat is active, highly likely, or already observed. Immediate concern. |
The higher the Expectancy, the more likely the risk is to materialize.
Impact
If it happens, how bad will it be?
Impact reflects the potential damage a threat could cause. We evaluate the consequences across three business areas:
- Impact to Mission – Will it disrupt our core purpose?
- Impact to Operational Objectives – Will it delay or stop key services or workflows?
- Impact to Obligations – Will it cause us to break legal, contractual, or ethical commitments?
Examples of Impact:
- Financial loss (e.g., cost of downtime or ransomware payments)
- Time required to resolve the incident
- Manpower and resources spent on recovery
- Long-term damage to reputation and customer trust
Score | Level | Description |
---|---|---|
1 – Negligible | Minimal disruption | Brief slowdown, no long-term effect |
2 – Minor | Small operational nuisance | Temporary hiccup, easy to fix |
3 – Significant | Noticeable business impact | Revenue loss, service delay, employee frustration |
4 – Major | Severe disruption | Service outages, lost contracts, public customer impact |
5 – Catastrophic | Critical and lasting damage | Legal penalties, major reputational harm, business closure |
Final Risk Score
To calculate the final Risk Score, we multiply:
Risk = Expectancy × Impact
Each component is scored from 1 to 5:
- Expectancy reflects how likely a threat is, based on the severity of a known vulnerability (CVSS) and the probability it will be exploited (EPSS).
- Impact represents how severe the consequences would be if the risk actually happened.
Example 1:
A threat that is Likely (Expectancy = 4) and would cause Major damage (Impact = 4) would have a Risk Score of 16.
→ Risk Score = 4 × 4 = 16
Example 2:
A threat that is Not foreseeable (Expectancy = 1) and would only have a Minor effect (Impact = 2) would have a Risk Score of 2.
→ Risk Score = 1 × 2 = 2
How to Use the Risk Score
The Risk Score helps prioritize cybersecurity risks in a clear, business-focused way:
Risk Score | Risk Level | Recommended Action |
---|---|---|
1–5 | Low | Monitor, document, but no urgent action needed. |
6–10 | Moderate | Consider mitigation where cost-effective. |
11–15 | Elevated | Plan to address in the near term. |
16–20 | High | Prioritize for mitigation with appropriate controls. |
21–25 | Critical | Immediate action required to reduce risk. |
By scoring and ranking risks this way, executive teams can make informed, risk-based decisions on where to invest time, budget, and resources for cybersecurity controls.
Cybersecurity Risk Assessment Example
Impact Level (assumed): 3 – Moderate
Risk Calculation Table (Moderate Impact)
CVE ID | CVSS Score | EPSS Score | Expectancy Level | Impact Level | Final Risk Score |
---|---|---|---|---|---|
CVE-2023-23397 | 9.8 | 0.8673 | 5: Could be happening now | 3 | 15 |
CVE-2023-27350 | 9.8 | 0.9687 | 5: Could be happening now | 3 | 15 |
CVE-2023-23831 | 6.5 | 0.0005 | 1: Not foreseeable | 3 | 3 |
CVE-2023-24397 | 4.8 | 0.0004 | 1: Not foreseeable | 3 | 3 |
CVE-2023-23987 | 5.9 | 0.0005 | 1: Not foreseeable | 3 | 3 |
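As an added example (not code from this page or from CIS), the Python below implements the EPSS-to-Expectancy bands, the Risk = Expectancy × Impact product and the recommended-action tiers described above, and reproduces the example table at an assumed Impact of 3. Function and variable names are my own; the code also assumes the EPSS bands are contiguous, since the page leaves the gap between 0.29 and 0.3 unspecified.

```python
# Added example, not code from the page or from CIS: implements the page's
# EPSS-to-Expectancy bands, Risk = Expectancy x Impact, and the action tiers.
# Assumption not stated on the page: bands are contiguous, so the gap between
# 0.29 and 0.3 belongs to the lower band (0.295 -> Expectancy 2).
# (exclusive upper EPSS bound, Expectancy score, label); EPSS >= 0.8 scores 5.
EPSS_BANDS = [(0.1, 1, "Not foreseeable"), (0.3, 2, "Foreseeable"),
              (0.5, 3, "Possible"), (0.8, 4, "Likely")]
TOP_BAND = (5, "Could be happening now")

# (inclusive upper Risk Score bound, risk level) from the page's action table.
RISK_LEVELS = [(5, "Low"), (10, "Moderate"), (15, "Elevated"),
               (20, "High"), (25, "Critical")]

# Sample (CVE, CVSS, EPSS) rows copied from the page's example table.
SAMPLE_FINDINGS = [("CVE-2023-23397", 9.8, 0.8673), ("CVE-2023-27350", 9.8, 0.9687),
                   ("CVE-2023-23831", 6.5, 0.0005), ("CVE-2023-24397", 4.8, 0.0004),
                   ("CVE-2023-23987", 5.9, 0.0005)]


def expectancy(epss: float) -> tuple[int, str]:
    """Map an EPSS probability (0.0-1.0) to a 1-5 Expectancy score and label."""
    if not 0.0 <= epss <= 1.0:
        raise ValueError(f"EPSS must lie in [0.0, 1.0], got {epss}")
    for upper, score, label in EPSS_BANDS:
        if epss < upper:
            return score, label
    return TOP_BAND


def risk_level(score: int) -> str:
    """Translate a Risk Score (1-25) into the page's recommended-action tier."""
    for upper, label in RISK_LEVELS:
        if score <= upper:
            return label
    raise ValueError(f"Risk Score must lie in 1..25, got {score}")


def score_finding(cve: str, cvss: float, epss: float, impact: int) -> dict:
    """Risk = Expectancy x Impact; CVSS is carried for reporting only (mapping uses EPSS)."""
    if not 1 <= impact <= 5:
        raise ValueError(f"Impact must lie in 1..5, got {impact}")
    exp, label = expectancy(epss)
    risk = exp * impact
    return {"cve": cve, "cvss": cvss, "epss": epss, "expectancy": exp,
            "expectancy_label": label, "impact": impact, "risk": risk,
            "level": risk_level(risk)}


def score_all(findings, impact: int) -> list[dict]:
    """Score every finding at one assumed Impact level, highest Risk Score first."""
    rows = [score_finding(*f, impact) for f in findings]
    return sorted(rows, key=lambda r: r["risk"], reverse=True)
```

Calling `score_all(SAMPLE_FINDINGS, 3)` yields Risk Scores of 15 (Elevated) for the two actively exploited CVEs and 3 (Low) for the rest, matching the table above.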