4. Risk Exposure
Likelihood Level
The risk exposure reflects a combined judgement based on the likelihood and impact analyses. The likelihood score is derived by combining the threat analysis score and the vulnerability analysis score described above, as outlined in the figure below.
(Sources: NIST SP 800-161r1-upd1, p. 227)
Overall Risk Exposure
The risk exposure is then aggregated based on that likelihood score and the impact score. If multiple vulnerabilities are identified for a given product or service, each vulnerability shall be assigned a risk level based on its likelihood and impact.
(Sources: NIST SP 800-161r1-upd1, p. 227)
Risk-Based Decision
The aforementioned risk analyses and scoring provide the measures by which the enterprise determines whether to proceed with procurement of the product, service, or supplier.
Decisions to proceed must be weighed against the risk appetite and tolerance across the tiers of the enterprise, as well as the mitigation strategy that may be put in place to manage the risks resulting from procuring the product, service, or supplier.
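The following is an added illustration of the scoring chain described in the Likelihood Level, Overall Risk Exposure and Risk-Based Decision passages above; it is not code from the source document and does not reproduce NIST's own tables. It models threat + vulnerability -> likelihood and likelihood + impact -> risk exposure as explicit lookup matrices, rates each identified vulnerability separately, rolls the ratings up to a product-level rating, and compares each rating with an enterprise risk tolerance to decide whether procurement can proceed without further mitigation. The three-level scale, both matrices, the worst-case roll-up rule, the tolerance value and the sample findings are all assumptions made for this example.

```python
"""
Added example (not from the source document, and not the NIST SP 800-161r1
figures): a minimal model of the scoring chain
    threat + vulnerability -> likelihood,  likelihood + impact -> risk,
applied per vulnerability and then compared with a risk tolerance.
The level scale, both matrices and the tolerance are ASSUMED for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


# ASSUMED likelihood matrix keyed by (threat score, vulnerability score).
# A capable threat against a minor weakness, or a weak threat against a
# severe weakness, both land on MODERATE; only HIGH/HIGH-ish pairs reach HIGH.
LIKELIHOOD_MATRIX = {
    (Level.LOW, Level.LOW): Level.LOW,
    (Level.LOW, Level.MODERATE): Level.LOW,
    (Level.LOW, Level.HIGH): Level.MODERATE,
    (Level.MODERATE, Level.LOW): Level.LOW,
    (Level.MODERATE, Level.MODERATE): Level.MODERATE,
    (Level.MODERATE, Level.HIGH): Level.HIGH,
    (Level.HIGH, Level.LOW): Level.MODERATE,
    (Level.HIGH, Level.MODERATE): Level.HIGH,
    (Level.HIGH, Level.HIGH): Level.HIGH,
}

# ASSUMED risk exposure matrix keyed by (likelihood, impact).
# Impact dominates: a HIGH-impact finding is never rated LOW.
RISK_MATRIX = {
    (Level.LOW, Level.LOW): Level.LOW,
    (Level.LOW, Level.MODERATE): Level.LOW,
    (Level.LOW, Level.HIGH): Level.MODERATE,
    (Level.MODERATE, Level.LOW): Level.LOW,
    (Level.MODERATE, Level.MODERATE): Level.MODERATE,
    (Level.MODERATE, Level.HIGH): Level.HIGH,
    (Level.HIGH, Level.LOW): Level.MODERATE,
    (Level.HIGH, Level.MODERATE): Level.HIGH,
    (Level.HIGH, Level.HIGH): Level.HIGH,
}


@dataclass(frozen=True)
class Vulnerability:
    ident: str            # constructed label for the finding, e.g. "V-1"
    threat: Level         # score from the threat analysis
    vulnerability: Level  # score from the vulnerability analysis
    impact: Level         # score from the impact analysis


def likelihood(threat: Level, vulnerability: Level) -> Level:
    """Likelihood level from the threat and vulnerability scores."""
    return LIKELIHOOD_MATRIX[(threat, vulnerability)]


def risk_exposure(v: Vulnerability) -> Level:
    """Risk level for one finding: each identified vulnerability gets its
    own rating from its likelihood and its impact."""
    return RISK_MATRIX[(likelihood(v.threat, v.vulnerability), v.impact)]


def product_risk(vulns: list[Vulnerability]) -> Level:
    """ASSUMED roll-up rule: the product inherits the worst rating among its
    findings, so a single HIGH cannot be averaged away by several LOWs."""
    return max((risk_exposure(v) for v in vulns), default=Level.LOW)


@dataclass
class Decision:
    proceed: bool
    product_level: Level
    above_tolerance: list[str] = field(default_factory=list)  # findings needing mitigation


def risk_based_decision(vulns: list[Vulnerability], tolerance: Level) -> Decision:
    """Compare each finding's rating with the enterprise tolerance. Findings
    at or below tolerance are accepted; anything above must be brought down
    by a mitigation strategy before procurement proceeds (ASSUMED policy)."""
    over = [v.ident for v in vulns if risk_exposure(v) > tolerance]
    return Decision(proceed=not over, product_level=product_risk(vulns), above_tolerance=over)


# Constructed sample: two findings against one hypothetical supplier product.
SAMPLE = [
    Vulnerability("V-1", threat=Level.HIGH, vulnerability=Level.MODERATE, impact=Level.MODERATE),
    Vulnerability("V-2", threat=Level.LOW, vulnerability=Level.MODERATE, impact=Level.HIGH),
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(v.ident, likelihood(v.threat, v.vulnerability).name, risk_exposure(v).name)
    d = risk_based_decision(SAMPLE, tolerance=Level.MODERATE)
    print("product:", d.product_level.name, "proceed:", d.proceed, "mitigate:", d.above_tolerance)
```

The matrices are kept as explicit tables rather than arithmetic on the scores, because combining qualitative ratings is a policy choice the enterprise records, not a computation; the same structure lets a different tolerance be supplied per enterprise tier by calling risk_based_decision once per tier.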