Risk Taxonomy

The UML Profile for Risk Taxonomy supports the Open Group Standard for Risk Taxonomy (OR-T), Version 2.0, which provides support for modeling risk scenarios and analyzing the risk conditions.

Risk Taxonomy Toolbox

Elements

Icon	Description	See also
Asset Loss	Defines the loss on an asset to the organization (in terms of the assets's value/liability and volume). Tagged Values Liability/Value Volume Cost – The intrinsic value of the asset Criticality – Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) LossFactor LossForm – Productivity, Response, Replacements, Fines and Judgements, Competitive Advantage, Reputation LossType – Primary, Secondary Sensitivity – Embarrassment/ Reputation - The information provides evidence of incompetent, criminal, or unethical management; note that this refers to reputation damage resulting from the nature of the information itself, as opposed to reputation damage that might result when a loss event takes place Competitive Advantage - The information provides competitive advantage (such as key strategies or trade secrets); of the sensitivity categories, this is the only one where the sensitivity represents value - in all other cases, sensitivity represents liability Legal Regulatory - The organization is bound by law to protect the information General - Disclosure of the information results in some form of loss
Assumption	Captures assumptions made in risk analysis. Tagged Values Rationale
Contact Frequency	The probable frequency, within a given timeframe, with which a threat agent will come into contact with an asset. Tagged Values ConfidenceLevel - Commonly expressed as a percentage MaximumLikelyValue MinimumLikelyValue Type – Random - The threat agent 'stumbles upon' the asset during the course of unfocused or undirected activity Regular - Contact occurs because of the regular actions of the threat agent Intentional - The threat agent seeks out specific targets
External Loss	Captures external loss factors. Tagged Values Factors – Event Detection, Legal and Regulatory, Competitors, Media, Other Stakeholders Cost Criticality – Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) LossFactor LossForm – Productivity, Response, Replacements, Fines and Judgements, Competitive Advantage, Reputation LossType – Primary, Secondary Sensitivity – Embarrassment/ Reputation - The information provides evidence of incompetent, criminal, or unethical management; note that this refers to reputation damage resulting from the nature of the information itself, as opposed to reputation damage that can result when a loss event takes place Competitive Advantage - The information provides competitive advantage (such as key strategies or trade secrets); of the sensitivity categories, this is the only one where the sensitivity represents value - in all other cases, sensitivity represents liability Legal Regulatory - The organization is bound by law to protect the information General - Disclosure of the information results in some form of loss
Loss	Captures loss that a threat can result in. Tagged Values Cost Criticality – Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) LossFactor LossForm – Productivity, Response, Replacements, Fines and Judgements, Competitive Advantage, Reputation LossType – Primary, Secondary Sensitivity – Embarrassment/ Reputation - The information provides evidence of incompetent, criminal, or unethical management; note that this refers to reputation damage resulting from the nature of the information itself, as opposed to reputation damage that might result when a loss event takes place Competitive Advantage - The information provides competitive advantage (such as key strategies or trade secrets); of the sensitivity categories, this is the only one where the sensitivity represents value - in all other cases sensitivity represents liability Legal Regulatory - The organization is bound by law to protect the information General - Disclosure of the information results in some form of loss
Loss Event Frequency	The probable frequency, within a given timeframe, that a threat agent will inflict harm upon an asset. Tagged Values LossType ProbableFrequency - Probability is always is based on a timeframe (event X is 10% likely to occur over the next Y) Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) TimePeriod
Loss Magnitude	The probable magnitude of loss resulting from a loss event. Tagged Values LossType Rating - Severe (SV), High (H), Significant (Sg), Moderate (M), Low (L), VeryLow (VL)
Organizational Loss	Captures the loss to the organization. Tagged Values Factors – Timing, DueDiligence, Response, Detection Cost – T he intrinsic value of the asset Criticality – Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) LossFactor LossForm – Productivity - The reduction in an organization’s ability to generate its primary value proposition Response - Expenses associated with managing a loss event (such as internal or external person-hours, logistical expenses, legal defense and public relations expenses) Replacement - The capital expense associated with replacing lost or damaged assets Fines and Judgements - Legal or regulatory actions levied against an organization Competitive Advantage - Losses associated with diminished competitive position Reputation - Losses associated with an external stakeholder’s perception that an organization’s value proposition is diminished LossType – Primary, Secondary Sensitivity – Embarrassment/ Reputation - The information provides evidence of incompetent, criminal, or unethical management; note that this refers to reputation damage resulting from the nature of the information itself, as opposed to reputation damage that might result when a loss event takes place Competitive Advantage - The information provides competitive advantage (such as key strategies or trade secrets); of the sensitivity categories, this is the only one where the sensitivity represents value - in all other cases, sensitivity represents liability Legal Regulatory - The organization is bound by law to protect the information General - Disclosure of the information results in some form of loss
Probability of Action	The probability that a threat agent will act against an asset once contact occurs. Tagged Values ConfidenceLevel - Commonly expressed as a percentage LevelOfEffort - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) MaximumLikelyValue - T he threat agent’s maximum value proposition from performing the act MinimumLikelyValue - The threat agent’s minimum value proposition from performing the act MostLikelyValue - The threat agent’s perceived value proposition from performing the act RiskOfDetection/Capture - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
Resistance Strength	The strength of a control as compared to a baseline measure of force. Tagged Values ConfidenceLevel - Commonly expressed as a percentage LevelOfEffort - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL) MaximumLikelyValue MinimumLikelyValue MostLikelyValue Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
Risk Scenario	Defines the environment or situation that involves risk.
Risk	Defines an estimate of the probable frequency and magnitude of future loss Tagged Values Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
Risk Management Decision	The decision to mitigate the risk.
Threat	Defines the harm to an asset that a risk poses. Tagged Values ThreatScenario – Malicious, Error, Failure, Natural ThreatType – External, Internal
Threat Agent	The source that could inflict harm upon an asset. Tagged Values AccessMethod DesiredVisibility Motive Objective PersonalRiskTolerance Resources SkillRating Sponsorship ThreatType – External, Internal
Threat Capability	The probable level of force that a threat agent is capable of applying against an asset. Tagged Values ConfidenceLevel - Commonly expressed as a percentage MaximumLikelyValue - The maximum level of skills an attacker might have MinimumLikelyValue - The minimum level of skills that an attacker might have MostLikelyValue - The skill level of the most likely attacker Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
Threat Community	People associated with the conditions surrounding the asset at risk. Tagged Values ThreatType – External, Internal
Threat Event Frequency	The probable frequency, within a given timeframe, at which a threat agent will act against an asset. Tagged Values Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)
Threat Response	The action associated with managing a loss event. Tagged Values ResponsePercentage ResponseType – Containment - An organization’s ability to limit the breadth and depth of an event Remediation - An organization’s ability to remove the threat agent Recovery - The ability to bring things back to normal
Vulnerability	The probability that a threat event will become a loss event. Tagged Values Rating - Very High (VH), High (H), Moderate (M), Low (L), Very Low (VL)

Relationships

Icon	Description	See also
Affect	Represents an impact that a threat has on an asset.
Deny Access	Represents a relationship type of a threat to an asset.
Destruction	Represents loss on an asset, such as destruction or theft of a non-data asset.
Disclose	Represents an agent illicitly disclosing sensitive information.
Loss Flow	Represents mapping between losses.
Misuse	Represents unauthorized use of assets (such as identity theft, or setting up an illegal distribution service on a compromised server).
Modify	Represents unauthorized changes to am asset.
Unauthorized Access	Represents a simple unauthorized access relationship on an asset.