Error in risk calculation?

Author Message
Posted on: 07. 03. 2017 [11:08]
Member since: 06.09.2016
Posts: 11

I came across what I believe is an error in risk calculation.

For example:

An asset has Impact set at CIA: 1-1-1
A linked scenario to the asset has Threat and Vulnerability set at 1-1
A linked control to the asset modifies CIA with 2-1-2

I would expect the result to be:

Risk on asset after linking the scenario: 3-3-3
Risk on asset after applying control: 1-2-1

Instead the risk on asset after applying control in Verinice is: 2-2-2

It seems that Verinice FIRST reduces the risk by implementing the control and THEN increases the risk by linking the scenario. In this case:

Risk on asset after applying control: 0-0-0 (1-1-1 minus 2-1-2). The risk cannot be less than zero?
Risk on asset after linking the scenario: 2-2-2

It does not seem right, but maybe I am missing the point here?

Posted on: 13. 04. 2017 [12:05]
Member since: 05.08.2015
Posts: 77

In verinice you have two options to link controls. Depending on how you link it, you get a different result, and this is intentional:

1. Linking to the asset:
This reduces Business Impact.

In your example:
Asset Business Impact CIA: 1-1-1
- Control: 2-1-2
Control reduces the Business Impact of the asset: 0-0-0 (since no negative values are possible)

+ Scenario: 1-1 = 2
The values from the scenario remain unaffected: 1-1 = 2

Results after applying: 2-2-2

2. Link to the Scenario:
This reduces the probability of the scenario.

In your example:
Scenario: 1-1 = 2
- Control: 2 (Here you must decide on a single value, as this affects the probability and not CIA)
Control reduces the probability of the scenario: 0-0 = 0

+ Asset Business Impact CIA: 1-1-1
The values from the asset remain unaffected: 1-1-1

Results after applying: 1-1-1

Note: On our YouTube channel you will find many videos on working with verinice, including one on risk assessment.

Best regards
Your verinice team
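The two linking options described in the answer above, worked through as an added example (this is not verinice's own code). It assumes the arithmetic the thread shows: risk per CIA dimension is business impact plus scenario probability, probability is threat plus vulnerability, a control subtracts from whichever value it is linked to, and nothing drops below zero; the last function reproduces the ordering the original poster expected, for comparison.

```python
from typing import Tuple

CIA = Tuple[int, int, int]


def clamp0(x: int) -> int:
    """No negative values are possible in verinice, so floor at zero."""
    return max(0, x)


def scenario_probability(threat: int, vulnerability: int) -> int:
    """Probability of a scenario: threat plus vulnerability (1-1 = 2)."""
    return threat + vulnerability


def risk_without_control(impact: CIA, threat: int, vulnerability: int) -> CIA:
    """Risk per CIA dimension = business impact + scenario probability."""
    prob = scenario_probability(threat, vulnerability)
    return tuple(i + prob for i in impact)


def risk_control_on_asset(impact: CIA, threat: int, vulnerability: int, control: CIA) -> CIA:
    """Option 1: a control linked to the asset reduces business impact first."""
    reduced = tuple(clamp0(i - c) for i, c in zip(impact, control))
    return risk_without_control(reduced, threat, vulnerability)


def risk_control_on_scenario(impact: CIA, threat: int, vulnerability: int, control: int) -> CIA:
    """Option 2: a control linked to the scenario reduces its probability (one value)."""
    prob = clamp0(scenario_probability(threat, vulnerability) - control)
    return tuple(i + prob for i in impact)


def risk_control_after_scenario(impact: CIA, threat: int, vulnerability: int, control: CIA) -> CIA:
    """The ordering the original poster expected: subtract the control from the
    combined risk. Shown for comparison only; this is not what verinice does."""
    base = risk_without_control(impact, threat, vulnerability)
    return tuple(clamp0(r - c) for r, c in zip(base, control))


if __name__ == "__main__":
    # Values from the thread: impact 1-1-1, scenario 1-1, control 2-1-2
    impact, threat, vuln, control = (1, 1, 1), 1, 1, (2, 1, 2)
    print("no control:         ", risk_without_control(impact, threat, vuln))
    print("linked to asset:    ", risk_control_on_asset(impact, threat, vuln, control))
    print("linked to scenario: ", risk_control_on_scenario(impact, threat, vuln, 2))
    print("poster's expectation:", risk_control_after_scenario(impact, threat, vuln, control))
```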

