NMI LLC — RSK Risk Measurement
RSK is a process for continuous quantitative risk measurement. RSK has been used in thousands of security tests, risk assessments, and audits since NMI first introduced it in 1999.
RSK Improves Risk Management & Reduces Costs
- RSK can assess all forms of risk. RSK is a valuable tool for measuring information security and information technology risk, but it can also be used to measure operational, compliance, legal, reputational, financial, and all other forms of risk.
- RSK allows continuous risk management. Continuous risk management allows you to identify changes in risk that occur between traditional risk assessments.
- RSK risk assessments are accessible to all audiences. RSK measurements are instantly understandable to all audiences including the Board, management, technical personnel, and even line employees.
- RSK makes it easy to track risk over time. Because RSK is an automated process, results are objective, repeatable, and comparable. This allows you to track the progress of your risk management program over time.
- RSK allows you to compare your risk to your peers. Any two (or more) organizations that use RSK can be directly compared. This makes it easy for you to see where you stand in relation to other organizations in your industry.
- RSK prioritizes and determines the cost-effectiveness of remedial actions. RSK supports "what if" scenarios that allow you to determine the likely impact of a control on your total risk equation. You can select and prioritize controls with confidence using RSK.
An RSK Example
The following chart depicts the actual RSK measurements of a real company over more than two years. The RSK measurements are color coded to correspond to the Department of Homeland Security's threat warning system.
Notice that the risk changes up and down over time. This is the result of two opposing forces, entropy and energy:
- Entropy. Entropy is the tendency of risk to increase over time as new assets, threats, and vulnerabilities are added to the system.
- Energy. Energy is the money and effort you spend to improve your security, governance, risk management, and compliance. Adding energy counters the effects of entropy.
In the example, every increase in risk is due to entropy: a new asset is added, or a new threat or vulnerability arises. Every decrease in risk is due to the addition of energy: the company secures an asset, fixes a vulnerability, or updates controls to mitigate a threat.
How RSK Works
RSK reduces all the factors related to risk to easy-to-understand numeric values between 1 and 100. RSK risk measurements have some important properties:
- RSK measurements are consistent regardless of the scope of the assessment
- RSK measurements are repeatable
- RSK measurements can be compared
- RSK measurements can be statistically analyzed
RSK achieves these properties using a mathematical and algorithmic process based on the following assumptions:
- Worst case assumption. Your overall risk is never less than your single worst exposure. In other words, if you have ten low risk exposures, five medium risk exposures, and one high risk exposure, your overall risk is at least high.
- Multiple exposure assumption. Multiple exposures are worse than one exposure. In other words, if you have two high risk exposures your overall risk is greater than if you had only one high risk exposure.
- Diminishing impact assumption. While multiple exposures are worse than one exposure, each successive exposure has less of an impact on overall risk than the first exposure. In other words, if you have five high risk exposures your overall risk is greater than if you had only one high risk exposure, but not five times greater.
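The three assumptions above fix the shape of the aggregation without giving its formula. The following Python aggregator is an added illustration, not NMI's RSK algorithm (which this page does not publish): it combines per-exposure scores on the 1 to 100 scale so that all three assumptions hold. The half-weight decay factor and the "close a fraction of the remaining headroom" rule are assumptions of the example.

```python
# Illustrative aggregator satisfying the worst-case, multiple-exposure and
# diminishing-impact assumptions. ASSUMPTION: this is not NMI's RSK formula;
# the decay factor and headroom rule were chosen for this example only.

from typing import Iterable, List

SCALE_MAX = 100.0   # the page states scores lie between 1 and 100
DECAY = 0.5         # assumed: each further exposure weighs half the previous one


def overall_risk(exposures: Iterable[float], decay: float = DECAY) -> float:
    """Combine individual exposure scores (1..100) into one overall score.

    Worst case:       the largest exposure enters at full weight, so the
                      result is never below it.
    Multiple exposure: every further exposure adds a positive amount while
                      headroom below 100 remains.
    Diminishing impact: the k-th extra exposure closes decay**k of the
                      remaining headroom, scaled by its own severity, so
                      the increments shrink geometrically and can never
                      push the total above 100.
    """
    scores = sorted((float(s) for s in exposures), reverse=True)
    if not scores:
        return 0.0
    for s in scores:
        if not 1.0 <= s <= SCALE_MAX:
            raise ValueError(f"exposure score {s} outside 1..{SCALE_MAX:.0f}")
    total = scores[0]           # worst single exposure sets the floor
    weight = decay
    for s in scores[1:]:
        headroom = SCALE_MAX - total
        total += headroom * weight * (s / SCALE_MAX)
        weight *= decay
    return round(total, 2)


def running_scores(exposures: Iterable[float], decay: float = DECAY) -> List[float]:
    """Overall score after each exposure is added, largest first; the
    differences between consecutive entries are the marginal impacts."""
    scores = sorted((float(s) for s in exposures), reverse=True)
    return [overall_risk(scores[:k], decay) for k in range(1, len(scores) + 1)]


if __name__ == "__main__":
    # constructed sample: ten low (20), five medium (50), one high (80)
    print(overall_risk([80] + [50] * 5 + [20] * 10))
    print(running_scores([80] * 5))
```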
RAPID, RSK, STORM, and TrustPath are trademarks of NMI LLC.