IT Risk assessment, four point scale
How do you assess your Information Technology risk? Here is a simple piece of guidance from Ernie Jordan and Luke Silcock in "Beating IT Risk": use a four-point scale on each category: risk level, impact and action.
All information assets need to be risk-assessed in a consistent way on the four dimensions of confidentiality, integrity, availability and compliance. Typically this will involve the asset first being identified and its owner determined. The owner will have responsibility for its classification but will be only one of several sources of requirements and specifications for risk assessment.
For example, the owner of an inventory price list may be the marketing director, who will be able to specify the base level of required confidentiality and availability. However, additional requirements for availability may be specified by the financial controller. Both would also have some input on integrity. Compliance requirements may be determined by the organization’s legal advisers. Risks need to be evaluated according to their impact on at least a four-point scale:
Risk level: Low, Medium, High, Very High
Impact: Negligible, Limited, Significant, Severe or catastrophic
Action: Minimal, Basic, Major, Extreme
The threats that impinge upon information assets are not assessed here, but they are necessary inputs. The value of the assets and the impact of their being compromised determine the security arrangements that need to be put in place. In summary, security threat plus vulnerability equals risk. Lowering risk requires attention to both threats and vulnerabilities.
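The classification procedure described above (an owner plus several other stakeholders each supplying requirements per dimension, then a rating on the four-point scales) is easy to get wrong in a spreadsheet: a weaker rating from one stakeholder can silently overwrite a stronger one, and a dimension nobody rated can be mistaken for "low". The following Python script is an added example, not code from the book or its authors. It assumes that when stakeholders disagree the highest requested level wins, that an asset's overall level is its worst dimension, and that position i on the risk level scale maps to position i on the impact and action scales; all three are modelling choices of this example, not statements from the page. The price list data is constructed to mirror the page's illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

# Four-point scales from the text; the integer value is the position on the scale.
class RiskLevel(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    VERY_HIGH = 3

IMPACT = ["Negligible", "Limited", "Significant", "Severe or catastrophic"]
ACTION = ["Minimal", "Basic", "Major", "Extreme"]

# The four dimensions every information asset is assessed on.
DIMENSIONS = ("confidentiality", "integrity", "availability", "compliance")


@dataclass
class Requirement:
    source: str        # who specified it: owner, financial controller, legal advisers ...
    dimension: str
    level: RiskLevel


@dataclass
class Asset:
    name: str
    owner: str         # the owner is responsible for classification, but is only one input
    requirements: list = field(default_factory=list)

    def add(self, source, dimension, level):
        if dimension not in DIMENSIONS:
            raise ValueError(f"unknown dimension {dimension!r}")
        self.requirements.append(Requirement(source, dimension, RiskLevel(level)))


def consolidate(asset):
    """Per dimension, the highest level any stakeholder asked for wins (assumption).
    Dimensions nobody rated stay None so the gap is visible rather than defaulting to LOW."""
    result = {d: None for d in DIMENSIONS}
    for r in asset.requirements:
        current = result[r.dimension]
        if current is None or r.level > current:
            result[r.dimension] = r.level
    return result


def overall(consolidated):
    """Asset-level rating = worst rated dimension (assumption: one weak dimension
    is enough to compromise the asset, so levels are combined with max, not averaged)."""
    rated = [v for v in consolidated.values() if v is not None]
    if not rated:
        raise ValueError("asset has no rated dimensions")
    return max(rated)


def classify(asset):
    """Produce the consolidated per-dimension levels plus the impact and action
    that the overall level implies on the other two scales (index-for-index mapping)."""
    cons = consolidate(asset)
    level = overall(cons)
    return {
        "asset": asset.name,
        "owner": asset.owner,
        "dimensions": {d: (v.name if v is not None else "UNRATED") for d, v in cons.items()},
        "risk_level": level.name,
        "impact": IMPACT[level],
        "action": ACTION[level],
        "unrated": [d for d, v in cons.items() if v is None],
    }


def price_list_example():
    # Constructed sample data following the page's inventory price list illustration.
    a = Asset("inventory price list", owner="marketing director")
    a.add("marketing director", "confidentiality", RiskLevel.MEDIUM)
    a.add("marketing director", "availability", RiskLevel.MEDIUM)
    a.add("financial controller", "availability", RiskLevel.HIGH)  # stricter than the owner
    a.add("marketing director", "integrity", RiskLevel.HIGH)
    a.add("financial controller", "integrity", RiskLevel.HIGH)
    a.add("legal advisers", "compliance", RiskLevel.LOW)
    return classify(a)


if __name__ == "__main__":
    import json
    print(json.dumps(price_list_example(), indent=2))
```

Running the script shows availability resolved to HIGH (the financial controller's requirement overrides the owner's MEDIUM), so the asset as a whole is rated HIGH with a "Significant" impact and a "Major" action. Leaving a dimension unrated is reported explicitly in `unrated`, which is the check a reviewer wants before signing off a classification.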