Back to all activities

Creating a Risk Matrix


As part of SAFETAG's dedication to building agency and supporting organizational adoption of safer practices, a careful prioritization of vulnerabilities is invaluable in keeping audit results from appearing overwhelming. In addition, this component ranks the vulnerabilties identified using the risk-matrix developed with the host organization's staff. Using the host-created framework will allow for a deeper understanding of the impact of vulnerabilities and encourage greater investment in addressing them.


    • Treat the data and analyses of this step with the utmost security.
    • Use VPNs or Tor to search if conducting the search from a country that is highly competitive with the organization’s country, or is known to surveil.


    Identify and rank vulnerabilities

    • Identify the possible impact of the vulnerability.
    • Identify any threats to critical process' the vulnerability makes possible.
    • Identify the process with the greatest impact if interrupted.
    • Identify the possibility of exploitation.
    • Identify the level of resources required to exploit the vulnerability.
    • Compare the resources required against the capabilities identified in the risk modeling activities and the contextual research you completed.

    Build a vulnerability/likelihood matrix

    • Position the vulnerability on the risk matrix in relation to its likelihood and its impact.

    Risk vs Difficulty

    Risk vs Likelihood

    Create a risk matrix

    • Place impacts against a range of likelihood.
    • Clean up critical process maps for use in reporting.
    • Create a list of all services or assets that were identified during the activity that were not already known by the auditor.

    Impact vs Severity