...
When a questionnaire is created to discover underdeveloped business practices or find immature security policies, you can "weight" responses to automatically calculate risk when the questionnaire is returned. Potential risks are then placed into three categories - Based on thresholds you provide, returned questionnaires are placed in a category of low, medium and , or high, depending on the "weight" or number given to an answer. The higher the number, the higher the risk calculationsum of weights applied to individual questions. A higher number translates to higher risk.
Weighting a Questionnaire
...
- Enter a number between 1 and 10 in the Weight box with 1 being the least impact and 10 being the most impact. This is for the question itself and only applies to radio buttons and checkboxes. If It is up to your organization to determine the weight of each question. For weighting individual answers to the question, review the following:
- For each multiple choice option, enter a number in the Multiplier box starting with 1 for the lowest risk and continuing consecutively. The highest number represents the most risk as follows:
- The highest risk answer, which is Non-Existent. No defined information security program in the example, receives a multiplier = 2. (Question weight of 5 x multiplier of 2 = risk score of 10). This means great risk is identified.
- The medium risk answer, which is Ad-hoc. Some documented processes to capture infosec compliance in the example, receives a multiplier = 1. (Question weight of 5 x multiplier of 1 = risk score of 5). This means some risk is identified.
- The low risk answer, which is World class. Compliant with numerous infosec frameworks in the example, receives a multiplier = 0. (Question weight of 5 x multiplier of 0 = risk score of 0). This means no risk is identified.
- For each Yes/No or True/False question, enter a number in the Multiplier box of 0 or 1. By multiplying the weight x 0, no weight is applied, meaning this answer indicates no risk to your organization. By multiplying the weight x 1, the weight is applied, meaning this answer indicates risk to your organization.
- For each multiple choice option, enter a number in the Multiplier box starting with 1 for the lowest risk and continuing consecutively. The highest number represents the most risk as follows:
- Once all questions are weighted and multipliers added, you can establish the risk thresholds.
...