Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated screenshots


Live Search
spaceKeyZenGRCOnboardingGuide
additionalnone
placeholderSearch our site
typepage

Overview

...


When a questionnaire is created to discover underdeveloped business practices or find immature security policies, you can "weight" responses to automatically calculate risk when the questionnaire is returned. Based on thresholds you provide, returned questionnaires are placed in a category of low, medium, or high, depending on the sum of weights applied to individual questions. A higher number translates to higher risk. 

Weighting a Questionnaire


We recommend keeping weighting simple. And, since ZenGRC calculates certain numbers for you, it's best to finish weighting all questions prior to calculating thresholds.

Note
titleIMPORTANT

Questionnaire weighting can be done in any manner your organization chooses. This section documents two ways to weight in order to show how the functionality works.

Turning on Weighted


To turn on weighting, access the main, right-hand panel of the questionnaire and complete the following steps:

  1. Click the Weighted toggle. Green indicates weighting is on.

    Image Added

    Tip
    titleTIP

    Sometimes the right-hand panel to weight a survey is difficult to display if you've already started adding questions. If a question is highlighted, click on the question again to display the panel. Or click away from the questionnaire, such as in the scroll bar or on an empty area of the page, then select the question again.


First Way to Weight a Questionnaire


This example rates all questions a 1, with incremental multipliers differentiating the riskiest responses.

The following is an example of how to calculate the weight of questionnaire responses:

  1. Enter a 1 in the Weight box for the question itself. This applies to every question in your survey.
  2. For multiple choice questions, enter a number for each option in the Multiplier box starting with 1 for the lowest risk and continuing consecutively. The highest number represents the most risk as follows:
    1. The highest risk answer, which is Non-Existent Capability in the example, receives a multiplier of 6. (Question weight of 1 x multiplier of 6 = risk score of 6). This means great risk is identified.
    2. The lowest risk answer, which is World-class program in the example, receives a multiplier of 1. (Question weight of 1 x multiplier of 1 = risk score of 1). This means low risk is identified.

      Image Added

  3. Once all questions are weighted and multipliers added, you can establish the mid and high risk thresholds.

Second Way to Weight a Questionnaire


This example only adds weight to the most important radio button and checkbox questions. It leaves all others with a 0 weight. This is because responses to other questions need to be evaluated by your organization to decide risk. 

The following is an example of how to calculate the weight of questionnaire responses:

  1. Enter a number between 1 and 10 in the Weight box with 1 being the least impact and 10 being the most impact. This is for the question itself and only applies to radio buttons and checkboxes. It is up to your organization to determine the weight of each question. For weighting individual answers to the question, review the following:
    1. For each multiple choice option, enter a number in the Multiplier box starting with 1 for the lowest risk and continuing consecutively. The highest number represents the most risk as follows:
      1. The highest risk answer, which is Non-Existent. No defined information security program in the example, receives a multiplier = 2. (Question weight of 5 x multiplier of 2 = risk score of 10). This means great risk is identified.
      2. The medium risk answer, which is Ad-hoc. Some documented processes to capture infosec compliance in the example, receives a multiplier  = 1. (Question weight of 5 x multiplier of 1 = risk score of 5). This means some risk is identified.
      3. The low risk answer, which is World class. Compliant with numerous infosec frameworks in the example, receives a multiplier = 0. (Question weight of 5 x multiplier of 0 = risk score of 0). This means no risk is identified.

        Image Added

    2. For each Yes/No or True/False question, enter a number in the Multiplier box of 0 or 1. By multiplying the weight x 0, no weight is applied, meaning this answer indicates no risk to your organization. By multiplying the weight x 1, the weight is applied, meaning this answer indicates risk to your organization.
  2. Once all questions are weighted and multipliers added, you can establish the risk thresholds.

Determining Mid and High Risk Thresholds


No matter which way you weight your questionnaire, the calculations for the risk thresholds are the same. To access and rate the thresholds, complete the following steps:

  1. Click away from the highlighted question and then click any question again to display the right-hand panel where thresholds are calculated. This is also where the toggle for weighting a questionnaire resides.
  2. Use the auto-calculated Min score and Max score displayed in the panel as guidelines to establish the thresholds.

    Image Added

  3. In the panel, ZenGRC automatically calculates Min score and Max score numbers by multiplying the weights and multipliers on each question and adding the sum of all questions together. Calculations are completed as follows:
    1. Individual question weight x lowest multiplier. (1 x 1 = 1). Then the sum of all questions is added = Min score.
    2. Individual question weight x highest multiplier. (1 x 6 = 6). Then the sum of all questions is added = Max score.

      Image Added

  4. The Mid Risk Threshold box is the number where the overall risk rating is shifted from low to medium risk and is determined by you. However, it can be calculated as follows:
    1. The threshold needs to be greater than the Min score box. Since the minimum risk score is 15 in the example, the Mid Risk Threshold number must be 16 or higher
  5. The High Risk Threshold box contains the number where the overall risk rating is shifted from medium to high risk and is determined by you. However, one way to calculate it is as follows:
    • Max score - Min score. (90 - 15 = 75)
    • Divide that by two. (75 / 2 = 37.5)
    • Add the Min score. (37.5 + 15 = 52.5)
    • The High Risk Threshold number must be greater than 52.5.

      Image Added