Overview


Weighting-specific best practices:


Weighting a Questionnaire


When a questionnaire is created to discover risky business practices or find immature security policies, you can "weight" responses to automatically calculate risk when the response is received. Potential risks are then placed into three categories - low, medium and high, depending on the "weight" or number given to an answer. The higher the number, the higher the risk calculation. 

We recommend keeping weighting simple. And, since ZenGRC calculates certain numbers for you, it's best to finish weighting all questions prior to calculating low, medium and high thresholds.

IMPORTANT

Questionnaire weighting can be done in any manner your organization chooses. This section documents two ways to weight in order to show how the functionality works.

Turning on Weighted



  1. Make certain the Weighted toggle is on in the questionnaire.



  2. Select the question in the main window to display available configurations in the right-hand panel.

First Way to Weight a Questionnaire


The following is an example of how to calculate the weight of questionnaire responses:

  1. Add a 1 in the Weight box for the question itself. This applies to every question in your survey.
  2. If it is a multiple choice question, enter a number for each option in the Multiplier box starting with 1 for the lowest risk and continuing consecutively. The highest number represents the most risk.
  3. Rate the highest risk answer, which is Non-Existent Capability in the example, with a multiplier of 6.
  4. Rate the lowest risk answer, which is World-class program in the example, with a multiplier of 1.



  5. Once all questions are weighted and multipliers added, return to the main panel by clicking the right scrollbar, then clicking a question again.
  6. In the right-hand panel, ZenGRC automatically calculates Min score and Max score numbers by using the weights and multipliers on each question. Calculations are completed as follows:
    1. Min score = Question weight x lowest multiplier. (1 x 1 = 1). Then total all questions.
    2. Max score = Question weight x highest multiplier. (1 x 6 = 6). Then total all questions.



  7. The Mid Risk Threshold box contains the number where the risk goes from low to medium risk. This is determined by you and can be calculated as follows:
    1. The threshold needs to be greater than the Min score box, which means the number in the Mid Risk Threshold should be 16 or higher in the example. When the calculated questionnaire responses reach this number, the responses are moved from low to medium risk.
  8. The High Risk Threshold box contains the number where the risk goes from medium to high risk. This is determined by you and can be calculated as follows:
    • Max score - Min score. (90 - 15 = 75)
    • Divide that by two. (75 / 2 = 37.5)
    • Add the Min score. (37.5 + 15 = 52.5)
    • The High Risk Threshold must be greater than 52.5.


Second Way to Weight a Questionnaire


This example only adds weight to the most important radio button and checkbox questions and leaves all others with a 0 weight.

Some decisions must be made up front so the questionnaire can discover risky business practices or immature security policies. The following shows how the calculation works:


  • Determine a range of weights to apply to answers that would negatively impact your organization's overall risk.
    • For example, use the range of 1-10 with 1 being the least impact and 10 being the most impact.  
    • Assign a weight of 1 to an answer that minimally impacts risk. Assign a weight of 10 for an answer with the greatest impact on risk.
  • Add a 1 in the Weight box. This is for the question itself and applies to radio buttons and checkboxes.
  • If it is a multiple choice question, enter a number for each option in the Multiplier box starting with 1 for the lowest risk and continuing consecutively. The highest number represents the most risk.
  • Rate the highest risk answer, which is Non-Existent Capability in the example, with a multiplier of 6.
  • Rate the lowest risk answer, which is World-class program in the example, with a multiplier of 1.
  • Risk score for an individual question = weight x multiplier. Thus, for Yes/No or True/False questions, assign multipliers of 0 or 1. Multiplying the weight by 0 applies no weight, meaning this answer indicates no risk to your organization. Multiplying the weight by 1 applies the full weight, meaning this answer indicates risk to your organization.
    • For example, Question C.1 - Is your organization SOC 2 compliant? (Assigned weight is 10, meaning that the answer to this question has the greatest impact on risk to my organization.)
    • Option 1: Yes (Multiplier = 0. Thus, weight of 10 x multiplier of 0 = risk score of 0, meaning that by being SOC 2 compliant, no risk is identified.)
    • Option 2: No (Multiplier = 1. Thus, weight of 10 x multiplier of 1 = risk score of 10, meaning that by not being SOC 2 compliant, great risk is identified.)
  • Multipliers may also be used to assess maturity, while keeping the pre-determined weight impact range in mind.
    • For example, Question D.1 - How would you characterize your organization's overall information security program? (Weight = 5)
    • Option 1: Non-existent. No defined information security program. (Multiplier = 2. Thus, weight of 5 x multiplier of 2 = risk score of 10, meaning that great risk is identified.)
    • Option 2: Ad-hoc. Some documented processes to capture infosec compliance. (Multiplier = 1. Thus, weight of 5 x multiplier of 1 = risk score of 5, meaning that some risk is identified.)
    • Option 3: World class. Compliant with numerous infosec frameworks. (Multiplier = 0. Thus, weight of 5 x multiplier of 0 = risk score of 0, meaning that no risk is identified.)


  • Once all questions are weighted and multipliers added, return to the main panel by clicking the right scrollbar, then clicking a question again.
  • In the right-hand weighting panel, ZenGRC automatically calculates the Min score and Max score text boxes from the weights and multipliers on each question (the sum of the individual questions' risk scores). Use these two numbers to assist in designating the Mid and High Risk Thresholds.
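The scoring described in both weighting methods above (risk score = weight x multiplier per answer, Min/Max score totalled over all questions, thresholds chosen above the Min score and above the midpoint) is reproduced here as an added example; this is illustrative code, not ZenGRC's own implementation. The question sets are constructed to mirror the page's examples: fifteen weight-1 maturity questions for the first method (the intermediate option labels are placeholders), and questions C.1 and D.1 for the second.

```python
"""Questionnaire weighting: risk score = weight x multiplier, totalled (constructed example)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    text: str
    weight: int
    multipliers: dict  # answer option -> multiplier


def score_range(questions):
    """Min score / Max score: weight x lowest (highest) multiplier, totalled over all questions."""
    lo = sum(q.weight * min(q.multipliers.values()) for q in questions)
    hi = sum(q.weight * max(q.multipliers.values()) for q in questions)
    return lo, hi


def suggested_thresholds(lo, hi):
    """Smallest whole numbers satisfying the page's rules:
    Mid Risk Threshold > Min score; High Risk Threshold > Min + (Max - Min) / 2."""
    mid = lo + 1
    high = math.floor(lo + (hi - lo) / 2) + 1
    return mid, high


def score_responses(questions, answers):
    """Risk score of one submitted response set: sum of weight x chosen option's multiplier."""
    return sum(q.weight * q.multipliers[answers[q.text]] for q in questions)


def classify(score, mid, high):
    """Reaching a threshold moves the response into the next risk band."""
    if score >= high:
        return "high"
    if score >= mid:
        return "medium"
    return "low"


# First method: 15 questions, weight 1, multipliers 1..6 (placeholder labels for the middle options).
MATURITY = {"World-class program": 1, "Level 2": 2, "Level 3": 3,
            "Level 4": 4, "Level 5": 5, "Non-Existent Capability": 6}
FIRST_WAY = [Question(f"Q{i}", 1, MATURITY) for i in range(1, 16)]

# Second method: only the two example questions carry weight.
SECOND_WAY = [
    Question("C.1 SOC 2 compliant?", 10, {"Yes": 0, "No": 1}),
    Question("D.1 Infosec program?", 5, {"Non-existent": 2, "Ad-hoc": 1, "World class": 0}),
]
```

For the first method this yields Min 15, Max 90 and suggested thresholds of 16 and 53, matching the worked numbers above.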
