Overview


When a questionnaire is created to discover risky business practices or immature security policies, you can "weight" responses so that risk is calculated automatically when the response is returned. Potential risks are then placed into one of three categories (low, medium or high) depending on the "weight", or number, given to an answer. The higher the number, the higher the calculated risk.

Weighting a Questionnaire


We recommend keeping weighting simple. Because ZenGRC calculates certain numbers for you, it is best to finish weighting all questions before calculating thresholds.

IMPORTANT

Questionnaire weighting can be done in any manner your organization chooses. This section documents two ways to weight in order to show how the functionality works.

Turning on Weighted


To make a questionnaire weighted, complete the following steps:

  1. Click the Weighted toggle. Green indicates weighting is on.

    TIP

    Sometimes the right-hand panel to weight a survey is difficult to display. If a question is highlighted, click away from the questionnaire, such as in the scroll bar, then select a question again.


First Way to Weight a Questionnaire


This example rates all questions a 1, with incremental multipliers differentiating the riskiest responses.

The following is an example of how to calculate the weight of questionnaire responses:

  1. Enter a 1 in the Weight box for the question itself. Do this for every question in your survey.
  2. For multiple choice questions, enter a number for each option in the Multiplier box, starting with 1 for the lowest risk and continuing consecutively. The highest number represents the most risk, as follows:
    1. The highest-risk answer, which is Non-Existent Capability in the example, receives a multiplier of 6 (question weight of 1 x multiplier of 6 = risk score of 6). This means great risk is identified.
    2. The lowest-risk answer, which is World-class program in the example, receives a multiplier of 1 (question weight of 1 x multiplier of 1 = risk score of 1). This means low risk is identified.



  3. Once all questions are weighted and multipliers added, you can establish the mid and high risk thresholds.

Second Way to Weight a Questionnaire


This example adds weight only to the most important radio button and checkbox questions and leaves all others at a weight of 0, because responses to those other questions need to be evaluated by your organization to decide the risk.

The following is an example of how to calculate the weight of questionnaire responses:

  1. Enter a number between 1 and 10 in the Weight box, with 1 being the least impact and 10 being the most impact. This is for the question itself and applies only to radio buttons and checkboxes. For the individual answers, review the following:
    1. For each multiple choice option, enter a number in the Multiplier box, starting with 1 for the lowest risk and continuing consecutively. The highest number represents the most risk, as follows:
      1. The highest-risk answer, which is Non-Existent. No defined information security program in the example, receives a multiplier of 2 (question weight of 5 x multiplier of 2 = risk score of 10). This means great risk is identified.
      2. The medium-risk answer, which is Ad-hoc. Some documented processes to capture infosec compliance in the example, receives a multiplier of 1 (question weight of 5 x multiplier of 1 = risk score of 5). This means some risk is identified.
      3. The low-risk answer, which is World class. Compliant with numerous infosec frameworks in the example, receives a multiplier of 0 (question weight of 5 x multiplier of 0 = risk score of 0). This means no risk is identified.



    2. For each Yes/No or True/False question, enter 0 or 1 in the Multiplier box. Multiplying the weight by 0 applies no weight, meaning the answer indicates no risk to your organization. Multiplying the weight by 1 applies the full weight, meaning the answer indicates risk to your organization.
  2. Once all questions are weighted and multipliers added, you can establish the mid and high risk thresholds.

Determining Mid and High Risk Thresholds


No matter which way you weight your questionnaire, the calculation for the mid- and high-risk thresholds is the same. To access and set the thresholds, complete the following steps:

  1. Click away from the highlighted question and then click any question again to display the right-hand panel where thresholds are calculated.
  2. Use the auto-calculated Min score and Max score displayed in the panel to establish the thresholds, which need to be determined by your organization.



  3. In the panel, ZenGRC automatically calculates the Min score and Max score by multiplying the weight and multiplier of each question and adding all questions together. The calculations are as follows:
    1. Individual question weight x lowest multiplier (1 x 1 = 1), summed over all questions = Min score.
    2. Individual question weight x highest multiplier (1 x 6 = 6), summed over all questions = Max score.



  4. The Mid Risk Threshold box contains the number at which the overall risk rating goes from low to medium risk. You decide this number, but it can be derived as follows:
    1. The threshold must be greater than the Min score. Following the example, enter 16 or higher in the Mid Risk Threshold box.
  5. The High Risk Threshold box contains the number at which the overall risk rating goes from medium to high risk. You decide this number, but it can be derived as follows:
    • Max score - Min score. (90 - 15 = 75)
    • Divide that by two. (75 / 2 = 37.5)
    • Add the Min score. (37.5 + 15 = 52.5)
    • The High Risk Threshold must be greater than 52.5.
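The arithmetic above, carried through in code as an added example (not ZenGRC's own code): a constructed 15-question maturity questionnaire weighted the first way reproduces the page's Min score of 15, Max score of 90 and high-threshold floor of 52.5, and a returned response is totalled and bucketed. The same functions cover the second way, since a question weighted 0 or an option with multiplier 0 simply contributes 0; the bucketing rule that a total equal to a threshold falls in the higher bucket is an assumption the page does not state.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed maturity scale: lowest risk gets multiplier 1, highest risk 6.
MATURITY_OPTIONS: Dict[str, int] = {
    "World-class program": 1,
    "Managed and measured": 2,
    "Defined": 3,
    "Repeatable": 4,
    "Ad-hoc": 5,
    "Non-Existent Capability": 6,
}

@dataclass
class Question:
    text: str
    weight: int                 # the question's Weight box
    options: Dict[str, int]     # option label -> that option's Multiplier box

    def score(self, answer: str) -> int:
        return self.weight * self.options[answer]   # weight x multiplier

def score_range(questions: List[Question]) -> Tuple[int, int]:
    """Min score / Max score as the panel computes them: weight x lowest
    (resp. highest) multiplier per question, summed over all questions."""
    lo = sum(q.weight * min(q.options.values()) for q in questions)
    hi = sum(q.weight * max(q.options.values()) for q in questions)
    return lo, hi

def threshold_floors(min_score: int, max_score: int) -> Tuple[float, float]:
    """Values the two thresholds must exceed: Mid > Min score, and
    High > Min score + (Max score - Min score) / 2  (15 + 75 / 2 = 52.5)."""
    return min_score, min_score + (max_score - min_score) / 2

def rate_response(questions: List[Question], answers: Dict[str, str],
                  mid_threshold: float, high_threshold: float) -> Tuple[int, str]:
    """Total a returned questionnaire and bucket it. Assumption: a total equal
    to a threshold already falls in the higher bucket."""
    total = sum(q.score(answers[q.text]) for q in questions)
    level = "high" if total >= high_threshold else "medium" if total >= mid_threshold else "low"
    return total, level

# Constructed questionnaire: 15 questions, every one weighted 1 (the first way).
QUESTIONS = [Question(f"Domain {i} maturity", 1, MATURITY_OPTIONS) for i in range(1, 16)]

if __name__ == "__main__":
    lo, hi = score_range(QUESTIONS)                    # (15, 90)
    print("floors:", threshold_floors(lo, hi))         # (15, 52.5)
    answers = {q.text: "Ad-hoc" for q in QUESTIONS}    # constructed response: 15 x (1 x 5)
    print(rate_response(QUESTIONS, answers, 16, 53))   # thresholds chosen above the floors
```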
