How the Risk Model Works

Updated by Gillian Langor

Overview

VISO TRUST evaluates third-party security risk using a model grounded in widely accepted industry practices. Our goal is to give you a transparent, consistent, and actionable understanding of both the inherent and residual risk your vendors introduce to your organization.

This article introduces the key concepts behind the model and what they mean for your assessments.

The Foundation

At the highest level, VISO TRUST calculates risk using an industry standard formula:

INHERENT RISK = IMPACT x LIKELIHOOD

Everything in our model flows from these two concepts. Let's break it down:

1. Impact: How Sensitive Is the Data?

Impact represents the severity of consequences if a vendor’s system or process were compromised.

VISO TRUST models impact using Data Sensitivity, based on the types of data your vendor handles. A few important notes:

  • Data Sensitivity is ultimately a numeric value between 0 and 1.
  • The maximum sensitivity of the data shared drives the impact score.
  • Today, these sensitivities are displayed using labels like “Low,” “Medium,” and “High.”
    We recognize that these labels can be confused with the final risk rating, but they are not the same thing as the output risk. We are improving this in an upcoming update.

Data Sensitivity answers the question:

“If a breach occurred, how bad could it be?”

2. Likelihood: How Likely Is an Incident? (the Threat Surface)

Likelihood models the probability that a security incident could occur.

In VISO TRUST, likelihood is driven by Threat Surface—factors related to how the vendor integrates with you, what systems they touch, how they host or process your data, and other contextual indicators.

Threat Surface is determined primarily through answers to your intake questions (formerly called “business cases”), such as:

  • Does the vendor store customer data?
  • Does the vendor have privileged access?
  • Does the vendor operate a production environment?

These inputs help estimate how exposed the relationship is, again on a scale from 0 to 1.

Threat Surface answers:

“How likely is something to go wrong?”

Risk Before and After Controls

Every vendor receives two scores:

Inherent Risk

Risk before considering any security controls or protections the vendor has in place.

Residual Risk

Risk after accounting for the effectiveness of the vendor’s security controls.

Security controls allow us to measure how much risk reduction the vendor provides. Stronger, more effective controls translate to lower residual risk.

By default, VISO TRUST uses the Security control set for both calculations: the Security controls that your intake questions bring into scope define the threat surface behind inherent risk, and their assessed effectiveness drives residual risk. Additional control domains (e.g., privacy, compliance) can be incorporated using custom frameworks if your program requires more advanced modeling.

Control Mapping: How Threat Surface is determined

The set of controls that apply to an assessment is determined exclusively by your intake questions. Each control gets a weight from 0 to 4, which models the relative importance of that control within the overall framework.

  • Intake questions = define the controls in scope, i.e. the Threat Surface (aka "likelihood")
  • Data types = determine maximum data sensitivity (aka "impact")

This separation ensures that impact, likelihood, and control strength are evaluated independently and consistently.

Below is the mapping of which control domains come into scope for each intake question (formerly "business case"):

  • Data Storage: Personnel Security, Endpoint Security, Physical Security, Subservicers
  • Data Transfer: Secure Data Disposal, Multi-factor Remote Access, Personnel Security, Encrypted Communication Over Public Networks (in transit), Service Locations, Encryption of Customer Data (at rest), Information Security Incident Management Program, Third Party Management Program, Vulnerability Management Program, Penetration Testing, Security Awareness Training, Endpoint Security, Cyber Insurance, Data Subject Rights, Choice and Consent, Notification/Transparency Requirements, International Data Transfer Restrictions, Access Management Program, Physical Security, Data Processing Requirements, Privacy Risk and Governance Requirements, Privacy Awareness Training, Resilience, Subservicers, Sub-Processor Management, Transparency, Secure and Robust, Data Quality, Privacy Compliance, Fair and Unbiased, Accuracy
  • Network Connection: Multi-factor Remote Access, Personnel Security, Encrypted Communication Over Public Networks (in transit), Service Locations, Information Security Incident Management Program, Third Party Management Program, Vulnerability Management Program, Penetration Testing, Security Awareness Training, Endpoint Security, Access Management Program, Physical Security, Subservicers
  • Personnel Data Access: Personnel Security, Security Awareness Training, Privacy Awareness Training, Subservicers
  • Physical Access: Personnel Security, Subservicers
  • Software/Hardware Supplier: Multi-factor Remote Access, Personnel Security, Encrypted Communication Over Public Networks (in transit), Service Locations, Information Security Incident Management Program, Third Party Management Program, Vulnerability Management Program, Penetration Testing, Security Awareness Training, Endpoint Security, Access Management Program, Secure Development Lifecycle, Physical Security, Product Security, Subservicers, Transparency, Secure and Robust, Data Quality, Privacy Compliance, Fair and Unbiased, Accuracy
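The following is an added worked example, not VISO TRUST code, that wires together the formula from "The Foundation" and the control mapping above into one runnable pipeline: intake answers select controls into scope, data types give the impact, INHERENT RISK = IMPACT x LIKELIHOOD, and residual risk is what remains after control effectiveness. The page does not say how threat surface or residual risk are actually computed from the weighted controls, so the two formulas used here (threat surface as the weighted share of the framework in scope; residual as a linear reduction by weighted effectiveness) are assumptions, as are the sensitivity values, the control weights, and the sample vendor's answers and evidence. Only four rows of the mapping table are included to keep the example short.

```python
"""Toy model of the risk-model structure described on this page (added example).

The page fixes the shape: impact = max data sensitivity (0..1), likelihood =
threat surface from the controls brought into scope by intake questions (0..1),
INHERENT = IMPACT x LIKELIHOOD, RESIDUAL = inherent reduced by control
effectiveness, controls weighted 0-4. The threat-surface and residual formulas
below are ASSUMPTIONS; sensitivities, weights and vendor data are constructed.
"""
from __future__ import annotations

# Assumed sensitivities; the page only says the maximum drives impact.
DATA_SENSITIVITY: dict[str, float] = {
    "public marketing content": 0.1,
    "business contact info": 0.4,
    "customer PII": 0.8,
    "payment card data": 1.0,
}

# Four rows of the page's intake-question -> control-domain mapping.
INTAKE_CONTROLS: dict[str, list[str]] = {
    "Data Storage": ["Personnel Security", "Endpoint Security",
                     "Physical Security", "Subservicers"],
    "Network Connection": [
        "Multi-factor Remote Access", "Personnel Security",
        "Encrypted Communication Over Public Networks (in transit)",
        "Service Locations", "Information Security Incident Management Program",
        "Third Party Management Program", "Vulnerability Management Program",
        "Penetration Testing", "Security Awareness Training", "Endpoint Security",
        "Access Management Program", "Physical Security", "Subservicers"],
    "Personnel Data Access": ["Personnel Security", "Security Awareness Training",
                              "Privacy Awareness Training", "Subservicers"],
    "Physical Access": ["Personnel Security", "Subservicers"],
}

# Control weights 0-4 = relative importance in the framework (assumed values).
CONTROL_WEIGHT: dict[str, int] = {
    "Personnel Security": 3, "Endpoint Security": 3, "Physical Security": 2,
    "Subservicers": 2, "Security Awareness Training": 2,
    "Privacy Awareness Training": 1, "Multi-factor Remote Access": 4,
    "Encrypted Communication Over Public Networks (in transit)": 4,
    "Service Locations": 1, "Information Security Incident Management Program": 3,
    "Third Party Management Program": 2, "Vulnerability Management Program": 4,
    "Penetration Testing": 3, "Access Management Program": 4,
}


def controls_in_scope(intake_answers: dict[str, bool]) -> set[str]:
    """Union of the control domains mapped to every intake question answered yes."""
    scope: set[str] = set()
    for question, answered_yes in intake_answers.items():
        if answered_yes:
            scope.update(INTAKE_CONTROLS[question])
    return scope


def impact(data_types: list[str]) -> float:
    """Impact = maximum sensitivity of the data shared (0 if nothing is shared)."""
    return max((DATA_SENSITIVITY[d] for d in data_types), default=0.0)


def threat_surface(scope: set[str]) -> float:
    """Likelihood proxy. ASSUMPTION: share of total framework weight that is in scope."""
    total = sum(CONTROL_WEIGHT.values())
    return sum(CONTROL_WEIGHT[c] for c in scope) / total


def control_effectiveness(scope: set[str], results: dict[str, float]) -> float:
    """Weight-averaged effectiveness (0..1) over in-scope controls only.

    ASSUMPTION: a control with no evidence counts as 0. Out-of-scope controls are
    ignored, so extra evidence about them cannot lower residual risk.
    """
    if not scope:
        return 0.0
    for control, value in results.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"effectiveness for {control!r} must be in [0, 1]")
    weight_in_scope = sum(CONTROL_WEIGHT[c] for c in scope)
    covered = sum(CONTROL_WEIGHT[c] * results.get(c, 0.0) for c in scope)
    return covered / weight_in_scope


def assess(intake_answers: dict[str, bool], data_types: list[str],
           results: dict[str, float]) -> dict[str, float]:
    """Full pipeline: scope -> impact, likelihood -> inherent -> residual."""
    scope = controls_in_scope(intake_answers)
    imp, like = impact(data_types), threat_surface(scope)
    inherent = imp * like                    # INHERENT RISK = IMPACT x LIKELIHOOD
    eff = control_effectiveness(scope, results)
    residual = inherent * (1.0 - eff)        # ASSUMPTION: linear reduction by effectiveness
    return {"impact": imp, "likelihood": like, "inherent": inherent,
            "effectiveness": eff, "residual": residual}


if __name__ == "__main__":
    # Constructed vendor: stores customer data and its staff access personnel
    # data; no network connection or physical access. Pen-test evidence is out of scope.
    answers = {"Data Storage": True, "Personnel Data Access": True,
               "Network Connection": False, "Physical Access": False}
    evidence = {"Personnel Security": 1.0, "Endpoint Security": 0.5,
                "Physical Security": 1.0, "Subservicers": 0.0,
                "Security Awareness Training": 1.0, "Penetration Testing": 1.0}
    for name, value in assess(answers, ["business contact info", "customer PII"], evidence).items():
        print(f"{name:13s} {value:.3f}")
```

Two properties worth checking when you build anything like this: the maximum (not the sum or average) of data sensitivities sets impact, so adding a low-sensitivity data type never changes the score; and evidence for controls that the intake questions did not bring into scope has no effect, which is what keeps impact, likelihood and control strength independent as the page describes.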

Summary

VISO TRUST’s risk model is designed to be clear, defensible, and aligned with industry standards:

  • Impact = how bad an incident would be
  • Likelihood = how probable it is
  • Inherent Risk = before controls
  • Residual Risk = after controls
  • Intake questions drive controls in scope
  • Data types drive impact
  • Control presence reduces risk
