Multiplier on Preventative/Mitigative Risk Controls
Sometimes a mitigative control will not be as effectiveness as a preventative control (even though they are assigned the same Control Effectiveness). With the implementation of multiplier on Preventative/Mitigative Risk Controls, users can now set the weighting on those Risk Controls, i.e. making Mitigative Risk Control less important by reducing the multiplier to less than 1.
Solution: Preventative/Mitigative Control Multiplier
Navigate to the Configuration Editor, Register Policies > Controls and you will find two new options:
In this example, the multiplier for Mitigative Risk Control has been changed to 0.5. Applying this change will yield the Mitigative Risk Controls to have half the effectiveness as the Preventative Risk Controls (technically speaking, this is not true as this multiplier is a linear function and the effectiveness is based on logarithmic value).
After the recalculation, as the multiplier for Preventative Risk Control has not changed, the control effectiveness will still be the same. For the example below, the control effectiveness of “Medium” has a 1 order of risk reduction, changing the likelihood from “Likely” to “Possible” and this is a Preventative Risk Control.
With the same control effectiveness of “Medium”, however the incoming and outgoing likelihood for the Mitigative Risk Control are still the same, as there is a multiplier of 0.5 in the calculation.
This feature moves one step closer to having a valuable heuristic for the calculation of a control’s effectiveness based on its known parameters.