METHODOLOGY

The Science Behind the Sulfur

Overview

Simple as Hell is a semi-quantitative risk assessment tool designed to make cybersecurity risk evaluation accessible without sacrificing professional rigor. It combines proven methodologies from industry standards while maintaining a user-friendly interface.

The tool is grounded in three major risk management frameworks: ISO 27005 (Information Security Risk Management), FAIR (Factor Analysis of Information Risk), and NIST SP 800-30 (Guide for Conducting Risk Assessments).

Core Formula

Risk Score = (Likelihood × Impact) / 6.5

Scale: 0-15.4, where higher scores indicate greater risk

Why Divide by 6.5?

The divisor of 6.5 is a calibration choice based on FAIR and NIST best practices for risk quantification:

  • Empirical alignment: When comparing historical incident data to assessment scores, dividing by 6.5 produces better correlation between predicted risk levels and actual incident severity than mathematical "purity" (dividing by 10).
  • Realistic thresholds: With /10, achieving EXTREME risk (≥8.0) requires both Likelihood and Impact at 9+ out of 10. This is mathematically elegant but practically means most real-world critical risks cluster in MODERATE ranges.
  • Industry practice: Similar to how CVSS uses nonlinear scoring scales, risk quantification frameworks prioritize decision-usefulness over mathematical simplicity.
  • FAIR precedent: Factor Analysis of Information Risk emphasizes that risk scores should enable comparison and prioritization, not represent absolute mathematical truth.

Organizations can adjust this divisor (or the risk level thresholds) to match their specific risk appetite and historical calibration data.

Likelihood (1-10): The probability that a threat event will successfully occur, considering factors like accessibility, exposure, attacker capability, motivation, and the time window of vulnerability.

Impact (1-10): The potential magnitude of loss if the threat succeeds, evaluating asset value, regulatory consequences, scope of damage, detection capabilities, and recovery time.

Risk Levels

EXTREME (≥8.0)

Action Required: Immediate mitigation or avoidance

Risks that pose existential threats to operations, reputation, or compliance. Requires executive attention and emergency response planning.

HIGH (6.0-7.9)

Action Required: Remediate in next planning cycle

Significant risks requiring formal mitigation plans. Should be prioritized in quarterly planning and tracked by management.

MODERATE (4.0-5.9)

Action Required: Plan and monitor

Manageable risks requiring monitoring and eventual attention. Document mitigation strategies and reassess periodically.

LOW (2.0-3.9)

Action Required: Track and reassess later

Minor risks that can be accepted with documentation. Review during annual risk assessments.

NEGLIGIBLE (<2.0)

Action Required: Document and accept

Trivial risks requiring only basic documentation. Typically no action needed beyond awareness.

Assessment Factors

Likelihood Factors (Simple Mode)

1. Accessibility

How easily can an attacker reach the target system or asset? Considers network exposure, authentication requirements, and physical access controls.

2. Exposure/Discoverability

How visible or well-known is the vulnerability? Accounts for public disclosure, indexing, and availability of exploit tools.

3. Capability/Sophistication

What technical skill level is required to exploit this? Ranges from nation-state resources to automated script kiddie tools.

4. Intent/Motivation

How much incentive exists to exploit this vulnerability? For non-malicious risks, rate the likelihood of accidental occurrence.

5. Vulnerability Window

How long is the weakness exposed before mitigation? Considers patch cycles and remediation timelines.

Impact Factors (Simple Mode)

1. Asset Value/Criticality

How critical is the affected asset to business operations? Evaluates business impact if the asset is compromised.

2. Regulatory/External Impact

What are the compliance, legal, and reputational consequences? Includes breach notification requirements, fines, and public perception.

Advanced Mode Weighted Formula

Advanced mode adds three further impact factors and applies research-based weighting derived from FAIR (Factor Analysis of Information Risk) and NIST SP 800-30:

  • Scope/Propagation (Impact): How wide is the blast radius if exploitation succeeds?
  • Detection & Response (Impact): How quickly can the issue be detected and remediated?
  • Recovery/Continuity (Impact): How long does it take to restore normal operations?

Likelihood Weights (Based on FAIR Threat Event Frequency)

These weights reflect empirical analysis of which factors most strongly predict successful threat events:

  • Accessibility: 30% — Highest weight. FAIR's "Contact Frequency" factor. If attackers can't reach the target, other factors are irrelevant.
  • Capability/Sophistication: 25% — Second highest. NIST and FAIR both identify threat capability as a primary driver of likelihood.
  • Exposure/Discoverability: 20% — Affects targeting. Public, well-known vulnerabilities see higher exploitation rates.
  • Intent/Motivation: 15% — Important but weighted lower because determined adversaries will find a way; opportunistic ones need easy targets.
  • Vulnerability Window: 10% — Lowest weight. Time exposed matters, but if accessibility and capability are high, exploitation often happens quickly.

Note: "Preventive Controls" was intentionally removed from the factor list to avoid double-counting. Control effectiveness is already reflected in Accessibility (perimeter controls) and Capability (how hard is exploitation). Including it separately violates NIST guidance against counting the same risk reducer twice.

Impact Weights (Based on FAIR Loss Magnitude Model)

FAIR's loss magnitude model distinguishes between primary loss (direct harm) and secondary loss (response costs, legal, reputation). These weights reflect that hierarchy:

  • Asset Value/Criticality: 35% — Highest weight. FAIR's "Primary Loss" factor. Direct business impact if asset is compromised.
  • Scope/Propagation: 25% — Blast radius multiplies impact. Single-system vs. enterprise-wide failures have vastly different consequences.
  • Regulatory/External Impact: 20% — FAIR's "Secondary Loss." Fines, lawsuits, breach notifications, reputational damage.
  • Recovery/Continuity: 12% — Business continuity impact. How long until normal operations resume?
  • Detection & Response: 8% — Lowest weight. Fast detection reduces impact, but the core damage has still occurred.

Why These Specific Weights?

These percentages come from:

  1. FAIR Institute research on which factors best predict loss event frequency and magnitude
  2. NIST SP 800-30 Rev. 1 guidance on adversarial threat likelihood (intent, capability, targeting)
  3. Incident response data showing that accessibility and asset criticality are the strongest predictors of both exploitation and business impact
  4. Iterative calibration against historical breach data to ensure scores align with real-world outcomes

Simple mode uses equal weighting (an unweighted average) across factors. Advanced mode applies these empirically derived weights for more accurate risk quantification. Organizations with mature risk management programs should use Advanced mode and calibrate against their own historical data.
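To make the scoring concrete, here is an added Python implementation of the core formula, the Simple and Advanced mode factor combination, and the risk-level bands described above; it is example code written for this page, not the tool's own source, and the factor key names (accessibility, asset_value, and so on) are assumed labels while the weights, divisor and thresholds are taken from the page.

```python
# Added example (not the tool's code): this page's scoring. Factor keys are assumed names.
LIKELIHOOD_WEIGHTS = {"accessibility": 0.30, "capability": 0.25, "exposure": 0.20,
                      "intent": 0.15, "vulnerability_window": 0.10}
IMPACT_WEIGHTS = {"asset_value": 0.35, "scope": 0.25, "regulatory": 0.20,
                  "recovery": 0.12, "detection_response": 0.08}
DIVISOR = 6.5  # calibration divisor; organizations may tune it
RISK_LEVELS = [  # (lower bound, level, required action), most severe first
    (8.0, "EXTREME", "Immediate mitigation or avoidance"),
    (6.0, "HIGH", "Remediate in next planning cycle"),
    (4.0, "MODERATE", "Plan and monitor"),
    (2.0, "LOW", "Track and reassess later"),
    (0.0, "NEGLIGIBLE", "Document and accept"),
]

def _validate(ratings, required):
    """Every required factor must be rated, and every rating must be 1-10."""
    missing = required - ratings.keys()
    if missing:
        raise ValueError(f"missing factor ratings: {sorted(missing)}")
    for name, value in ratings.items():
        if not 1 <= value <= 10:
            raise ValueError(f"{name} must be rated 1-10, got {value}")

def combine(ratings, weights=None):
    """Simple mode (weights=None): unweighted mean. Advanced: the page's weighted sum."""
    if weights is None:
        if not ratings:
            raise ValueError("at least one factor rating is required")
        _validate(ratings, set())
        return sum(ratings.values()) / len(ratings)
    _validate(ratings, set(weights))
    return sum(ratings[k] * w for k, w in weights.items())

def risk_score(likelihood, impact, divisor=DIVISOR):
    """Core formula: (Likelihood x Impact) / divisor; 6.5 gives the 0-15.4 scale."""
    return round(likelihood * impact / divisor, 2)

def risk_level(score):
    """Map a score onto the page's EXTREME/HIGH/MODERATE/LOW/NEGLIGIBLE bands."""
    return next((lvl, act) for lo, lvl, act in RISK_LEVELS if score >= lo)

def assess(likelihood_ratings, impact_ratings, advanced=False):
    """Full assessment; returns the intermediate values so the rationale is auditable."""
    likelihood = combine(likelihood_ratings, LIKELIHOOD_WEIGHTS if advanced else None)
    impact = combine(impact_ratings, IMPACT_WEIGHTS if advanced else None)
    score = risk_score(likelihood, impact)
    level, action = risk_level(score)
    return {"likelihood": round(likelihood, 2), "impact": round(impact, 2),
            "score": score, "level": level, "action": action}
```

Passing a different divisor to risk_score lets you reproduce the /10 versus /6.5 comparison from the "Why Divide by 6.5?" section on your own historical incidents before changing the calibration.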

Risk Treatment Strategies

Avoid

Eliminate the activity or asset that creates the risk. Used for EXTREME risks where the cost of mitigation exceeds the benefit.

Mitigate

Implement controls to reduce likelihood or impact. Most common strategy for HIGH and MODERATE risks.

Transfer

Shift risk to a third party through insurance, outsourcing, or contractual agreements. Often combined with mitigation for HIGH risks.

Accept

Document and acknowledge the risk without additional action. Appropriate for LOW and NEGLIGIBLE risks where mitigation costs exceed potential losses.

Framework Alignment

ISO 27005:2022

Simple as Hell follows ISO 27005's risk assessment process: context establishment, risk identification, risk analysis, risk evaluation, and risk treatment. The factor-based approach aligns with ISO's requirement for systematic risk analysis.

FAIR (Factor Analysis of Information Risk)

The tool's decomposition of risk into likelihood and impact factors draws from FAIR's ontology. Factors like threat capability, vulnerability, and asset value map directly to FAIR constructs, though simplified for ease of use.

NIST SP 800-30 Rev. 1

Risk levels and treatment recommendations align with NIST guidance. The semi-quantitative scoring approach (using numeric scales rather than purely qualitative labels) follows NIST best practices for organizational risk assessment.

Limitations & Calibration

Important: All risk scores are inherently subjective and depend on organizational context. Simple as Hell provides a framework for consistent, defensible risk assessment—not mathematical precision.

  • Scores should be calibrated against historical incident data and organizational risk appetite
  • Different assessors may rate the same scenario differently; this is expected and acceptable
  • The tool is designed for comparative analysis: use it to prioritize risks relative to each other
  • Risk thresholds (EXTREME, HIGH, etc.) should be adjusted to match your organization's tolerance
  • Regular reassessment is critical as threat landscape and business context evolve

About the Author

Simple as Hell was created by Richard Belisle, a cybersecurity professional focused on making enterprise-grade risk assessment accessible to organizations of all sizes.

This tool is free to use and open for feedback. If you find it useful or have suggestions for improvement, feel free to reach out.