METHODOLOGY

The Science Behind the Sulfur

Overview

Simple as Hell is a semi-quantitative risk assessment tool designed to make cybersecurity risk evaluation accessible without sacrificing professional rigor. It combines proven methodologies from industry standards while maintaining a user-friendly interface.

The tool is grounded in three major risk management frameworks: ISO 27005 (Information Security Risk Management), FAIR (Factor Analysis of Information Risk), and NIST SP 800-30 (Guide for Conducting Risk Assessments).

Core Formula

Risk Score = (Likelihood × Impact) / 6.5

Scale: 0-10.0 (capped), where higher scores indicate greater risk

Why Divide by 6.5?

The divisor of 6.5 is a calibration choice based on FAIR and NIST best practices for risk quantification:

  • Empirical alignment: When comparing historical incident data to assessment scores, dividing by 6.5 produces better correlation between predicted risk levels and actual incident severity than mathematical "purity" (dividing by 10).
  • Realistic thresholds: With /10, achieving EXTREME risk (≥8.0) requires both Likelihood and Impact at 9+ out of 10. This is mathematically elegant but practically means most real-world critical risks cluster in MODERATE ranges.
  • Industry practice: Similar to how CVSS uses nonlinear scoring scales, risk quantification frameworks prioritize decision-usefulness over mathematical simplicity.
  • FAIR precedent: Factor Analysis of Information Risk emphasizes that risk scores should enable comparison and prioritization, not represent absolute mathematical truth.

Organizations can adjust this divisor (or the risk level thresholds) to match their specific risk appetite and historical calibration data.

Likelihood (1-10): The probability that a threat event will successfully occur, considering factors like accessibility, exposure, attacker capability, motivation, and the time window of vulnerability.

Impact (1-10): The potential magnitude of loss if the threat succeeds, evaluating asset value, regulatory consequences, scope of damage, detection capabilities, and recovery time.

Risk Levels

EXTREME (≥8.0)

Action Required: Immediate mitigation or avoidance — escalate to executive/board level

Risks that pose existential threats to operations, reputation, or compliance. Requires executive attention, emergency response planning, and board-level visibility.

HIGH (6.0-7.9)

Action Required: Remediate within 30 days or next planning cycle

Significant risks requiring formal mitigation plans. Should be prioritized in quarterly planning and tracked by management with a 30-day remediation target.

MODERATE (4.0-5.9)

Action Required: Plan and monitor — requires documented risk acceptance from asset owner

Manageable risks requiring monitoring and eventual attention. Per ISO 27005, MODERATE and above risks require formal documented risk acceptance signed by the asset owner before they can be accepted.

LOW (2.0-3.9)

Action Required: Track and reassess later

Minor risks that can be accepted with documentation. Review during annual risk assessments.

NEGLIGIBLE (<2.0)

Action Required: Document and accept

Trivial risks requiring only basic documentation. Typically no action needed beyond awareness.

Assessment Factors

Likelihood Factors (Simple Mode)

1. Accessibility

How easily can an attacker reach the target system or asset? Considers network exposure, authentication requirements, and physical access controls.

2. Exposure/Discoverability

How visible or well-known is the vulnerability? Accounts for public disclosure, indexing, and availability of exploit tools.

3. Capability vs Controls

What technical skill level is required to exploit this, weighed against existing control effectiveness? Considers attacker sophistication (nation-state to script kiddie) relative to deployed defenses (EDR, hardening, patching). This captures FAIR's Vulnerability concept — the comparison of Threat Capability against Control Strength — without requiring a separate factor that would risk double-counting.

4. Intent/Motivation

How much incentive exists to exploit this vulnerability? For non-malicious risks, rate the likelihood of accidental occurrence.

5. Vulnerability Window

How long is the weakness exposed before mitigation? Considers patch cycles and remediation timelines.

Impact Factors (Simple Mode)

1. Asset Value/Criticality

How critical is the affected asset to business operations? Evaluates business impact if the asset is compromised.

2. Regulatory/External Impact

What are the compliance, legal, and reputational consequences? Includes breach notification requirements, fines, and public perception.

Advanced Mode Weighted Formula

Advanced mode adds three additional factors and applies research-based weighting derived from FAIR (Factor Analysis of Information Risk) and NIST SP 800-30:

  • Scope/Propagation (Impact): How wide is the blast radius if exploitation succeeds?
  • Detection & Response (Impact): How quickly can the issue be detected and remediated?
  • Recovery/Continuity (Impact): How long does it take to restore normal operations?

Likelihood Weights (Based on FAIR Threat Event Frequency)

These weights reflect empirical analysis of which factors most strongly predict successful threat events:

  • Accessibility: 30% — Highest weight. FAIR's "Contact Frequency" factor. If attackers can't reach the target, other factors are irrelevant. Additionally, Accessibility acts as a minimum-gate: when scored ≤ 2 (air-gapped, heavily restricted), likelihood is capped regardless of other factors. This reflects FAIR's multiplicative relationship — no access means no attack.
  • Intent/Motivation: 20% — Elevated from 15% to 20%. In FAIR, Probability of Action is a top-level multiplier — no intent means no attack. The difference between opportunistic and targeted threats is one of the strongest predictors of threat event frequency.
  • Capability vs Controls: 20% — Reduced from 25% to 20%. Now explicitly captures FAIR's Vulnerability concept: attacker capability weighed against deployed control effectiveness (EDR, hardening, patching). This eliminates the need for a separate "Control Strength" factor.
  • Exposure/Discoverability: 20% — Unchanged. Affects targeting. Public, well-known vulnerabilities see higher exploitation rates.
  • Vulnerability Window: 10% — Lowest weight. Time exposed matters, but if accessibility and capability are high, exploitation often happens quickly.

Note: "Preventive Controls" was intentionally removed as a separate factor. Control effectiveness is captured within "Capability vs Controls" (the comparison of threat capability against deployed defenses) and "Accessibility" (perimeter controls). Including it separately would violate NIST guidance against counting the same risk reducer twice.

Impact Weights (Based on FAIR Loss Magnitude Model)

FAIR's loss magnitude model distinguishes between primary loss (direct harm) and secondary loss (response costs, legal, reputation). These weights reflect that hierarchy:

  • Asset Value/Criticality: 35% — Highest weight. FAIR's "Primary Loss" factor. Direct business impact if asset is compromised.
  • Scope/Propagation: 25% — Blast radius multiplies impact. Single-system vs. enterprise-wide failures have vastly different consequences.
  • Regulatory/External Impact: 20% — FAIR's "Secondary Loss." Fines, lawsuits, breach notifications, reputational damage.
  • Recovery/Continuity: 15% — Increased from 12%. Business continuity and downtime costs are often the #1 cost driver in real incidents, frequently exceeding regulatory fines.
  • Detection & Response: 5% — Reduced from 8%. Detection is primarily a likelihood reducer (catching attacks before impact) rather than a pure impact factor. In NIST's framework, "Detect" sits before "Respond." Weighted lowest because core damage typically occurs before detection. Kept in Impact to capture the dwell-time amplification effect on breach scope.

Why These Specific Weights?

These percentages come from:

  1. FAIR Institute research on which factors best predict loss event frequency and magnitude
  2. NIST SP 800-30 Rev. 1 guidance on adversarial threat likelihood (intent, capability, targeting)
  3. Incident response data showing that accessibility and asset criticality are the strongest predictors of both exploitation and business impact
  4. Iterative calibration against historical breach data to ensure scores align with real-world outcomes

Accessibility Minimum-Gate

FAIR decomposes Threat Event Frequency multiplicatively: TEF = Contact Frequency × Probability of Action. When Contact Frequency (accessibility) approaches zero, the entire likelihood should collapse — an air-gapped system with world-class attackers pointed at it is still unreachable.

However, weighted averages are additive, not multiplicative. Without a gate, scoring Accessibility at 1 with all other factors at 10 would produce a weighted likelihood of 7.3 (HIGH) — a nonsensical result for an unreachable target.

Solution: When Accessibility is scored ≤ 2, likelihood is capped at Accessibility × 1.5, regardless of other factor scores. This preserves the simplicity of weighted averages while enforcing the multiplicative reality that no access means no attack.

Score Capping at 10.0

The /6.5 divisor produces a theoretical maximum of 15.4 (when both Likelihood and Impact are 10). Scores above 10.0 are capped to prevent confusion — the highest risk level is EXTREME (≥8.0), and scores beyond 10 provide no additional decision-making value. The cap ensures the scale remains intuitive while the /6.5 divisor preserves its calibrated alignment with real-world risk distributions.

Simple mode uses equal weighting (unweighted average) across factors. Note that equal weighting systematically under-weights Accessibility and Asset Value, which are empirically the strongest predictors of threat event frequency and loss magnitude respectively. Simple mode is suitable for quick assessments, but Advanced mode should be used for formal risk registers and compliance documentation. Organizations with mature risk management programs should calibrate weights against their own historical incident data.
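The scoring rules laid out above (the core formula, the /6.5 divisor and 10.0 cap, the Advanced-mode weights, the Accessibility minimum-gate, Simple mode's unweighted averages and the risk-level thresholds) fit in a short script. The one below is an added worked example, not the Simple as Hell source code: every number in it comes from this page, while the function names, the factor keys and the air-gapped scenario are constructed for the illustration. Two assumptions are made and marked in the code: the gate is applied in Simple mode as well as Advanced mode, and the divisor is exposed as a parameter so the /10 comparison from "Why Divide by 6.5?" can be reproduced.

```python
"""Worked example of the scoring rules described on this page.

Added illustration, not the Simple as Hell tool's own source code. Divisor,
cap, weights, gate and thresholds are the page's values; function names,
factor keys and the sample scenario are constructed here.
"""

DIVISOR = 6.5           # calibration divisor ("Why Divide by 6.5?")
SCORE_CAP = 10.0        # scores above 10.0 are capped
GATE_THRESHOLD = 2      # Accessibility <= 2 triggers the minimum-gate
GATE_MULTIPLIER = 1.5   # gated likelihood = Accessibility * 1.5

# Advanced-mode weights from the page; each set sums to 1.0.
LIKELIHOOD_WEIGHTS = {
    "accessibility": 0.30,
    "intent": 0.20,
    "capability_vs_controls": 0.20,
    "exposure": 0.20,
    "vulnerability_window": 0.10,
}
IMPACT_WEIGHTS = {
    "asset_value": 0.35,
    "scope": 0.25,
    "regulatory": 0.20,
    "recovery": 0.15,
    "detection_response": 0.05,
}
# Simple mode: five likelihood and two impact factors, equally weighted.
SIMPLE_LIKELIHOOD = list(LIKELIHOOD_WEIGHTS)
SIMPLE_IMPACT = ["asset_value", "regulatory"]

# Risk levels as (inclusive lower bound, label), highest first.
RISK_LEVELS = [(8.0, "EXTREME"), (6.0, "HIGH"), (4.0, "MODERATE"),
               (2.0, "LOW"), (0.0, "NEGLIGIBLE")]


def _validate(factors, names):
    """Every factor on the page is scored on a 1-10 scale."""
    for name in names:
        if not 1 <= factors[name] <= 10:
            raise ValueError(f"{name} must be scored 1-10, got {factors[name]}")


def weighted_average(factors, weights):
    return sum(factors[name] * weight for name, weight in weights.items())


def unweighted_average(factors, names):
    return sum(factors[name] for name in names) / len(names)


def apply_gate(likelihood_value, accessibility):
    """Accessibility minimum-gate: no access means no attack, whatever the
    other factors say. Fires only when Accessibility is scored <= 2."""
    if accessibility <= GATE_THRESHOLD:
        return min(likelihood_value, accessibility * GATE_MULTIPLIER)
    return likelihood_value


def likelihood(factors, advanced=True, gate=True):
    if advanced:
        _validate(factors, LIKELIHOOD_WEIGHTS)
        raw = weighted_average(factors, LIKELIHOOD_WEIGHTS)
    else:
        _validate(factors, SIMPLE_LIKELIHOOD)
        raw = unweighted_average(factors, SIMPLE_LIKELIHOOD)
    # Assumption: the gate applies in Simple mode too; the page describes
    # it alongside the Advanced-mode weights.
    return apply_gate(raw, factors["accessibility"]) if gate else raw


def impact(factors, advanced=True):
    if advanced:
        _validate(factors, IMPACT_WEIGHTS)
        return weighted_average(factors, IMPACT_WEIGHTS)
    _validate(factors, SIMPLE_IMPACT)
    return unweighted_average(factors, SIMPLE_IMPACT)


def risk_score(likelihood_value, impact_value, divisor=DIVISOR):
    """Core formula: (Likelihood x Impact) / divisor, capped at 10.0.
    The divisor parameter is an assumption added so an organization's
    own calibration (or the /10 comparison) can be tried."""
    return round(min(likelihood_value * impact_value / divisor, SCORE_CAP), 1)


def risk_level(score):
    for floor, label in RISK_LEVELS:
        if score >= floor:
            return label
    return "NEGLIGIBLE"


def assess(factors, advanced=True, gate=True):
    lik = likelihood(factors, advanced, gate)
    imp = impact(factors, advanced)
    score = risk_score(lik, imp)
    return {"likelihood": round(lik, 2), "impact": round(imp, 2),
            "score": score, "level": risk_level(score)}


# Constructed scenario from the page's own discussion: every factor at 10
# except Accessibility, scored 1 (air-gapped, heavily restricted).
AIR_GAPPED = {name: 10 for name in list(LIKELIHOOD_WEIGHTS) + list(IMPACT_WEIGHTS)}
AIR_GAPPED["accessibility"] = 1

if __name__ == "__main__":
    print("gated:  ", assess(AIR_GAPPED))
    print("ungated:", assess(AIR_GAPPED, gate=False))
    print("simple: ", assess(AIR_GAPPED, advanced=False))
    for divisor in (10, DIVISOR):   # the "Realistic thresholds" comparison
        s = risk_score(8, 8, divisor)
        print(f"8 x 8 / {divisor}: {s} {risk_level(s)}")
```

Running it reproduces the numbers quoted on this page: without the gate the air-gapped scenario has a weighted likelihood of 7.3, which against an impact of 10 exceeds the cap and lands at 10.0 (EXTREME); with the gate the likelihood is capped at 1.5 and the score drops to 2.3 (LOW). The divisor loop shows why the page prefers /6.5: an 8/8 scenario scores 6.4 (HIGH) under /10 but 9.8 (EXTREME) under /6.5.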

Risk Treatment Strategies

Avoid

Eliminate the activity or asset that creates the risk. Used for EXTREME risks where the cost of mitigation exceeds the benefit.

Mitigate

Implement controls to reduce likelihood or impact. Most common strategy for HIGH and MODERATE risks.

Transfer

Shift risk to a third party through insurance, outsourcing, or contractual agreements. Often combined with mitigation for HIGH risks.

Accept

Document and acknowledge the risk without additional action. Appropriate for LOW and NEGLIGIBLE risks where mitigation costs exceed potential losses.

Framework Alignment

ISO 27005:2022

Simple as Hell follows ISO 27005's risk assessment process: context establishment, risk identification, risk analysis, risk evaluation, and risk treatment. The factor-based approach aligns with ISO's requirement for systematic risk analysis.

FAIR (Factor Analysis of Information Risk)

The tool's decomposition of risk into likelihood and impact factors draws from FAIR's ontology. Factors like threat capability, vulnerability, and asset value map directly to FAIR constructs, though simplified for ease of use.

NIST SP 800-30 Rev. 1

Risk levels and treatment recommendations align with NIST guidance. The semi-quantitative scoring approach (using numeric scales rather than purely qualitative labels) follows NIST best practices for organizational risk assessment.

Limitations & Calibration

Important: All risk scores are inherently subjective and depend on organizational context. Simple as Hell provides a framework for consistent, defensible risk assessment—not mathematical precision.

  • Scores should be calibrated against historical incident data and organizational risk appetite
  • Different assessors may rate the same scenario differently; this is expected and acceptable
  • The tool is designed for comparative analysis: use it to prioritize risks relative to each other
  • Risk thresholds (EXTREME, HIGH, etc.) should be adjusted to match your organization's tolerance
  • Regular reassessment is critical as threat landscape and business context evolve

About the Author

Simple as Hell was created by Richard Belisle, a cybersecurity professional focused on making enterprise-grade risk assessment accessible to organizations of all sizes.

This tool is free to use and open for feedback. If you find it useful or have suggestions for improvement, feel free to reach out.