Classification - Restricted

NIST Privacy Risk Assessment Methodology

Version: February 2019

Worksheet 3: Prioritizing Risk

Tab 1: Introduction

Purpose:
This worksheet enables the assessment and prioritization of privacy risk in systems. It requires inputs from Worksheet 1: Framing Organizational Objectives and Privacy Governance and Worksheet 2: Assessing System Design.

Tasks:
1. Assess likelihood (Tab 2: Likelihood).
2. Assess impact (Tab 3: Impact).
3. Calculate risk (Tab 4: Risk).
4. Prioritize risk (Tab 5: Risk Prioritization SAMPLE & Tab 6: Risk Prioritization INPUT).

Tab 2: Likelihood

Task 1: Assess Likelihood

Guidance:
Likelihood: Probability that a data action will become problematic for representative or typical individuals whose data is being processed or is interacting with the system/product/service.

Assessment: Determine on a scale from 1-10 the estimated expected probability of occurrence for each potential problem for individuals with 10 being most problematic. Organizations can use any scale they prefer as long as they use the same scale throughout the process.

Prior Worksheet Inputs: Data actions and associated summary issues from Worksheet 2.

Problematic Data Actions Catalog: See Catalog of PDAP. The catalog may be used as a way to categorize the adverse effects that could arise from the issues or questions highlighted in the summary issues column. As noted in Worksheet 2, a summary issue may alleviate, rather than raise concerns about adverse effects. In that case, the summary issue should be scored as 0.

Problems for Individuals Catalog: See Catalog of PDAP. Problematic data actions may create the potential for more than one type of problem. However, some of the problems may have a higher likelihood of occurrence than others. If the data action ultimately is scored as risky, scoring the problems separately may help pinpoint what type of control would be most effective to mitigate the risk of the highest scored problem(s), thereby lowering the score of the data action as a whole to an acceptable level.

Example:

Data Action: Collection from the Social Media Site

Summary Issue | Problematic Data Actions | Potential Problems for Individuals | Likelihood
Full social credential profile access (including picture and list of friends) is not necessary for fulfilling operational purpose. | Appropriation; Induced disclosure | Dignity Loss: Information is revealed about the individual that could be embarrassing or discomfiting. | 7
(same summary issue) | Induced disclosure; Surveillance | Loss of Autonomy: People must provide information that could be used in ways that exceed expectations. | 2
Will users understand the eventual high-assurance credential is controlled by ACME and not by their social credential provider? | This summary issue will be associated with another data action. | (none) | NA
How will perception of the social media organization's privacy practices impact users' willingness to consent to this data action? | Surveillance; Unanticipated Revelation | Loss of Trust: Individuals lose trust in ACME due to a breach in expectations about the handling of personal information. | 6

Tab 3: Impact

Task 2: Assess Impact

Guidance:
Although individuals experience problems directly, it may be difficult for an organization to assess the impact of these problems. This worksheet is not intended to prevent organizations from assessing the direct impact of problems on individuals; however, should they be unable to do so, organizational impact factors as secondary costs absorbed by the organization can be used in lieu of or in addition to direct impact assessment.

Assessment: Determine on a scale from 1-10 the estimated effect of each potential problem for individuals per data action on the organizational impact factors. The assigned values are added to calculate organizational impact per potential problem.

Prior Worksheet Inputs: Relevant inputs from Worksheet 1. For example, in considering noncompliance costs, review the legal requirements or obligations identified in the legal environment box or policy statements made about privacy. In considering internal culture costs, consider the commitments to privacy principles or mission values, etc.

Organizational Impact Factors:
Noncompliance Costs: Regulatory fines, litigation costs, remediation costs, etc.
Direct Business Costs: Revenue or performance loss from customer abandonment or avoidance, etc.
Reputational Costs: Brand damage, loss of customer trust, etc.
Internal Culture Costs: Impact on capability of organization/unit to achieve vision/mission. Consider impact on productivity/employee morale stemming from conflicts with internal cultural values or ethics.
Other: Any other costs that an organization wants to consider.

Example:

Data Action: Collection from the Social Media Site

Summary Issue | Problematic Data Actions | Potential Problems for Individuals | Noncompliance Costs | Direct Business Costs | Reputational Costs | Internal Culture Costs | Other | Total Business Impact (per Potential Problem)
Full social credential profile access (including picture and list of friends) is not necessary for fulfilling operational purpose. | Appropriation; Induced disclosure | Dignity Loss | 7 | 6 | 6 | 4 | - | 23
(same summary issue) | Induced disclosure; Surveillance | Loss of Autonomy | 7 | 6 | 8 | 4 | - | 25
How will perception of the social media organization's privacy practices impact users' willingness to consent to this data action? | Surveillance; Unanticipated Revelation | Loss of Trust | 7 | 6 | 8 | 7 | - | 28

Tab 4: Risk

Task 3: Calculate Risk

Guidance:
Risk per Data Action: Apply the risk equation to the outputs of the Likelihood tab and Impact tab to determine the estimated risk per data action. The estimated likelihood for each potential problem for individuals per data action is multiplied by its estimated impact to yield the estimated risk per potential problem. The sum of the estimated risks for each potential problem for individuals is the estimated risk per data action.

Example:

Data Action | Potential Problem for Individuals | Likelihood | Impact | Risk per Potential Problem | Risk per Data Action
Collection from the Social Media Site | Dignity Loss | 7 | 23 | 161 | 379
Collection from the Social Media Site | Loss of Autonomy | 2 | 25 | 50 |
Collection from the Social Media Site | Loss of Trust | 6 | 28 | 168 |
DA2 | Economic Loss | 6 | 32 | 192 | 317
DA2 | Loss of Autonomy | 5 | 19 | 95 |
DA2 | Loss of Trust | 2 | 15 | 30 |
DA3 | Loss of Trust | 6 | 25 | 150 | 577
DA3 | Dignity Loss | 7 | 36 | 252 |
DA3 | Loss of Liberty | 5 | 35 | 175 |
DA4 | Loss of Trust | 5 | 48 | 240 | 240
DA5 | Economic Loss | 6 | 37 | 222 | 821
DA5 | Loss of Autonomy | 5 | 20 | 100 |
DA5 | Discrimination | 3 | 25 | 75 |
DA5 | Loss of Trust | 8 | 33 | 264 |
DA5 | Dignity Loss | 4 | 40 | 160 |
DA6 | Loss of Trust | 5 | 22 | 110 | 438
DA6 | Loss of Autonomy | 5 | 32 | 160 |
DA6 | Dignity Loss | 6 | 28 | 168 |
DA7 | Loss of Autonomy | 8 | 43 | 344 | 659
DA7 | Dignity Loss | 9 | 10 | 90 |
DA7 | Economic Loss | 7 | 27 | 189 |
DA7 | Loss of Trust | 4 | 9 | 36 |
DA8 | Loss of Autonomy | 4 | 13 | 52 | 514
DA8 | Dignity Loss | 9 | 32 | 288 |
DA8 | Economic Loss | 8 | 15 | 120 |
DA8 | Loss of Trust | 6 | 9 | 54 |
DA9 | Loss of Trust | 3 | 39 | 117 | 213
DA9 | Loss of Liberty | 2 | 48 | 96 |
DA10 | Loss of Trust | 4 | 14 | 56 | 161
DA10 | Economic Loss | 6 | 9 | 54 |
DA10 | Dignity Loss | 3 | 17 | 51 |

(Risk per Data Action is shown on the first row of each data action's group.)

Tab 5: Risk Prioritization SAMPLE

Task 4: Prioritize Risk

Guidance:
Prioritization: This tab provides some examples of prioritization methods. Organizations should choose prioritization methods that provide the best communication tool for their organization and that best support decision-making about how to respond to the identified risks.

System Risk Table: Indicates the estimated risk presented by a data action, its estimated percentage of system risk, and its estimated rank among data actions. The risk column is the total estimated risk per data action and colored to facilitate visual prioritization. The percent of system risk column is the estimated risk per data action relative to all other data actions. The rank among data actions column assigns relative values to the data actions pursuant to their estimated system risk percentage.

SAMPLE - Simple Data Action Risk Prioritization Table

Data Action | Risk | Percent of System Risk | Rank among data actions
Collection from social media site | 379 | 9% | 6
DA2 | 317 | 7% | 7
DA3 | 577 | 13% | 3
DA4 | 240 | 6% | 8
DA5 | 821 | 19% | 1
DA6 | 438 | 10% | 5
DA7 | 659 | 15% | 2
DA8 | 514 | 12% | 4
DA9 | 213 | 5% | 9
DA10 | 161 | 4% | 10

Guidance:
Top 5 Outliers Table: Red cells indicate the five (5) highest likelihood and impact results per potential problems for individuals per data action. Each potential problem for individuals is assigned a point label which is plotted on the adjacent heat map as a function of its assigned likelihood and impact values.

SAMPLE - Two Dimensional Problem Prioritization Table (including Top 5 highest Likelihood and Impact outliers)

Data Action | Potential Problem for Individuals | Point Label | Likelihood | Impact
Collection from the Social Media Site | Dignity Loss | A | 7 | 23
Collection from the Social Media Site | Loss of Autonomy | B | 2 | 25
Collection from the Social Media Site | Loss of Trust | C | 6 | 28
DA2 | Economic Loss | D | 6 | 32
DA2 | Loss of Autonomy | E | 5 | 19
DA2 | Loss of Trust | F | 2 | 15
DA3 | Loss of Trust | G | 6 | 25
DA3 | Dignity Loss | H | 7 | 36
DA3 | Loss of Liberty | I | 5 | 35
DA4 | Loss of Trust | J | 5 | 48*
DA5 | Economic Loss | K | 6 | 37
DA5 | Loss of Autonomy | L | 5 | 20
DA5 | Discrimination | M | 3 | 25
DA5 | Loss of Trust | N | 8* | 33
DA5 | Dignity Loss | O | 4 | 40*
DA6 | Loss of Trust | P | 5 | 22
DA6 | Loss of Autonomy | Q | 5 | 32
DA6 | Dignity Loss | R | 6 | 28
DA7 | Loss of Autonomy | S | 8* | 43*
DA7 | Dignity Loss | T | 9* | 10
DA7 | Economic Loss | U | 7 | 27
DA7 | Loss of Trust | V | 4 | 9
DA8 | Loss of Autonomy | W | 4 | 13
DA8 | Dignity Loss | X | 9* | 32
DA8 | Economic Loss | Y | 8* | 15
DA8 | Loss of Trust | Z | 6 | 9
DA9 | Loss of Trust | AA | 3 | 39*
DA9 | Loss of Liberty | BB | 2 | 48*
DA10 | Loss of Trust | CC | 4 | 14
DA10 | Economic Loss | DD | 6 | 9
DA10 | Dignity Loss | EE | 3 | 17

(* marks one of the five highest values in that column, the red cells in the original.)

Problem Prioritization Heat Map: each point label above is plotted with its Likelihood on the x-axis (1-10) and its Impact on the y-axis (0-50). Chart not reproduced.

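The arithmetic behind Task 3 (risk per potential problem and per data action) and the Task 4 System Risk Table and Top 5 Outliers, as an added worked example that is not part of the NIST worksheet; the sample rows are transcribed from the Risk tab example above, and the function names are assumptions of this example.

```python
from collections import defaultdict

# Sample input transcribed from the worksheet's Risk tab example above:
# (data action, potential problem for individuals, likelihood, impact).
SM = "Collection from social media site"
SAMPLE_ROWS = [
    (SM, "Dignity Loss", 7, 23), (SM, "Loss of Autonomy", 2, 25),
    (SM, "Loss of Trust", 6, 28),
    ("DA2", "Economic Loss", 6, 32), ("DA2", "Loss of Autonomy", 5, 19),
    ("DA2", "Loss of Trust", 2, 15),
    ("DA3", "Loss of Trust", 6, 25), ("DA3", "Dignity Loss", 7, 36),
    ("DA3", "Loss of Liberty", 5, 35), ("DA4", "Loss of Trust", 5, 48),
    ("DA5", "Economic Loss", 6, 37), ("DA5", "Loss of Autonomy", 5, 20),
    ("DA5", "Discrimination", 3, 25), ("DA5", "Loss of Trust", 8, 33),
    ("DA5", "Dignity Loss", 4, 40),
    ("DA6", "Loss of Trust", 5, 22), ("DA6", "Loss of Autonomy", 5, 32),
    ("DA6", "Dignity Loss", 6, 28),
    ("DA7", "Loss of Autonomy", 8, 43), ("DA7", "Dignity Loss", 9, 10),
    ("DA7", "Economic Loss", 7, 27), ("DA7", "Loss of Trust", 4, 9),
    ("DA8", "Loss of Autonomy", 4, 13), ("DA8", "Dignity Loss", 9, 32),
    ("DA8", "Economic Loss", 8, 15), ("DA8", "Loss of Trust", 6, 9),
    ("DA9", "Loss of Trust", 3, 39), ("DA9", "Loss of Liberty", 2, 48),
    ("DA10", "Loss of Trust", 4, 14), ("DA10", "Economic Loss", 6, 9),
    ("DA10", "Dignity Loss", 3, 17),
]

def risk_per_data_action(rows):
    # Task 3: risk per potential problem = likelihood * impact; the sum over a
    # data action's problems is its risk per data action.
    totals = defaultdict(int)
    for action, _problem, likelihood, impact in rows:
        totals[action] += likelihood * impact
    return dict(totals)

def system_risk_table(rows):
    # Task 4 System Risk Table: (risk, percent of system risk as a whole
    # percent, rank with 1 = highest risk) per data action.
    totals = risk_per_data_action(rows)
    system_total = sum(totals.values())
    ranked = sorted(totals, key=totals.get, reverse=True)
    return {a: (r, round(100 * r / system_total), ranked.index(a) + 1)
            for a, r in totals.items()}

def point_label(index):
    # Point labels as in the worksheet: A..Z, then AA, BB, ... for index >= 26.
    return chr(ord("A") + index % 26) * (index // 26 + 1)

def top_outliers(rows, n=5):
    # Task 4 Top 5 Outliers (the red cells): point labels of the n highest
    # likelihood values and of the n highest impact values.
    labelled = list(enumerate(rows))
    by_likelihood = sorted(labelled, key=lambda x: x[1][2], reverse=True)[:n]
    by_impact = sorted(labelled, key=lambda x: x[1][3], reverse=True)[:n]
    return ([point_label(i) for i, _ in by_likelihood],
            [point_label(i) for i, _ in by_impact])
```

Running `system_risk_table(SAMPLE_ROWS)` reproduces the sample table (DA5 at 821, 19%, rank 1); swap in your own rows from Tabs 2 and 3 to fill the INPUT tab.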
Tab 6: Risk Prioritization INPUT

Task 4: Prioritize Risk

Guidance:
Prioritization: The Risk Prioritization SAMPLE tab provides some examples of prioritization methods. Organizations should choose prioritization methods that provide the best communication tool for their organization and that best support decision-making about how to respond to the identified risks.

System Risk Table: Indicates the estimated risk presented by a data action, its estimated percentage of system risk, and its estimated ranking amongst other data actions. The risk column is the total estimated risk per data action and colored to facilitate visual prioritization. The percent of system risk column is the estimated risk per data action relative to all other data actions. The rank among data actions column assigns relative values to the data actions pursuant to their estimated system risk percentage.

Simple Data Action Risk Prioritization Table (blank input form)

Data Action | Risk | Percent of System Risk | Rank among data actions
(rows to be completed by the organization)

Guidance:
Top 5 Outliers Table: Red cells indicate the five (5) highest likelihood and impact results per potential problems for individuals per data action. Each potential problem for individuals is assigned a point label which is plotted on the adjacent heat map as a function of its assigned likelihood and impact values.

SAMPLE - Two Dimensional Problem Prioritization Table (including Top 5 highest Likelihood and Impact outliers)

Data Action | Potential Problem for Individuals | Point Label | Likelihood | Impact
(blank input form; the Point Label column is pre-filled with A through Z and AA through EE, one label per row)

Problem Prioritization Heat Map: blank chart with Likelihood on the x-axis (0-10) and Impact on the y-axis (0-50); point labels are plotted once the table is completed. Chart not reproduced.