The Information Security / Asset Risk Model

Compliance officers, risk managers, and DPOs come to the Information Security / Asset Risk Model screen to define exactly how DPMS calculates a risk score for every asset in the organisation — from the likelihood scale and financial damage thresholds right through to the colour-coded risk categories that appear on each Asset record.

Before any risk score can appear on an asset, someone has to teach DPMS the maths. The Information Security / Asset Risk Model screen is where that happens. You define two input scales — how likely is a threat, and how severe would the damage be — choose whether those two numbers are added together or multiplied, map the resulting scores onto human-readable categories such as "Minimal" or "Critical", and set the score below which an asset is considered adequately protected. Until this configuration is complete and activated, the risk columns on your Asset Register are blank, residual-risk calculations after controls are linked cannot run, and the AI-assisted risk suggestion feature on Asset detail pages has nothing to work with. It is one of the most foundational setup steps in the whole system.

How to open it

In the main sidebar, go to Settings → expand the Standards group → click Configure Models. The screen that appears is the Asset / Information Security Risk Model index.

You need at least the Risk Settings – read permission to open this page. To make any changes you also need the Asset Risk – edit permission. If you only have read access, everything is visible but the Edit button is greyed out with a tooltip explaining the restriction.

What you see

The page is split into a narrow Compliance Settings sidebar on the left and a wide content area on the right. The sidebar highlights your current position: Standards → Configure Models.

At the top of the content area a pill toolbar gives you two dropdown selectors side by side: Standard (e.g., "ISO 27001") and Model ("ADDITIVE" or "MULTIPLICATIVE"). To their right sits a status pill — apple-green reading ACTIVE when a live model is selected, or light-blue reading ACTIVATE when the model exists but has not yet been turned on. Next to the model title is a small pencil Edit button that opens the full configuration form.

Below the toolbar, the main panel shows three read-only information areas: a likelihood table listing each probability level with its label, frequency tag, and numeric weight; a damage table listing each financial impact band and its threshold; and two horizontal sliders — a multi-segment colour-coded slider for the risk category boundaries, and a single-thumb slider for the mitigation threshold.

Working with this screen

Setting up your risk model for the first time

If you are configuring DPMS from scratch, the status pill reads ACTIVATE and both tables are empty. Work through the following steps in order:

  • Open the edit form. Click the pencil Edit button in the title bar. This takes you to the configuration form at /risk/settings/asset/edit/{id}.
  • Build the likelihood scale. The form opens with a single blank row under Occurrence / Likelihood. Type a label such as "Very Unlikely", pick the matching occurrence frequency from the dropdown (this links to your compliance tags), then enter a numeric weight — for example, 1. When all three fields are filled, a + icon appears; click it to add the next level. Work your way up through as many levels as you need (a typical five-point scale runs from "Very Unlikely = 1" to "Almost Certain = 5"). If you need to remove a row, click the × icon on that row. Note that zero values are not allowed if you later choose the Multiplicative formula.
  • Choose your currency and build the damage scale. Select the currency your organisation uses for financial thresholds (for example, EUR). Then fill in the Damage Amount rows — each row needs a label (e.g., "Negligible"), a monetary ceiling (e.g., 10,000), and a numeric weight. As you fill in amounts, a small bar chart refreshes below the rows to show how the bands relate to each other, which makes it easy to spot unbalanced thresholds before you save. The top damage row always reads "Above [your maximum]" and cannot be deleted.
  • Set your risk categories. If no categories have been defined yet, a prompt reading Set appears near the bottom of the form. Click Set — you will be taken to a short setup page where you choose how many categories you want (for example, five: Minimal, Reduced, Average, Elevated, Critical). Save there and the system returns you to the edit form with a row of named category fields.
  • Name and colour your categories. Enter a label for each category in the text fields that appear. Use the language toggle above the list to enter translations if your organisation works in multiple languages. Each category row has a colour circle on the right; click it to adjust the colour that will appear on Asset badges.
  • Drag the threshold slider. Once categories and scale values are both present, the multi-segment Categories and Thresholds slider becomes active. Drag the boundary markers between colour bands to define the score ranges for each category — for example, scores 2–4 = Minimal, 5–7 = Reduced, and so on up to Critical.
  • Set the mitigation threshold. Below the categories slider is a simpler single-thumb Threshold slider. Drag it to the score below which a risk is considered adequately mitigated by applied controls. A higher threshold means you hold assets to a stricter standard; a lower one is more permissive.
  • Activate the model. Click the ACTIVATE pill. It turns green. Then click Save. A success confirmation appears and you are returned to the index view where the pill now reads ACTIVE.

Switching between standards or formula types

If your organisation has activated more than one international standard (say, both ISO 27001 and GDPR), each standard can have its own independent risk model. Use the Standard dropdown in the pill toolbar to switch between them — the likelihood table, damage table, and sliders all update to show that standard's configuration without any save action. You can use this to compare settings or verify that each standard's model is fully configured before an audit.

The Model dropdown lets you switch between the Additive (Likelihood + Damage) and Multiplicative (Likelihood × Damage) formulas. Additive is the most common choice for ISO 27001. Multiplicative amplifies the combined score more aggressively for high-likelihood, high-impact events, which some organisations prefer. Note that for Privacy Risk Models tied to standards other than GDPR, the Multiplicative option is automatically disabled.

Changing either dropdown saves nothing; on the index screen they are purely viewing tools.

Reviewing the model as an auditor

If you have read access but not edit permission, you can still use the Standard and Model dropdowns to browse every configured model in full detail — likelihood scales, damage thresholds, category definitions, threshold positions, and the mitigation threshold value. The Edit button is visible but disabled and shows a tooltip explaining the restriction. This is the view most auditors and read-only DPOs will use to document the organisation's risk methodology.

Adding a new international standard

To make a new standard available in the Standard dropdown, navigate to the Active Standards sub-section in the same Compliance Settings sidebar. Click the Edit button there and add the standard (for example, NIS2) from the multi-select list, then save. Once saved, the new standard appears in the dropdown on the Configure Models screen and you can build a risk model for it by clicking Edit.

Field reference

Likelihood label — A short name for each probability level (e.g., "Very Unlikely"). Required. Supports multilingual input via the language toggle. Cannot be blank or whitespace-only.

Occurrence tag — A frequency descriptor pulled from your compliance tag library (type: Occurrence/Likelihood). Required per row; links this probability level to a standardised frequency concept.

Likelihood numeric value — A positive integer or decimal that represents this level's weight in the formula. Must be greater than zero; for the Multiplicative model, exactly zero is explicitly rejected. Maximum: 9,999,999,999,999.

Damage label — A short name for each financial impact band (e.g., "Catastrophic"). Required. Supports multilingual input.

Damage monetary threshold — The upper currency limit for this band (e.g., 100,000 in EUR). The highest band is always "Above" the largest amount you enter and cannot be manually edited. Required; must be a positive number.

Damage numeric value — The weight assigned to this damage band in the formula. Same validation rules as Likelihood values.

Currency — The currency used to interpret all monetary thresholds. Defaults to EUR. Change this if your organisation's financial thresholds are in a different currency.

Category names — One text field per risk category (e.g., "Minimal" through "Critical"). Required before the model can be activated. Supports multilingual input.

Categories and Thresholds slider — Drag the boundary markers to set the score ranges for each category. The slider only appears when the combined score range (max minus min) is wide enough to accommodate all categories.

Mitigation threshold — The score below which a residual risk is considered mitigated. Drag the single thumb to your desired value. If you later change the scale values and the previously saved threshold falls outside the new range, it is silently clamped to the nearest valid value — always check this after updating scale values.
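The scoring rules laid out in this field reference, and the Additive versus Multiplicative choice described under Switching between standards or formula types, as an added Python sketch that is not DPMS's own code. The class layout, the is_mitigated comparison and the reading of "wide enough" as at least one whole score per category are assumptions; every scale value below is constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class RiskModel:
    # Added illustration, not DPMS code: field names and the range-check reading are assumptions.
    multiplicative: bool         # Model dropdown: MULTIPLICATIVE (L x D) or ADDITIVE (L + D)
    likelihood: dict             # likelihood label -> numeric weight
    damage_bands: list           # (label, monetary ceiling or None for the "Above" band, weight)
    categories: list             # category labels, lowest risk first
    boundaries: list             # upper score bound of every category except the last
    mitigation_threshold: float  # score below which a residual risk counts as mitigated

    def __post_init__(self):
        weights = list(self.likelihood.values()) + [w for *_, w in self.damage_bands]
        if self.multiplicative and 0 in weights:
            raise ValueError("Multiplicative model: no likelihood or damage value may be zero")
        lo, hi = self.score_range()
        # Assumed reading of "wide enough": every category needs at least one whole score.
        if hi - lo + 1 < len(self.categories):
            raise ValueError("score range too narrow for the number of categories")
        # A saved threshold outside the (new) score range is clamped silently, as the page warns.
        self.mitigation_threshold = min(max(self.mitigation_threshold, lo), hi)

    def combine(self, l, d):
        return l * d if self.multiplicative else l + d

    def score_range(self):
        lik, dmg = self.likelihood.values(), [w for *_, w in self.damage_bands]
        return self.combine(min(lik), min(dmg)), self.combine(max(lik), max(dmg))

    def damage_weight(self, amount):
        return next(w for _, ceiling, w in self.damage_bands if ceiling is None or amount <= ceiling)

    def score(self, likelihood_label, damage_amount):
        return self.combine(self.likelihood[likelihood_label], self.damage_weight(damage_amount))

    def category(self, score):
        return next((lbl for lbl, upper in zip(self.categories, self.boundaries) if score <= upper),
                    self.categories[-1])

    def is_mitigated(self, residual_score):
        return residual_score < self.mitigation_threshold


# Constructed sample: five-point scales, EUR bands and the category cut-offs quoted on this page.
LIKELIHOOD = {"Very Unlikely": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
DAMAGE = [("Negligible", 10_000, 1), ("Minor", 100_000, 2), ("Moderate", 1_000_000, 3),
          ("Major", 10_000_000, 4), ("Above 10,000,000", None, 5)]
CATEGORIES = ["Minimal", "Reduced", "Average", "Elevated", "Critical"]
ADDITIVE = RiskModel(False, LIKELIHOOD, DAMAGE, CATEGORIES, [4, 7, 8, 9], 5)
MULTIPLICATIVE = RiskModel(True, LIKELIHOOD, DAMAGE, CATEGORIES, [4, 9, 14, 19], 10)
```

Feeding the same likelihood label and damage amount to ADDITIVE and MULTIPLICATIVE shows how much more steeply the multiplicative formula separates the upper bands, which is why the category boundaries have to be redrawn when the model type is switched.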

How this connects to the rest of DPMS

Everything you configure here flows downstream into the Asset Register and individual Asset records. Once the model is set to ACTIVE:

  • The Likelihood, Impact, Inherent Risk Score, Residual Risk Score, and Risk Level badge fields on every Asset detail page are calculated using this model's scales and category boundaries.
  • The Controls / TOMs tab on each Asset uses the mitigation threshold you set here to determine whether the residual risk — after active controls are applied — falls below the "adequately mitigated" line.
  • The Risk Level filter on the Asset Register index reads its category names directly from this model. If categories are unnamed, the filter shows blank values.
  • The AI-assisted risk auto-generation feature on Asset detail pages uses this model's categories and thresholds to suggest likelihood and damage ratings. Without an active model it cannot produce suggestions.
  • Every change saved on this screen — threshold moves, category renames, model type switches — is recorded in the Activity Log, visible via the clock icon on object detail pages. This means auditors can trace exactly when the risk methodology changed and what effect it had on scores.

After finishing this screen, the natural next step is to open a few Asset records and verify that their risk scores and badges look correct. If scores are still missing, check that the model status is ACTIVE (green pill) and that at least one asset has both a likelihood and a damage value assigned.

Tips & common pitfalls

Heads up: You cannot activate the model until risk categories are defined and the threshold slider is valid. The ACTIVATE pill simply does nothing if you click it too early. Look for the Set prompt and the slider warning banner — they are your cues that setup is incomplete.

Tip: In Multiplicative mode, no likelihood or damage value can be zero. If you get a red "value invalid" toast when saving, scan every row for a zero — the field itself is not highlighted, so you may need to check each one manually.

  • Unsaved edits are at risk when you navigate to "Set categories". If you have already entered likelihood or damage values and then click Set, a confirmation prompt appears. Read it carefully and click Accept to proceed; simply clicking elsewhere dismisses the prompt without navigating, so you may need to click Set again.
  • The damage bar chart stays blank until you enter a non-zero amount in at least the first damage row. If the chart area looks empty during setup, this is normal — enter your first amount and the chart will appear.
  • Always recheck the mitigation threshold after changing scale values. If you reduce the number of likelihood or damage levels, the maximum possible score decreases. The threshold slider silently clamps to the new maximum, which may be lower than your intended risk appetite setting. Verify the thumb position and save again if needed.

Tip: If you run multiple international standards (ISO 27001, GDPR, NIS2), each needs its own complete model configuration — including separate likelihood scales, damage tables, categories, and thresholds. Switch between them using the Standard dropdown to make sure none are left unconfigured before going live.

  • A background recalculation job blocks saving. Occasionally, DPMS runs a background process to recalculate all asset risk scores (for example, after a bulk import). During this time the Save button on the edit screen is blocked and an explanatory message is shown. Wait for the job to complete before making further changes.
