Risk model & rating methodology
Every decision option in an exercise is tagged low, medium or high. This page explains how those ratings are assigned, which framework they're anchored in, and how to challenge a rating you disagree with.
1. Anchoring framework
NIST SP 800-30 Rev. 1 + ISO 31000:2018
Ratings follow the qualitative risk model from NIST Special Publication 800-30 Rev. 1 — the standard guide for conducting risk assessments — combined with the five-level vocabulary from ISO 31000:2018. Both are recognised internationally and accepted by UK regulators and cyber-security bodies.
The core formula is unchanged across both frameworks:
Risk score = Likelihood × Impact
where likelihood is the probability that the option leads to an adverse outcome under the current scenario conditions, and impact is the magnitude of harm to the three headline metrics: public trust, operational capacity and threat containment.
2. Likelihood scale
NIST SP 800-30 Table G-2 (qualitative)
| Band | Definition | Weight |
|---|---|---|
| Very low | Adverse event highly unlikely to occur | 1 |
| Low | Adverse event unlikely to occur | 2 |
| Moderate | Adverse event somewhat likely to occur | 3 |
| High | Adverse event highly likely to occur | 4 |
| Very high | Adverse event almost certain to occur | 5 |
3. Impact scale
NIST SP 800-30 Table H-2 (qualitative)
Each option's impact is calculated from the change it makes to the three exercise metrics. The absolute changes to all three are summed, and the total (Σ|Δ|) is mapped to a band:
| Band | Definition | Weight |
|---|---|---|
| Very low | Negligible degradation (Σ\|Δ\| ≤ 5) | 1 |
| Low | Limited degradation (Σ\|Δ\| 6–15) | 2 |
| Moderate | Serious degradation (Σ\|Δ\| 16–30) | 3 |
| High | Severe degradation (Σ\|Δ\| 31–50) | 4 |
| Very high | Catastrophic degradation (Σ\|Δ\| > 50) | 5 |
4. Risk matrix
Likelihood × Impact → low / medium / high
The 5 × 5 matrix below collapses the NIST scale into the three bands shown in the platform. This is the standard "traffic-light" projection used by ISO 31000 dashboards and by UK public-sector cyber-assessment frameworks.
| Likelihood ↓ / Impact → | Very low | Low | Moderate | High | Very high |
|---|---|---|---|---|---|
| Very low | 1 | 2 | 3 | 4 | 5 |
| Low | 2 | 4 | 6 | 8 | 10 |
| Moderate | 3 | 6 | 9 | 12 | 15 |
| High | 4 | 8 | 12 | 16 | 20 |
| Very high | 5 | 10 | 15 | 20 | 25 |
- low — score 1–6. Tolerable; no special escalation required.
- medium — score 8–12. Action required to bring into tolerance. Document the decision.
- high — score 15–25. Unacceptable without senior sign-off and a contingency plan.
5. Scenario modifiers
Why the same action can be rated differently across scenarios
A raw NIST score is adjusted by three modifiers before the low/medium/high label is assigned:
- Sector exposure — regulated sectors (financial services, healthcare, energy, government) carry a higher impact weighting because adverse outcomes attract statutory penalties.
- Threat context — the scenario's stage in the kill chain (initial access, lateral movement, exfiltration, recovery) shifts the likelihood band. An option that's "low" in the early stages may be "medium" once the threat is established.
- Reversibility — irreversible actions (paying a ransom, public disclosure, terminating a contract) attract a one-band uplift, in line with NIST SP 800-39's emphasis on recoverability.
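A worked scoring routine covering sections 3 to 5, added here as an example and not the platform's own code. The magnitudes of the modifiers are assumptions (a regulated sector and an irreversible action each add one impact band; an established kill-chain stage adds one likelihood band), since the page states only the direction of each modifier; the band boundaries and the matrix projection are taken from the tables above.

```python
# Scale weights from the likelihood table (NIST SP 800-30 Table G-2).
LIKELIHOOD = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}
# Impact bands as (upper bound of sum|delta|, weight); anything above 50 is 5.
IMPACT_BANDS = [(5, 1), (15, 2), (30, 3), (50, 4)]
REGULATED_SECTORS = {"financial services", "healthcare", "energy", "government"}
# Assumption: once the threat is established, likelihood shifts up one band.
ESTABLISHED_STAGES = {"lateral movement", "exfiltration"}

def impact_weight(deltas):
    """Map the summed absolute metric changes to an impact weight of 1..5."""
    total = sum(abs(d) for d in deltas.values())
    for upper, weight in IMPACT_BANDS:
        if total <= upper:
            return weight
    return 5

def clamp(weight):
    """Keep a band weight inside the 1..5 scale after modifiers are applied."""
    return max(1, min(5, weight))

def label_for(score):
    """Traffic-light projection of the 5x5 matrix: 1-6 low, 8-12 medium, 15-25 high."""
    if score <= 6:
        return "low"
    if score <= 12:
        return "medium"
    return "high"

def rate_option(deltas, likelihood, sector, stage, irreversible):
    """Raw NIST score plus the three scenario modifiers, then the published label."""
    li = LIKELIHOOD[likelihood]
    im = impact_weight(deltas)
    if sector in REGULATED_SECTORS:
        im += 1        # assumed magnitude: sector exposure = one impact band
    if stage in ESTABLISHED_STAGES:
        li += 1        # assumed magnitude: threat context = one likelihood band
    if irreversible:
        im += 1        # reversibility uplift, assumed to apply to impact
    li, im = clamp(li), clamp(im)
    score = li * im
    return {"likelihood": li, "impact": im, "score": score, "label": label_for(score)}

if __name__ == "__main__":
    # Constructed sample: the same option rated in two different scenarios.
    deltas = {"public trust": -12, "operational capacity": -8, "threat containment": 5}
    print(rate_option(deltas, "moderate", "retail", "initial access", False))
    print(rate_option(deltas, "moderate", "healthcare", "exfiltration", True))
```

The first call scores 3 × 3 = 9 (medium); the same option in a regulated sector, after the threat is established and with an irreversible action, scores 4 × 5 = 20 (high).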
6. Authoring and peer review
How a rating gets into the platform
- Scenario authors propose a rating using the NIST matrix above and record the likelihood / impact / modifier rationale in the authoring tool.
- A second subject-matter expert reviews and either accepts or challenges the rating.
- Where the two reviewers disagree, the higher of the two ratings is published and the rationale is logged. This follows the precautionary principle in ISO 31000 §6.4.3.
- Customer-reported disagreements (see below) trigger a re-review and, where appropriate, a published correction.
7. Disagree with a rating?
Tell us — ratings are intended to be debated
Risk ratings are heuristics, not absolutes. They are deliberately simplified to keep an exercise moving at pace. If a rating doesn't match your organisation's risk appetite, that disagreement is the value of the exercise — it surfaces an assumption that would otherwise stay implicit.
Capture the disagreement in your debrief discussion. If you'd like us to review and potentially adjust a rating, email feedback@decidr.live with the scenario name, decision title, and your suggested rating with rationale.
8. References
- NIST SP 800-30 Rev. 1 — Guide for Conducting Risk Assessments
- NIST SP 800-37 Rev. 2 — Risk Management Framework for Information Systems and Organizations
- NIST SP 800-39 — Managing Information Security Risk
- ISO 31000:2018 — Risk Management Guidelines
- UK public-sector cyber-assessment outcomes framework (v3.2)
- CLEAR Decision Loop
© 2026 Decidr Ltd. All rights reserved.