Risk Assessment with the SPE model

Dec 20, 2019 11:29:13 AM

Risk lies around every corner and should be expected at any time. In the world of IT, risk is inherently everywhere and comes in many shapes and forms. Consequently, the task of writing down all possible risks threatening an IT infrastructure can be daunting and never-ending.

However, brainstorming all possibilities of threats looming around IT systems is an absolutely necessary job to know what, when, where and how to defend.
From an endpoint protection perspective, risk assessment models as well as information security regulations take endpoint risk very seriously. The endpoint offers massive potential for attack because:

  • Large amounts of business data can reside on the endpoint (terabytes sometimes).
  • Many applications exist on the endpoint. Portable tools further increase the issue.
  • Increasingly broader access to the Internet, mainly webmail, social media and P2P.
  • Endpoints are more likely to be lost/stolen than servers in the datacenter.
  • Wide variety of devices and peripherals can be connected to the endpoint.
  • BYOD is an ever-growing concern bringing gray areas of visibility and control.
  • End-users are an easy target for phishing and social engineering. This is usually the #1 issue.

Many models have been developed for risk assessment. An easy yet effective one is the Severity, Probability and Exposure (SPE) model. It works as follows.

Risk = Severity x Probability x Exposure

Severity: Severity is an event’s potential consequences measured in terms of degree of damage, injury, or impact on a mission. Severity can vary from 1 to 5.

Probability: Probability is the likelihood that the potential consequences will occur. Probability can vary from 1 to 5.

Exposure: Exposure is the amount of time, number of occurrences, number of people, and/or amount of equipment involved in an event, expressed in time, proximity, volume, or repetition. Exposure can vary from 1 to 4.
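The model above, worked through in code as an added example (not part of the original post): each factor is range-checked against the scales the post gives, the product is the risk score, and a small register of endpoint threats drawn from the bullet list is ranked. The threat names and their 1-5 / 1-4 ratings are constructed for illustration.

```python
from dataclasses import dataclass

# Scale bounds as the post defines them: Severity 1-5, Probability 1-5, Exposure 1-4.
SEVERITY_RANGE = (1, 5)
PROBABILITY_RANGE = (1, 5)
EXPOSURE_RANGE = (1, 4)
MAX_RISK = SEVERITY_RANGE[1] * PROBABILITY_RANGE[1] * EXPOSURE_RANGE[1]  # 5 x 5 x 4 = 100


def _check(name, value, bounds):
    """Reject ratings outside the model's scale (a 6 on a 1-5 scale is a data-entry error)."""
    lo, hi = bounds
    if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer in [{lo}, {hi}], got {value!r}")
    return value


def spe_risk(severity, probability, exposure):
    """Risk = Severity x Probability x Exposure, with each factor range-checked."""
    s = _check("severity", severity, SEVERITY_RANGE)
    p = _check("probability", probability, PROBABILITY_RANGE)
    e = _check("exposure", exposure, EXPOSURE_RANGE)
    return s * p * e


@dataclass(frozen=True)
class Threat:
    name: str
    severity: int
    probability: int
    exposure: int

    @property
    def risk(self):
        return spe_risk(self.severity, self.probability, self.exposure)


def rank_threats(threats):
    """Return (name, risk, percent_of_max) rows, highest risk first."""
    scored = [(t.name, t.risk, 100 * t.risk // MAX_RISK) for t in threats]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed endpoint risk register; the ratings are illustrative, not from the post.
ENDPOINT_THREATS = [
    Threat("Phishing / social engineering of end-users", severity=4, probability=5, exposure=4),
    Threat("Laptop lost or stolen with business data on it", severity=5, probability=3, exposure=2),
    Threat("Unmanaged BYOD device on the corporate network", severity=3, probability=4, exposure=3),
    Threat("Malware arriving via webmail / P2P downloads", severity=4, probability=3, exposure=3),
    Threat("Rogue USB peripheral plugged into a workstation", severity=3, probability=2, exposure=2),
]

if __name__ == "__main__":
    for name, risk, pct in rank_threats(ENDPOINT_THREATS):
        print(f"{risk:3d} ({pct:3d}% of max)  {name}")
```

Because Exposure tops out at 4 while the other two factors reach 5, the maximum score is 100, which makes the raw product directly readable as a percentage of the worst case.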

