Risk DeterminationFor purpose of relative risk assessment, risk equals probability of vulnerability occurrence TIMES value MINUS percentage risk already controlled PLUS an element of uncertainty. For instance• Information asset A has a value score 50 and has 1 vulnerability: Vulnerability1 has a likelihood of 1.0 with no current controls and you estimate that the assumptions and data are 90 percent accurate.• Information asset B has a value score of 100 and has 2 vulnerability 2 has a likelihood of 0.5 with a current control which addresses 50 percent of risk. Vulnerability3 has a likelihood of 0.1 with no current controls.Resulting ranked list of risk ratings for the 3 vulnerabilities: Asset A: Vulnerability 1 rated as 55 = (50 x 1.0) –0% + 10% Where 55 = (50 x 1.0) – ( ( 50x 1.0)x0.0) + ( ( 50x1.0) x 0.1)55 = 50 - 0 + 5Asset B: Vulnerability 2 rated as 35 = (100 x 0.5) – 50% + 20% Where 35 = (100 x 0.5) – ( (100 x 0.5)x 0.5) + ( ( 100 x0.5) x 0.2)35 = 50 – 25 + 10Asset C: Vulnerability 3 rated as 12 = (100 x 0.1) – 0% + 20% Where 12= (100 x 0.1) – ((100 x 0.1) x 0.0) + ((100 x0.1) x 0.2)12 = 10 - 0 + 2