I’ve a question regarding the correlation between multiple risks and the impact evaluation of these correlating risks.
Let's say I have these 2 risks:
- Risk 1
  - Asset: Office room
  - Vulnerability: Lack of access controls to facilities, rooms or offices
  - Threat: Unauthorized entry into facilities, rooms or offices
- Risk 2
  - Asset: Printer
  - Vulnerability: Network devices inadequately physically protected
  - Threat: Unauthorized access to equipment
Now, during impact evaluation, I would assess the impact of each risk for itself as medium. But if both risks materialize at the same time, I would assess each as a high risk because this would mean an unknown person instead of an employee would access the printer. How would you represent the combination of both risks during risk assessment?