Guest user Created:   May 09, 2017 Last commented:   May 10, 2017

Risk assessment

I have a question about Information security risk assessment – Risk analysis and evaluation [clause 6.1.2].


Expert
Rhand Leal May 09, 2017

The Risk = Impact + [or X ] Likelihood

1 - My question is: how can I establish the real values for Impact and Likelihood?

Answer: The values for impact and likelihood can be defined either based on available statistics and historical records, or on the subjective perception of those who are performing the assessment. Both approaches have advantages (statistical/historical records are more reliable, and subjective perception is faster) and disadvantages (statistical/historical records are not always available, and subjective perception may be biased), and you should consider them and your risk assessment needs (e.g., do you need precision and reliability, or a fast response?) before choosing which one to use.

2 - Why is the Impact for leaving a laptop in the car 3? And also, why is the likelihood 3 too for that one?

Answer: First of all, leaving a laptop in a car is not considered an impact, but a situation that can affect the likelihood of a risk occurring. Impact is the damage resulting from a risk occurring (e.g., the financial loss of a stolen laptop).

That said, for an impact to be attributed the value 3, this means that the information you have (statistics, records or perceptions), when compared against your criteria for defining the impact value, indicates that the value 3 is the one that best reflects the results of the loss of the information/asset (in this case the laptop). The same approach applies to defining the likelihood value as 3.

3 - Can I find a statistics catalog for likelihoods and impacts for vulnerabilities and threats, or will I set these values in the subjective mode?

Answer: The availability of statistics for likelihoods and impacts will depend mostly on the type of asset and the databases you can have access to (e.g., internal data, public data or commercial data). Insurance companies are good examples of organizations that can have a good database of statistics for likelihoods and impacts. In case you cannot have access to such databases, or they do not exist, you can rely on subjective values.

These articles will provide you with further explanation about risk assessment:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
- Qualitative vs. quantitative risk assessments in information security: Differences and similarities https://advisera.com/27001academy/blog/2017/03/06/qualitative-vs-quantitative-risk-assessments-in-information-security/

These materials will also help you regarding Risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

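To make the "Impact + Likelihood" versus "Impact x Likelihood" question from the thread concrete, here is an added Python example (not from the thread, the expert or Advisera's materials). The impact and likelihood criteria bands, the sample register entries and the acceptance threshold are constructed assumptions; only the laptop-in-car case with impact 3 and likelihood 3 comes from the discussion above.

```python
from dataclasses import dataclass

# Constructed impact criteria: financial loss in EUR -> score 1..5 (5 if above all bands).
IMPACT_BANDS = [(1_000, 1), (10_000, 2), (100_000, 3), (1_000_000, 4)]
# Constructed likelihood criteria: expected incidents per year -> score 1..5.
LIKELIHOOD_BANDS = [(0.1, 1), (0.5, 2), (2.0, 3), (10.0, 4)]


def score(value: float, bands) -> int:
    """Compare a measured or estimated value against the criteria bands (the analysis step)."""
    for upper, level in bands:
        if value < upper:
            return level
    return 5


@dataclass
class Risk:
    asset: str
    threat: str
    loss_eur: float            # estimated damage if the risk occurs
    incidents_per_year: float  # from statistics/records, or a subjective estimate

    @property
    def impact(self) -> int:
        return score(self.loss_eur, IMPACT_BANDS)

    @property
    def likelihood(self) -> int:
        return score(self.incidents_per_year, LIKELIHOOD_BANDS)

    def level(self, method: str = "add") -> int:
        """Risk = Impact + Likelihood ("add") or Impact x Likelihood ("mul")."""
        if method == "mul":
            return self.impact * self.likelihood
        return self.impact + self.likelihood


def evaluate(risks, method="add", acceptable=5):
    """Evaluation step: risks above the (constructed) acceptance threshold, highest level first."""
    above = [r for r in risks if r.level(method) > acceptable]
    return sorted(above, key=lambda r: r.level(method), reverse=True)


# Constructed register entries; the laptop-in-car case from the thread scores impact 3, likelihood 3.
RISKS = [
    Risk("laptop", "theft from unattended car", 15_000, 1.0),
    Risk("customer database", "ransomware", 500_000, 0.2),
    Risk("office printer", "paper jam", 200, 30.0),
]
```

With additive scoring all three constructed risks land on 6, so a frequent low-impact nuisance ties with a rare high-impact ransomware loss, while multiplicative scoring gives 9, 8 and 5 and keeps the printer below the threshold.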
Guest
patrascuflorin May 10, 2017

Thank you. Your answer is very useful for me :)
