5 Common Mistakes in Information Security Risk Scoring | Arté
The most common pitfalls in risk scoring — from gut-feeling ratings and ignoring threat context to treating all vulnerabilities equally — and how to avoid them.
Arté Team · 2026-06-02
Risk scoring is one of the most important steps in any risk assessment — and one of the easiest to get wrong. A 5x5 matrix looks straightforward, but the way organizations fill it in often introduces bias, inconsistency, and blind spots that undermine the entire program. Here are five mistakes we see regularly, and how to avoid them.

1. Gut-Feeling Scoring

The most common mistake. An assessor looks at a risk, thinks "that feels like a 3 likelihood and 4 impact," and moves on. No reference data, no structured reasoning, no documentation of why those numbers were chosen. The problem isn't that the scores are always wrong — sometimes intuition is close. The problem is that gut-feeling scores are inconsistent across assessors, impossible to justify in an audit, and difficult to compare over time.

How to avoid it: Use historical data, industry benchmarks, and threat intelligence to inform your ratings. If your organization has assessed similar risks before, use those as a baseline. If you're starting fresh, lean on industry-standard benchmarks for your sector. Document the reasoning behind every score — not just the number.

2. Ignoring Threat Context

Scoring likelihood without considering who might exploit a vulnerability — and how capable they are — produces misleading results. A risk exposed to nation-state actors with advanced persistent threat capabilities is fundamentally different from the same technical vulnerability in an environment only accessible to low-skill opportunistic attackers. The vulnerability is the same, but the threat context changes the likelihood dramatically.

How to avoid it: Consider the threat source for every risk. Evaluate the capability, motivation, and opportunity of relevant threat actors. A risk with a Critical vulnerability but no credible threat actor may score lower than one with a Medium vulnerability facing a highly motivated adversary.

3. Treating All Vulnerabilities Equally

Not all vulnerabilities carry the same exploitability.
An unpatched public-facing web server is not the same risk as a missing security policy document — yet both might get scored as "High vulnerability" if the assessment doesn't account for how easy each one is to exploit. Factors that matter include attack complexity, the level of access required, whether user interaction is needed, and the degree of network exposure. A vulnerability that requires physical access and administrator credentials is far less exploitable than one that can be triggered remotely with no authentication.

How to avoid it: Assess vulnerabilities based on their exploitability characteristics, not just their existence. Consider using established scoring frameworks like CVSS factors (attack vector, complexity, privileges required) to differentiate between vulnerabilities that look similar on paper but carry very different real-world risk.

4. Scoring Once and Never Revisiting

The threat landscape changes constantly. New vulnerabilities are disclosed daily. Threat actor tactics evolve. Your own environment changes as you deploy new systems, onboard new vendors, or enter new markets. A risk scored twelve months ago based on last year's threat intelligence may no longer reflect reality. Organizations that treat risk scoring as a one-time checkbox exercise end up with a risk register that's technically complete but practically useless.

How to avoid it: Establish a review cadence. High and critical risks should be reviewed quarterly. The full risk register should be reviewed annually at minimum. Any significant change — a major incident, a new system deployment, a regulatory update — should trigger a targeted reassessment.

5. Not Accounting for Control Effectiveness

Many organizations score the inherent risk (before controls) and stop there, or they mentally adjust the score downward because "we have a firewall" without actually measuring how much that firewall reduces the risk. Controls vary in effectiveness.
A fully implemented technical control provides different risk reduction than a planned administrative policy. Stacking five controls of the same type doesn't provide five times the reduction — there are diminishing returns. And no combination of controls reduces risk to zero.

How to avoid it: Score inherent risk first, then systematically evaluate how each control reduces likelihood and/or impact. Consider the control type, its implementation maturity, and whether it addresses the specific threat-vulnerability combination you're assessing. Calculate the residual risk explicitly — don't estimate it.

The Common Thread

All five mistakes share one root cause: treating risk scoring as a subjective exercise rather than a structured, evidence-based process. The more data and context you bring into your scoring — threat intelligence, vulnerability exploitability, historical benchmarks, control effectiveness — the more defensible and useful your risk assessments become.
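The following Python script is an added example, not code from the article or from Arté; it puts the advice for mistakes 2, 3 and 5 into one structured scoring pipeline so each number in the register has a traceable origin. Only the CVSS v3.1 exploitability metric values (attack vector, attack complexity, privileges required, user interaction, scope unchanged) are published constants; the 1..5 rating thresholds, the geometric-mean likelihood rule, the multiplicative control model, the 5x5 bands, and the sample threat actors and controls are assumptions constructed for illustration.

```python
"""Structured risk scoring on a 5x5 matrix: exploitability-based vulnerability
rating, threat-context likelihood, inherent risk, and explicit residual risk.

Only the CVSS v3.1 exploitability metric values are published constants; the
rating thresholds, the likelihood rule, the control model and all sample actors
and controls are constructed for this example."""
import math
from dataclasses import dataclass

# CVSS v3.1 base metrics used by the exploitability sub-score (scope unchanged).
ATTACK_VECTOR = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
ATTACK_COMPLEXITY = {"L": 0.77, "H": 0.44}
PRIVILEGES_REQUIRED = {"N": 0.85, "L": 0.62, "H": 0.27}
USER_INTERACTION = {"N": 0.85, "R": 0.62}


def round_half_up(x: float) -> int:
    """Deterministic rounding for ratings (avoids Python's banker's rounding)."""
    return int(math.floor(x + 0.5))


def cvss_exploitability(av: str, ac: str, pr: str, ui: str) -> float:
    """CVSS v3.1 exploitability sub-score: 8.22 * AV * AC * PR * UI (max ~3.89)."""
    return (8.22 * ATTACK_VECTOR[av] * ATTACK_COMPLEXITY[ac]
            * PRIVILEGES_REQUIRED[pr] * USER_INTERACTION[ui])


def vulnerability_rating(exploitability: float) -> int:
    """Map the sub-score onto a 1..5 rating, so 'exists' is not 'exploitable'
    (constructed thresholds)."""
    for threshold, rating in ((3.0, 5), (2.0, 4), (1.2, 3), (0.5, 2)):
        if exploitability >= threshold:
            return rating
    return 1


@dataclass(frozen=True)
class ThreatActor:
    name: str
    capability: int   # 1..5
    motivation: int   # 1..5
    opportunity: int  # 1..5

    def rating(self) -> int:
        return round_half_up((self.capability + self.motivation + self.opportunity) / 3)


def likelihood(threat: ThreatActor, vuln_rating: int) -> int:
    """Likelihood 1..5 as the geometric mean of threat and vulnerability ratings
    (constructed rule): a Critical vulnerability with no credible actor lands
    lower than a Medium one facing a capable, motivated adversary."""
    return max(1, round_half_up(math.sqrt(threat.rating() * vuln_rating)))


@dataclass(frozen=True)
class Control:
    name: str
    reduces: str           # "likelihood" or "impact"
    effectiveness: float   # fraction removed when fully implemented, 0 <= e < 1
    maturity: float        # implementation maturity 0..1 (planned ~0.1, live 1.0)

    def factor(self) -> float:
        if not (0.0 <= self.effectiveness < 1.0 and 0.0 <= self.maturity <= 1.0):
            raise ValueError(f"{self.name}: effectiveness in [0,1), maturity in [0,1]")
        return 1.0 - self.effectiveness * self.maturity


def residual_factor(controls: list, dimension: str) -> float:
    """Controls stack multiplicatively: five 30% controls leave 0.7**5 = 16.8%
    of the original, not 0%, and no finite stack reaches zero."""
    factor = 1.0
    for control in controls:
        if control.reduces == dimension:
            factor *= control.factor()
    return factor


def band(score: float) -> str:
    """5x5 matrix bands on likelihood * impact (constructed thresholds)."""
    return "Critical" if score >= 15 else "High" if score >= 10 else "Medium" if score >= 5 else "Low"


def score_risk(threat, av, ac, pr, ui, impact, controls) -> dict:
    """Inherent risk first, then residual risk calculated (not estimated) from the controls."""
    like = likelihood(threat, vulnerability_rating(cvss_exploitability(av, ac, pr, ui)))
    res_like = like * residual_factor(controls, "likelihood")
    res_impact = impact * residual_factor(controls, "impact")
    return {"likelihood": like, "impact": impact, "inherent": like * impact,
            "residual": round(res_like * res_impact, 2),
            "inherent_band": band(like * impact), "residual_band": band(res_like * res_impact)}


if __name__ == "__main__":
    apt = ThreatActor("state-sponsored group", capability=5, motivation=5, opportunity=4)
    controls = [Control("WAF in front of the server", "likelihood", 0.5, 1.0),
                Control("Patch SLA (policy drafted, not enforced)", "likelihood", 0.6, 0.1),
                Control("Tested offline backups", "impact", 0.4, 1.0)]
    # Unpatched public-facing web server: remote, low complexity, no privileges, no UI.
    print(score_risk(apt, "N", "L", "N", "N", impact=4, controls=controls))
```

Two things worth noticing when running it. The drafted-but-unenforced patch policy barely moves the residual (its factor is 0.94) while the live WAF halves likelihood, which is the maturity distinction the article asks for; and because factors multiply, stacking five identical 30% controls leaves about 17% of the original likelihood rather than "150% reduction", so the diminishing returns and the non-zero floor fall out of the arithmetic instead of being argued case by case.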