5 - Settings

5 - Settings

Diri comes with several tailorable variables that you can adapt to fit your own security policies and guidelines. As illustrated below, the Diri settings are currently dived in three main categories:
  1. Many organizations already have pre-defined levels for probabilities and consequences, data classification, and revision times. These can be plotted under General settings.
  2. You have the opportunity to add Customable fields to some of the objects in Diri for recording additional information. These fields can be added to IT system risk assessments, Treatments, and Users.
  3. Type definitions relates the Diri libraries of vulnerabilities, consequences, threats, and events. These settings are connected the data aggregation and statistics. Read more about the libraries here.
The settings option is found at the bottom of the main menu.
Note: You will need to “save changes” in the end, or the changes will not be saved.

You should have a security policy or guideline supporting several of the general settings in Diri, if you are missing that, be sure to check out or policy templates (Requires a registered user)

Screenshot of the Diri settings window

General settings

The general settings contains four options:

The risk matrix

The probability and consequence levels are central in the risk assessment and reporting. These settings are applied when assessing risk and aggregating data into the dashboard. (Guidelines available for registered users)

In Settings > Risk matrix, it is possible to rename consequences and probabilities as well as how many different levels of these two you want to take into consideration. What is essential to keep in mind here is that the number of different levels you create must match the number at the top of the consequences and the probabilities. That number beside these categories is how many of the levels will appear as choices during the risk assessment. (Six levels is the current limitation of the levels, but let us know if you need additional levels.)
These settings are stored on the current organizational level and inherited downward in the organization. However, you can create tailored levels on lower organizational levels. The data still aggregates into the dashboard at higher levels without problems.

Setting levels for probability and consequence

Levels for information classification and asset evaluation

Asset evaluation is the cornerstone of the risk assessment as it helps determine which assets need protection. An asset has value for the organization and must be protected. Information classification is a central part of the asset evaluation in the risk assessment process. (Register a user to read the article.)
The classification levels are a direct input to your risk assessment consequence estimate and security management as a whole. Classifications are done within the so-called "CIA" levels; confidentiality, integrity, and availability. These levels should fit your organization's data classification policy. (Data classification policy template is available for registered users)

It is also essential that the number of levels matches the number at the top so that everyone can be selected in the risk assessment. Remember to save changes; this is not done automatically.


In the internationalisation settings, it is currently only possible to change the currency. The currency is used to keep track of the costs in the action plan. If you want to change the language in the application from Norwegian to English or vice versa, this must be done on the "My User" > Language.

Revision time

Revision Time defines how long the action plan is valid before it needs to be revised. For example, one can set a validity of 12 months for annual revision which tracks into your dashboard and sends notification to risk assessment owners.

Tracking the risk assessment progression with underlined revision time

Custom fields


You have the opportunity to add Customable fields to the IT system, treatment, and user objects in Diri for recording additional information. You have the options to add either a Dropdown menu or a Text field. The new field will appear as following;
  1. IT systems: A new page will appear at the end of Step 1 - Registration.
  2. Treatment: At the bottom of the of the treatment registration
  3. Users: At the bottom of My account and by clicking on a user from the Users overview

For example, if you want a maturity field on your treatments, you can add your field with prioritisation options as illustrateted below. The added field will show up at the bottom of the treatment description:

Adding control maturity on a treatment through Custom fields

Other uses: If you want to define something of your own under system, you can also do this here; for example, you can type "Does the system contain key codes?" and choose dropbox and answer yes or no.

On the user, one can also define a separate field such as "Is this a temporary user?" and then select dropbox and answer "Yes or no" then, this will add up under "My user."

Type definitions (Libraries)

The type definitions are closely connected to the libraries and categories in Diri and are the options you have available in the risk assessments. Please note that you cannot delete any options that are currently in use in risk assessments. The "delete" option will be grey and non-clickable for these items.


You can add, edit, and remove vulnerabilities from your risk assessment. Diri comes with four predefined vulnerability domains (Human, Organisational, Physical, Technical), but you can add a higher granularity if you wish. These choices are linked to data aggregation and statistics in the Diri application.


Under threats its possible to add or customize various threats such as Unfaithful employees, terror, criminals, natural disasters and so on. Diri comes with a pre-defined list of threats that you can edit, add, or delete from. You can use our Threat assessment template (for registered users) If you need additional information on your threats for your risk management,

The Consequence Category and Event Category

You can add or customize different events that may occur based on causes and threats. Similarly for consequences if the threat event occurs.

The Consequence and the Event Categories are a bit special because you can not add consequences and events directly in to the library, Consequences and Events are added to the library through Step 3 - Risk assessment (requires registered user). Events and Consequences are added by clicking "New" in the Risk assessment:

Adding a new event to your event register through the risk assessement

Adding a new consequence top your consequence to your consequence register

When you add a new event or consequence you will encounter our Dynamic language system

    • Related Articles

    • 6 - Importing and exporting risk assessment registrations with Excel Spreadsheets

      Why import and export? Many organisations have already mapped their ICT systems portfolio. This overview is often in a spreadsheet format, and Diri includes a spreadsheet import functionality to avoid doing the work twice. Importing through this ...
    • 1 - How to add users in Diri

      How to add users in Diri This article is about adding one or more users to the Diri application. Adding users from Microsoft Azure AD Only administrators can add new users. Log in to Diri and click on Organisation Add your Tennant ID from Microsoft ...
    • 7 - Task and Treatment reminders

      Follow up of tasks, treatments, and expire dates Diri sends reminders on risk assigned treatments, treatment plans, and risk assessment expiration. The email is sent from noreply@diri.no. The settings are available in "My account," be careful to ...
    • 2 - Create your organisation

      What is the organisation in Diri? The Organisation is an available option for administrators to build your desired organisational structure in Diri. The organisation determines the hierarchy in Diri for placing users and objects. It, therefore, forms ...
    • 3 - Role-based Access Control (RBAC)

      Role-based access control in Diri Diri allows for tailoring accesses based on roles. RBAC is an approach to restricting system access to authorized users. RBAC mechanisms are defined around roles and privileges. RBAC makes it easy to assign ...