The Diri Risk Matrix

What is the Diri Risk Matrix?

The Risk Matrix in Diri is a classic visualization matrix that illustrates risks on two axes, with probability on the Y-axis and consequence on the X-axis. In Diri, a risk is a combination of a cause, an event, and a consequence. The cause has a probability of occurring, and the consequence has a severity estimate. The probability of occurrence for the cause is the answer to how likely it is that a threat will exploit a vulnerability. The consequence is estimated from the harm done to assets. The cause is managed with probability-reducing treatments, and the consequence is managed with consequence-reducing treatments.


The figure shows the risk matrix in Diri, with illustrations of a threat exploiting a vulnerability for the probability estimation on the Y-axis and of the consequence for assets (crown jewels) on the X-axis.

Risk calculations

In the above picture you can see that the matrix has four different views for the risk picture. A risk has four different settings in Diri:

  1. Before treatments = Displays the risk picture without any treatments, also called inherent risk
  2. Current = Displays the current risk picture with implemented treatments
  3. Planned risk = Displays the "accepted" risk picture with implemented, planned, and ongoing treatments
  4. All treatments = Displays the risk picture if all of the treatments in the database (open, suggested, planned, ongoing, and implemented) are taken into account
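
The four views can be read as filters on treatment status. The following is an added example, not Diri's own code or calculation: the class and function names are hypothetical, and it assumes each treatment lowers its axis by a whole number of matrix levels, which the article does not specify.

```python
from dataclasses import dataclass

# Treatment statuses counted in each of the four views, as listed above.
VIEW_STATUSES = {
    "before_treatments": set(),
    "current": {"implemented"},
    "planned": {"implemented", "planned", "ongoing"},
    "all_treatments": {"open", "suggested", "planned", "ongoing", "implemented"},
}

@dataclass(frozen=True)
class Treatment:
    name: str
    status: str    # open | suggested | planned | ongoing | implemented
    reduces: str   # "probability" (acts on the cause) or "consequence"
    levels: int    # assumed effect: matrix levels removed on that axis

@dataclass(frozen=True)
class Risk:
    name: str
    probability: int   # inherent level, 1 = lowest
    consequence: int   # inherent level, 1 = lowest
    treatments: tuple = ()

def position(risk, view):
    """Return the (probability, consequence) cell of a risk in one view."""
    counted = VIEW_STATUSES[view]
    prob, cons = risk.probability, risk.consequence
    for t in risk.treatments:
        if t.status not in counted:
            continue  # this treatment is not part of the selected view
        if t.reduces == "probability":
            prob -= t.levels
        elif t.reduces == "consequence":
            cons -= t.levels
        else:
            raise ValueError(f"unknown treatment type: {t.reduces}")
    # A treatment cannot push a risk below the lowest level of the matrix.
    return max(prob, 1), max(cons, 1)

def risk_picture(risk):
    """Position of one risk in all four views."""
    return {view: position(risk, view) for view in VIEW_STATUSES}

# Constructed sample risk, not taken from Diri.
SAMPLE = Risk("Ransomware on file server", probability=4, consequence=5, treatments=(
    Treatment("Patch management", "implemented", "probability", 1),
    Treatment("Offline backups", "ongoing", "consequence", 2),
    Treatment("Network segmentation", "planned", "probability", 1),
    Treatment("EDR rollout", "suggested", "probability", 1),
))
```

Calling risk_picture(SAMPLE) shows the same risk moving from its inherent cell towards the lower-left of the matrix as each view counts more treatment statuses.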

Using the risk matrix


Picture illustrating the drilldown functionality from clicking on a risk in the matrix. Access the risk assessment by clicking on the risk assessment.

All of the risk matrices available in Diri offer drilldown functionality. The risk matrix is available in three places:
  1. The risk matrix in the main dashboard shows the aggregated risk picture from all the assessments visible to you. It allows you to drill down into a specific risk assessment by clicking the risk bubble and selecting the risk you wish to examine.
  2. The risk matrix in the risk assessment dashboard shows the risk picture for the current object being assessed. It allows you to drill down into a specific risk in the risk analysis.
  3. The risk matrix in the risk assessment dashboard step 4 - Treatment plan is used for cost-benefit analysis of treatments. It allows for a quick jump back into the risk analysis.

Configuring the risk matrix

Access "Settings" to tailor your risk matrix the way you want. You can use between 3 and 6 levels, and each level can be named according to your risk management policy. Read more about configuration.
You can set the levels as you wish. The example below uses numerical and logarithmic scales instead of subjective risk levels.


Example of a risk matrix with five descriptions and numerical logarithmic scales in Diri




