University of Wisconsin–Madison

Risk Management Framework

The purpose of this page is to establish the definitions and processes the Office of Cybersecurity uses to measure and rate the risks of information systems through the risk management framework, vulnerability management and compliance operations. These same definitions and processes are recommended for local IT security staff and IT management to use when analyzing risk.

Campus Risk Ratings

Rating Definition & Prescribed Action

CRITICAL Risk

Likelihood: Evidence of exploitation of a vulnerability by a threat actor against the asset has been discovered, or enough evidence is seen to suspect exploitation has occurred in the past.

Mission Impact: Political, financial, legal, operational or reputational impacts will be felt for two or more years. Damages impact at least an entire UW-Madison Division, or multiple departments across divisions.

Action: Immediate action is required to reduce the risk. Systems designated with CRITICAL risk exposure may be required to be disconnected until resolutions or mitigations are found. CRITICAL risks found during a security risk assessment must be communicated upon discovery.


HIGH Risk

Likelihood: Exploitation of a vulnerability by a threat actor against the asset is highly likely, although evidence to suggest exploitation has occurred has not been found.

Mission Impact: Political, financial, legal, operational or reputational impacts will be felt for 6 months, up to two years OR damages impact at least an entire UW-Madison Division, or multiple departments across divisions.

Action: Prompt action is required to reduce the risk. All HIGH risks must be reduced before the close of the next semester of instruction.


MEDIUM Risk

Likelihood: Exploitation of a vulnerability by a threat actor against the asset is likely in general; some controls are in place to reduce the likelihood of occurrence against the specific asset.

Mission Impact: Political, financial, legal, operational or reputational impacts may be felt for a month or more, but less than a year, AND damages would impact three or fewer departments contained in a single UW-Madison division.

Action: Prioritization of remediation efforts is required for all MEDIUM risks. Prioritization must be completed in less than three months. Execution of remediation efforts for MEDIUM risks is based on prioritization relative to other MEDIUM rated risks for the same system or environment.

LOW Risk

Likelihood: Exploitation of a vulnerability by a threat actor is difficult in general, requiring expertise beyond that of one person with advanced computer skills, or resources beyond those generally possessed by an individual. If exploitation is within reach of individuals, then our systems have controls that make an incident unlikely within a defined time frame.

Mission Impact: Political, financial, legal, operational or reputational impacts will be minimal. Operational impacts include: short term reallocation of current IT professionals and resources with localized or minor interruption of project work and non-mission critical services; the data custodian will be inconvenienced for some hours, but definitely less than one week.

Action: Required action is limited to making the data custodians and their leadership aware of the risk. The risk must be tracked and reviewed at the next risk assessment, or sooner if changes to the likelihood or impact become apparent.

No Risk

Likelihood: Exploitation of this risk is not expected over the course of a defined time frame. The difficulty or expense of exploitation of the documented vulnerability is beyond most known organized crime groups.

Mission Impact: No noticeable impact to any part of UW-Madison is predicted if the exploitation occurs.

Action: Documentation in the risk register is required. Include the finding of NO RISK for the asset from the specified threat-vulnerability pairing.

The matrix presented is consistent with the NIST Risk Management Framework (RMF) process and FIPS guidance. A generalized presentation of the FIPS-specific matrix can be found in FIPS 199, February 2004, Table 1.

  • The Risk Levels presented here are the standard terms to be used at UW to facilitate improved communication across diverse groups.
  • Risk ratings aid all parties in decision making throughout the RMF process.
  • Typically, the table is not used in isolation: Impact and Likelihood must be defined and assessed. Discussion of these parameters follows.
  • The impact to your group’s mission and the assessment of likelihood of realization of the impact from a threat-vulnerability combination should be tailored to your individual environment and needs.

Risk ratings — calculating meaningful scores

A brief discussion follows, along with some examples. Please consult the UW-Madison Cybersecurity team if a more detailed discussion is needed regarding the development of a tailored impact score matrix, as well as the building of a Risk Register (not shown) from the resulting scoring.

Risk is attributed to assets based on the analysis of multiple factors which influence the Availability, Integrity or Confidentiality (AIC) of the asset. Factors include:

  • Threats posed to that asset
  • The vulnerabilities that expose the asset
  • The impact to any of the UW-Madison mission, values or guiding principles and
  • The likelihood that the availability, integrity or confidentiality of the asset will be compromised through a given vulnerability by a threat actor

In a quasi-equation format:

[Risk(to AIC of an asset), (from a threat-vulnerability pairing)] = [the Likelihood of exploitation in a given time frame] × [the impact of such exploitation]

Or simply, Risk = Likelihood × Impact

Risk-scoring notes:

  • The cataloging of risk calculations for assets is often accomplished through some tool, such as a spreadsheet, acting as a “Risk Register.” Cybersecurity has a template to get you started.
  • Existing security controls need to be considered when evaluating the likelihood of an event.
  • Similarly, existing controls are considered if they limit the felt Impact to your mission.
  • When a single score is required for a complex system, the highest risk level found among all components of the asset is used.
  • Risks of a threat-vulnerability pairing can be evaluated individually for Availability, Integrity and Confidentiality (AIC) of the asset. Similarly, a single risk scoring can consider two of these or all three parameters.

Risk level is influenced by the type of data in question and the volume of data in question. Type and volume are considerations influencing the Impact score.
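The scoring rules above (Risk = Likelihood × Impact, scored per Availability, Integrity and Confidentiality, with a complex system taking the highest level found among its components) as an added worked example. This is illustrative code, not a Cybersecurity template or tool; the 0–4 ordinal scale, the product-to-rating thresholds, and the sample register entries are assumptions, since the page defines the levels qualitatively only.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Assumed ordinal scale for the campus rating names (page defines them qualitatively)."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


RATING_NAME = {Level.NONE: "No Risk", Level.LOW: "LOW", Level.MEDIUM: "MEDIUM",
               Level.HIGH: "HIGH", Level.CRITICAL: "CRITICAL"}


@dataclass(frozen=True)
class Finding:
    component: str    # component of the system being assessed
    pairing: str      # threat-vulnerability pairing being scored
    likelihood: Level  # existing controls are already factored into this level
    impact: dict      # {"A": Level, "I": Level, "C": Level}, controls already factored in


def risk_product(likelihood: Level, impact: Level) -> int:
    """Risk = Likelihood x Impact on the assumed 0-4 scale (product ranges 0-16)."""
    return int(likelihood) * int(impact)


def rating(product: int) -> Level:
    """Assumed thresholds mapping a product back to a campus rating."""
    if product == 0:
        return Level.NONE
    if product <= 2:
        return Level.LOW
    if product <= 6:
        return Level.MEDIUM
    if product <= 9:
        return Level.HIGH
    return Level.CRITICAL


def score_finding(f: Finding) -> dict:
    """Rate one pairing separately for A, I and C, as the page allows."""
    return {k: rating(risk_product(f.likelihood, v)) for k, v in f.impact.items()}


def system_rating(findings) -> Level:
    """Single score for a complex system: highest level found across all components."""
    return max((lvl for f in findings for lvl in score_finding(f).values()), default=Level.NONE)


# Constructed sample register for a hypothetical two-component system (placeholder pairings).
SAMPLE = [
    Finding("web-frontend", "TV-01 (placeholder)", Level.HIGH,
            {"A": Level.LOW, "I": Level.HIGH, "C": Level.MEDIUM}),
    Finding("db-backend", "TV-02 (placeholder)", Level.MEDIUM,
            {"A": Level.NONE, "I": Level.MEDIUM, "C": Level.HIGH}),
]
```

For the sample register the frontend's Integrity score (3 × 3 = 9) drives the system to HIGH even though every other AIC score is MEDIUM or lower, which is exactly the roll-up rule the page prescribes.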

Campus Risk Executives

UDDS Campus Unit Risk Management Executive
A01 General Education Admin TBD
A02 General Services, AIMS Laurent Heller
A03 Business Services Daniel Langer
A04 Division of Student Life TBD
A05 Enrollment Management Steven Hahn
A06 Division of Information Technology (DoIT) Michael Lehman
A07 College of Agriculture and Life Sciences TBD
A10 International Division TBD
A12 Wisconsin School of Business TBD
A17 School of Education Diana Hess
A18 Arts Institute TBD
A19 College of Engineering TBD
A27 School of Human Ecology TBD
A34 Vice Chancellor for Research & Graduate Education TBD
A40 Nelson Institute for Environmental Studies TBD
A42 Division of Intercollegiate Athletics TBD
A45 Law School Margaret Raymond
A48 College of Letters & Sciences TBD
A49 General Library System TBD
A52 Wisconsin State Lab of Hygiene Peter Shult
A53 School of Medicine and Public Health Kenneth Mount
A54 School of Nursing TBD
A56 School of Pharmacy TBD
A57 University Health Services TBD
A71 Facilities Planning & Management David Darling
A77 University of Wisconsin Police TBD
A80 Recreational Sports TBD
A85 University Housing TBD
A87 School of Veterinary Medicine TBD
A88 Wisconsin Veterinary Diagnostic Lab TBD
A93 Division of Continuing Studies TBD
A96 Wisconsin Union TBD

Details about RMF process