Risk matrix

This is a simple mechanism to increase visibility of risks and assist management decision making.

In practice, the risk matrix is a useful approach where either the probability or the harm severity cannot be estimated with accuracy and precision.

US DoD, NASA, ISO),[2][3][4] individual projects and organizations may need to create their own or tailor an existing risk matrix.

[7] A 5 x 4 version of the risk matrix was defined by the US Department of Defense on March 30, 1984, in "MIL-STD-882B System Safety Program Requirements".

[8][9] The risk matrix was in use by the acquisition reengineering team at the US Air Force Electronic Systems Center in 1995.

Rankings depend upon the design of the risk matrix itself, such as how large the bins are and whether or not one uses an increasing or decreasing scale.
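
A small illustration of that dependence, added here as an example and not taken from the sources the page cites: two constructed risks are scored on two hypothetical 5 x 5 matrices that differ only in their bin boundaries. The risk values, the boundaries and the use of a probability-category times impact-category score are all assumptions made for the example; it covers bin size only, not scale direction.

```python
from bisect import bisect_right

# Constructed sample risks: (annual probability, loss in dollars).
RISKS = {
    "X": (0.45, 900_000),
    "Y": (0.15, 3_000_000),
}

# Two hypothetical 5x5 matrix designs. Each list holds the four boundaries
# that split an increasing scale into categories 1..5.
DESIGNS = {
    "linear": {"p": [0.2, 0.4, 0.6, 0.8],
               "loss": [100_000, 500_000, 1_000_000, 5_000_000]},
    "log":    {"p": [0.01, 0.05, 0.1, 0.5],
               "loss": [10_000, 100_000, 1_000_000, 10_000_000]},
}

def category(value, edges):
    """Return the 1-based bin for value; a value on a boundary goes up."""
    return bisect_right(edges, value) + 1

def cell_score(risk, design):
    """Assumed scoring rule: probability category times impact category."""
    p, loss = risk
    return category(p, design["p"]) * category(loss, design["loss"])

def ranking(design_name):
    """Return (risk names from highest to lowest score, scores by name)."""
    design = DESIGNS[design_name]
    scores = {name: cell_score(r, design) for name, r in RISKS.items()}
    return sorted(scores, key=lambda n: (-scores[n], n)), scores

def expected_loss(name):
    """Quantitative reference point: probability times loss."""
    p, loss = RISKS[name]
    return p * loss

if __name__ == "__main__":
    for d in DESIGNS:
        order, scores = ranking(d)
        print(f"{d:7s} order={order} scores={scores}")
    print({n: round(expected_loss(n)) for n in RISKS})
```

The same two risks swap places between the two designs, and only the "log" design agrees with the ordering by expected loss.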

Douglas W. Hubbard and Richard Seiersen take the general research from Cox, Thomas, Bratvold, and Bickel, and provide specific discussion in the realm of cybersecurity risk.