Impact, Likelihood and Risk Rating
The first step is to identify a security risk that needs to be rated. The risk assessor needs to gather information about the threat agent involved, the attack that will be used, the vulnerability involved, and the impact of a successful exploit on the business. There may be multiple possible groups of attackers, or even multiple possible business impacts. In general, it’s best to err on the side of caution by using the worst-case option, as that will result in the highest overall risk.
There are a number of factors that can help determine the likelihood. The first set of factors is related to the threat agent involved. The goal is to estimate the likelihood of a successful attack from a group of possible attackers. Note that there may be multiple threat agents that can exploit a particular vulnerability, so it’s usually best to use the worst-case scenario. For example, an insider may be a much more likely attacker than an anonymous outsider, but it depends on a number of factors.
Note that each factor has a set of options, and each option has a likelihood rating from 0 to 9 associated with it. These numbers will be used later to estimate the overall likelihood.
The first set of factors is related to the threat agent involved. The goal here is to estimate the likelihood of a successful attack by this group of threat agents. Use the worst-case threat agent.
Threat Agent Factors
How technically skilled is this group of threat agents? Security penetration skills (9), network and programming skills (6), advanced computer user (5), some technical skills (3), no technical skills (1)
How motivated is this group of threat agents to find and exploit this vulnerability? Low or no reward (1), possible reward (4), high reward (9)
What resources and opportunities are required for this group of threat agents to find and exploit this vulnerability? Full access or expensive resources required (0), special access or resources required (4), some access or resources required (7), no access or resources required (9)
How large is this group of threat agents? Developers (2), system administrators (2), intranet users (4), partners (5), authenticated users (6), anonymous Internet users (9)
The next set of factors is related to the vulnerability involved. The goal here is to estimate the likelihood of the particular vulnerability being discovered and exploited. Assume the threat agent selected above.
Ease of Discovery
How easy is it for this group of threat agents to discover this vulnerability? Practically impossible (1), difficult (3), easy (7), automated tools available (9)
Ease of Exploit
How easy is it for this group of threat agents to actually exploit this vulnerability? Theoretical (1), difficult (3), easy (5), automated tools available (9)
Awareness
How well known is this vulnerability to this group of threat agents? Unknown (1), hidden (4), obvious (6), public knowledge (9)
Intrusion Detection
How likely is an exploit to be detected? Active detection in application (1), logged and reviewed (3), logged without review (8), not logged (9)
The overall likelihood rating can be determined by taking the average of all eight factors above. Map that average score to a single likelihood rating using the table below:
The business impact requires a deep understanding of what is important to the company running the application. The business risk is what justifies investment in fixing security problems.
How much financial damage will result from an exploit? Less than the cost to fix the vulnerability (1), minor effect on annual profit (3), significant effect on annual profit (7), bankruptcy (9)
Would an exploit result in reputation damage that would harm the business? Minimal damage (1), loss of major accounts (4), loss of goodwill (5), brand damage (9)
How much exposure does non-compliance introduce? Minor violation (2), clear violation (5), high profile violation (7)
How much personally identifiable information could be disclosed? One individual (3), hundreds of people (5), thousands of people (7), millions of people (9)
The overall business impact rating can be determined by taking the average of all four factors above. Map that average score to a single impact rating using the table below:
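The scoring procedure above, worked through in code. This is an added example, not part of the original page or the linked spreadsheet; the factor names, the sample scores and the two candidate threat agents are constructed here, and the LOW/MEDIUM/HIGH thresholds (0 to <3, 3 to <6, 6 to 9) and the severity lookup are assumed from the OWASP Risk Rating Methodology, since the page refers to its mapping table without reproducing it.

```python
from statistics import mean

# Thresholds and severity matrix assumed from the OWASP Risk Rating Methodology
# (the page cites its mapping table but does not show it).
def level(score: float) -> str:
    """Map a 0-9 average to LOW (0 to <3), MEDIUM (3 to <6) or HIGH (6 to 9)."""
    if score < 3:
        return "LOW"
    return "MEDIUM" if score < 6 else "HIGH"

# Overall severity is looked up as SEVERITY[impact_level][likelihood_level]
# rather than multiplied, so the two ratings stay visible in the result.
SEVERITY = {
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
}

# Factor names are constructed labels for the eight likelihood and four impact
# questions listed on this page.
LIKELIHOOD_FACTORS = ("skill", "motive", "opportunity", "size",
                      "discovery", "exploit", "awareness", "detection")
IMPACT_FACTORS = ("financial", "reputation", "compliance", "privacy")

def average(scores: dict, names: tuple) -> float:
    """Average the named factor scores, rejecting missing or out-of-range values."""
    missing = [n for n in names if n not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    bad = [n for n in names if not 0 <= scores[n] <= 9]
    if bad:
        raise ValueError(f"scores must be 0-9: {bad}")
    return mean(scores[n] for n in names)

def rate(threat_agents: list, impact: dict) -> dict:
    """Rate one vulnerability: the worst-case (highest) likelihood across the
    candidate threat agents, as the page advises, combined with business impact."""
    likelihood = max(average(agent, LIKELIHOOD_FACTORS) for agent in threat_agents)
    impact_score = average(impact, IMPACT_FACTORS)
    return {"likelihood": likelihood, "impact": impact_score,
            "severity": SEVERITY[level(impact_score)][level(likelihood)]}

# Constructed sample: the same flaw scored for two candidate threat agents.
ANONYMOUS = {"skill": 6, "motive": 4, "opportunity": 9, "size": 9,
             "discovery": 7, "exploit": 5, "awareness": 6, "detection": 8}
DEVELOPER = {"skill": 6, "motive": 1, "opportunity": 4, "size": 2,
             "discovery": 7, "exploit": 5, "awareness": 6, "detection": 8}
IMPACT = {"financial": 3, "reputation": 4, "compliance": 5, "privacy": 7}

if __name__ == "__main__":
    print(rate([ANONYMOUS, DEVELOPER], IMPACT))
```

The anonymous attacker averages 6.75 and the developer 4.875, so the worst-case rule carries the HIGH likelihood forward; the same flaw rated only against insiders would land a step lower.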
Risk Rating Presentation
The old adage states that Risk = Impact × Likelihood. Although this is true, a mathematical multiplication of compartmentalized Impact and Likelihood ratings often gives a Risk Rating that does not convey the actual gravity of the risk.
The best way to present the gravity of a risk seems to be to explain the Business Impact of the risk in terms of the four factors below, as these are what a Business Owner can directly relate to:
- Financial Damage
- Reputation Damage
- Non-compliance
- Privacy Violation
The likelihood of the risk taking place is best explained through five levels and their real-life examples:
- Certain – Toe Injury
- Likely – Fall
- Possible – Major Car Accident
- Unlikely – Aircraft Crash
- Rare – Major Tsunami
An Excel guide to help arrive at the likelihood rating and, optionally, the impact rating is available at: https://github.com/GreenDiary/risk_assessment_best_practices/blob/master/OWASP_Risk_Rating_Methedology_v0.02.xlsx