The OWASP Risk Rating Methodology

https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

Discovering vulnerabilities is important, but being able to estimate the associated risk to the business is just as important. Early in the life cycle, one may
identify security concerns in the architecture or design by using threat modeling. Later, one may find security issues using code review or penetration
testing. Or problems may not be discovered until the application is in production and is actually compromised.

By following the approach here, it is possible to estimate the severity of all of these risks to the business and make an informed decision about what to do
about those risks. Having a system in place for rating risks will save time and eliminate arguing about priorities. This system will help to ensure that the
business doesn't get distracted by minor risks while ignoring more serious risks that are less well understood.

Ideally there would be a universal risk rating system that would accurately estimate all risks for all organizations. But a vulnerability that is critical to one
organization may not be very important to another. So a basic framework is presented here that should be customized for the particular organization.

The authors have tried hard to make this model simple to use, while keeping enough detail for accurate risk estimates to be made. Please reference the
section below on customization for more information about tailoring the model for use in a specific organization.
 Risk: Full database theft from datacenter

Likelihood
Threat agent factors Vulnerability facto

Skill level Motive Opportunity Size Ease of discovery

4 - Special access
4 - Advanced 1 - Low or no or resources
computer user reward required 5 - Partners 3 - Difficult
Overall likelihood: 3.375 MEDIUM

Technical Impact Business Impac

Loss of Loss of Loss of

confidentiality Loss of integrity availability accountability Financial damage

2 - Minimal non- 1 - Less than the

sensitive data 9 - Completely cost to fix the
disclosed 0- 0- anonymous vulnerability
Overall technical impact: 2.750 LOW Overall business impact:
Overall impact: 2.250 LOW

Overall Risk Severity = Likelihood x Impact

HIGH Medium High Critical

MEDIUM Low Medium High
Impact
LOW Note Low Medium
LOW MEDIUM HIGH
Likelihood
 Vulnerability factors
Intrusion
Ease of exploit Awareness detection

3 - Logged and
3 - Difficult 4 - Hidden reviewed
EDIUM

Business Impact

Reputation
damage Non-compliance Privacy violation

1 - Minimal 5 - Hundreds of
damage 0- people
Overall business impact: 1.750 LOW
OW

Likelihood and Impact Levels

0 to <3 LOW
3 to <6 MEDIUM
6 to 9 HIGH
 Skill level Motive Opportunity Size

Full access or expensive

0 resources required

1 No technical skills Low or no reward

Developers, system
2 administrators

3 Some technical skills

Special access or
4 Possible reward resources required Intranet users

5 Advanced computer user Partners

Network and
6 programming skills Authenticated users
Some access or
7 resources required

8
Security penetration No access or resources Anonymous Internet
9 skills High reward required users
Ease of discovery Ease of exploit Awareness Intrusion detection Loss of confidentialit

Active detection in
Practically impossible Theoretical Unknown application

Minimal non-sensitive
data disclosed

Difficult Difficult Logged and reviewed

Minimal critical data

disclosed, extensive non-
Hidden sensitive data disclosed

Extensive critical data

Easy disclosed

Obvious

Easy

Logged without review

Automated tools Automated tools
available available Public knowledge Not logged All data disclosed
Loss of integrity Loss of availability Loss of accountabilityFinancial damage Reputation damage

Minimal slightly corrupt Minimal secondary Less than the cost to fix
data services interrupted Fully traceable the vulnerability Minimal damage

Minimal seriously Minor effect on annual

corrupt data profit

Loss of major accounts

Minimal primary services

interrupted, extensive
Extensive slightly corrupt secondary services
data interrupted Loss of goodwill

Extensive seriously Extensive primary Significant effect on

corrupt data services interrupted Possibly traceable annual profit

All services completely

All data totally corrupt lost Completely anonymous Bankruptcy Brand damage
Non-compliance Privacy violation

Minor violation

One individual

Clear violation Hundreds of people

High profile violation Thousands of people

Millions of people