Risk Attribute Information

Risk for each threat scenario is determined based on two attributes: IMPACT to the business, and LIKELIHOOD of the threat scenario taking place. The rating for each of these attributes was objectively determined based on the guidelines in the sub-sections below.

Impact

The impact of a threat scenario is the effect it would have on the business in terms of 3 factors: reputational damage, affected users, and financial damage. These are measured as follows:

Reputational Damage

  1. None
  2. Minimum: Negative article on local news – Very limited number of people will care about this – Limited potential for customer loss.
  3. Moderate: Negative article on regional news – Might lose some customers and may not be able to easily attract new customers.
  4. High: Negative article on national/international news – Tarnishes the brand permanently – Lose most customers, very difficult to attract any new customers. World-ending situation including fines, contractual breach, lawsuits, etc.

Affected Users

  1. No affected users
  2. Single user can be exploited at a time
  3. Some users of the system or application are impacted
  4. Majority of users impacted

Financial Damage (this is specific per company)

  1. None
  2. Hundreds
  3. Thousands
  4. Millions

Likelihood

The likelihood that a threat scenario would take place is based on 3 factors: reproducibility, exploitability, and discoverability. These are measured as follows:

Reproducibility

The number of conditions that must hold for the attack to succeed whose outcome is random or not under the attacker's control.

  1. Too many factors involved, or quite a few conditions need to take place
  2. More than one factor is required for the attack to be successful (e.g. user must be logged on + not be security aware)
  3. Only one factor is required for the attack to be successful (e.g. victim/attacker must be logged on)
  4. No required factor is random or outside the control of the attacker

Exploitability

This is about the required skills and expertise.

  1. Next to impossible: Even with direct knowledge of the vulnerability we do not see a viable path for exploitation (Only Neo could hack this)
  2. Advanced techniques required: Custom tooling and advanced skills (DEFCON Presenter)
  3. Moderate techniques required: Custom tooling and moderate skills (Average Bug Bounty Participant)
  4. Trivial: Just a web browser or basic/publicly-available tools (Script Kiddie)

Discoverability

  1. Very hard or impossible to discover even given access to source code and privileged access to running systems
  2. Inside knowledge or access to application internals is required to discover the issue
  3. Advanced tools and techniques are required to discover the issue
  4. Details of faults like this are already in the public domain and can be easily discovered using a search engine. Weakness can be easily discovered by most computer users. The information is visible in the web browser address bar or in a form.
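A small scorer that applies the rubric above to a constructed threat scenario, added here as an example and not part of the original document. It assumes each factor is rated by its position in the corresponding list (1 to 4), that IMPACT and LIKELIHOOD are the arithmetic mean of their three factors, and a 4x4 risk matrix that the page does not define; the sample scenario values are constructed.

```python
"""Score a threat scenario against the IMPACT / LIKELIHOOD rubric.

Assumptions not stated on the page: factor ratings are 1..4 by list position,
each attribute is the mean of its three factors, and the final level comes
from an assumed risk matrix indexed by the rounded attribute scores.
"""
from dataclasses import dataclass
from statistics import mean

IMPACT_FACTORS = ("reputational_damage", "affected_users", "financial_damage")
LIKELIHOOD_FACTORS = ("reproducibility", "exploitability", "discoverability")

# Assumed matrix: RISK_MATRIX[likelihood - 1][impact - 1], both rounded to 1..4.
RISK_MATRIX = [
    ["Low", "Low", "Medium", "Medium"],
    ["Low", "Medium", "Medium", "High"],
    ["Medium", "Medium", "High", "Critical"],
    ["Medium", "High", "Critical", "Critical"],
]

@dataclass
class RiskRating:
    impact: float
    likelihood: float
    level: str

def rating_errors(ratings: dict) -> list:
    """Return a list of problems; empty means every factor is an int in 1..4."""
    errors = []
    for factor in IMPACT_FACTORS + LIKELIHOOD_FACTORS:
        value = ratings.get(factor)
        if not isinstance(value, int) or not 1 <= value <= 4:
            errors.append(f"{factor} must be an integer 1..4, got {value!r}")
    return errors

def rate_scenario(ratings: dict) -> RiskRating:
    errors = rating_errors(ratings)
    if errors:
        raise ValueError("; ".join(errors))
    impact = mean(ratings[f] for f in IMPACT_FACTORS)
    likelihood = mean(ratings[f] for f in LIKELIHOOD_FACTORS)
    # Means of three 1..4 integers are multiples of 1/3, so round() never sees .5.
    level = RISK_MATRIX[round(likelihood) - 1][round(impact) - 1]
    return RiskRating(impact, likelihood, level)

# Constructed scenario: a session token visible in the browser address bar,
# which the Discoverability scale above rates as trivially discoverable.
EXAMPLE_SCENARIO = {
    "reputational_damage": 3, "affected_users": 3, "financial_damage": 3,
    "reproducibility": 4, "exploitability": 4, "discoverability": 4,
}
```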