Risk Assessment Calculator

Rohit Ranjan
3 min read · Aug 31, 2020


Calculating risk for an organisation is always tricky. A risk score eases the job by reducing the assessment to a single number. The score is on a scale of 0 to 10 and projects the organisation's overall security posture: a score close to 10 is bad, a score close to 0 is good, so ideally the score is low, meaning the risk is low. I've used the 16 factors of the OWASP Risk Rating Methodology, each scored from a fixed table, to rate a specific risk: a risk's score is the average of its 16 factor scores. When this is done for every risk and the average of those scores is taken, we get the organisation's risk score and the risk rating derived from it. The score can also be expressed as a percentage that describes how secure the organisation is. Two caveats when reading the number: averaging all 16 factors into one value is a simplification of the OWASP method, which averages likelihood (threat agent and vulnerability factors) and impact (technical and business factors) separately and then combines them, so a rare but catastrophic risk can average out to a middling score; and a factor scored NA contributes 0 to the average, which pulls down the score of any risk that has factors left unscored.

For Example,

a risk score of 5.14 means 10 – 5.14 = 4.86, so the organisation is 48.6% secure and 51.4% at risk.

The factors used by the risk assessment calculator, with the options for each and their risk scores, are listed below:

Threat Agent Factors

1. Skills required: the skill level an attacker needs to exploit the risk

No skills 10

Some skills 7

Advanced user 5

Network & Programming Skills 4

Security penetration Skills 2

NA 0

2. Motive: the attacker's return on effort

High Reward 10

Possible reward 5

No reward 1

NA 0

3. Opportunity: the access level or resources required to exploit the vulnerability

No access or resource required 10

Some access or resource required 8

Special access or resource required 5

Full access or expensive resource required 0

4. Population size: the group of potential attackers and their privilege level

Anonymous internet user 10

Authenticated user 7

Partners 6

Intranet user 5

System admin 3

NA 0

Vulnerability Factors

5. Ease of discovery: the effort required to find the vulnerability

Automated tools 10

Easy 8

Difficult 4

Impossible 2

NA 0

6. Ease of exploit: the effort required to exploit the vulnerability

Automated tools 10

Easy 8

Difficult 4

Theoretical 2

NA 0

7. Awareness: how well known the vulnerability is

Public Knowledge 10

Obvious 7

Hidden 5

Unknown 2

NA 0

8. Intrusion detection: whether exploitation of the vulnerability would be detected

Not logged 10

Logged without review 8

Logged and reviewed 4

Active detection in application 2

NA 0

Technical Impact Factors

9. Loss of confidentiality: the extent of confidential data disclosed

All data disclosed 10

Extensive critical data disclosed 8

Extensive non-sensitive data disclosed 7

Minimal non-sensitive data disclosed 3

NA 0

10. Loss of integrity: the extent to which data integrity is compromised

All data totally corrupt 10

Extensive seriously corrupt data 8

Extensive slightly corrupt data 6

Minimal seriously corrupt data 4

Minimal slightly corrupt data 2

NA 0

11. Loss of availability: the extent of downtime the exploit can cause

All services completely lost 10

Extensive primary services interrupted 8

Minimal primary services interrupted 6

Minimal secondary services interrupted 2

NA 0

12. Loss of accountability: the extent to which the attacker can remain untraceable

Completely anonymous 10

Attack possibly traceable to individual 8

Attack fully traceable to individual 2

NA 0

Business Impact Factors

13. Financial damage: the extent of monetary loss to the organisation

Bankruptcy 10

Significant effect to annual profit 8

Minor effect to annual profit 5

Damage cost is less than the cost to fix the issue 2

NA 0

14. Reputation damage: Extent of damage to brand value

Brand damage 10

Loss of goodwill 6

Loss of major account 5

Minimal damage 2

NA 0

15. Non-compliance: the extent to which the exploit leads to non-compliance

High profile violation 10

Clear violation 6

Minimal violation 3

NA 0

16. Privacy violation: the extent to which individuals' privacy is compromised by the hack

Millions of people 10

Thousands of people 8

Hundreds of people 6

One individual 4

NA 0
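As an added worked example (not code from this post or from the linked calculator), here is the calculation end to end in Python: each of the 16 factors is looked up in its table, a risk's score is the average of its factor scores, the organisation's score is the average over its risks, and percent secure is (10 − score) × 10. The two sample risks are constructed for illustration. The skip_na option and the likelihood/impact split are additions to the post's method, included to show how unscored (NA) factors and averaging everything into one number affect the result.

```python
"""Scoring one risk with the 16 factors above, averaging across risks, and
turning the organisation's score into the post's 'percent secure' figure.
Added illustration; not the calculator's own source code."""
from statistics import mean

# Factor tables transcribed from the post, in the post's order: {factor: {option: score}}.
FACTORS = {
    # Threat agent factors
    "skills_required": {"No skills": 10, "Some skills": 7, "Advanced user": 5,
                        "Network & programming skills": 4, "Security penetration skills": 2, "NA": 0},
    "motive": {"High reward": 10, "Possible reward": 5, "No reward": 1, "NA": 0},
    "opportunity": {"No access or resource required": 10, "Some access or resource required": 8,
                    "Special access or resource required": 5,
                    "Full access or expensive resource required": 0},
    "population_size": {"Anonymous internet user": 10, "Authenticated user": 7, "Partners": 6,
                        "Intranet user": 5, "System admin": 3, "NA": 0},
    # Vulnerability factors
    "ease_of_discovery": {"Automated tools": 10, "Easy": 8, "Difficult": 4, "Impossible": 2, "NA": 0},
    "ease_of_exploit": {"Automated tools": 10, "Easy": 8, "Difficult": 4, "Theoretical": 2, "NA": 0},
    "awareness": {"Public knowledge": 10, "Obvious": 7, "Hidden": 5, "Unknown": 2, "NA": 0},
    "intrusion_detection": {"Not logged": 10, "Logged without review": 8, "Logged and reviewed": 4,
                            "Active detection in application": 2, "NA": 0},
    # Technical impact factors
    "loss_of_confidentiality": {"All data disclosed": 10, "Extensive critical data disclosed": 8,
                                "Extensive non-sensitive data disclosed": 7,
                                "Minimal non-sensitive data disclosed": 3, "NA": 0},
    "loss_of_integrity": {"All data totally corrupt": 10, "Extensive seriously corrupt data": 8,
                          "Extensive slightly corrupt data": 6, "Minimal seriously corrupt data": 4,
                          "Minimal slightly corrupt data": 2, "NA": 0},
    "loss_of_availability": {"All services completely lost": 10,
                             "Extensive primary services interrupted": 8,
                             "Minimal primary services interrupted": 6,
                             "Minimal secondary services interrupted": 2, "NA": 0},
    "loss_of_accountability": {"Completely anonymous": 10, "Attack possibly traceable to individual": 8,
                               "Attack fully traceable to individual": 2, "NA": 0},
    # Business impact factors
    "financial_damage": {"Bankruptcy": 10, "Significant effect to annual profit": 8,
                         "Minor effect to annual profit": 5,
                         "Damage cost is less than the cost to fix the issue": 2, "NA": 0},
    "reputation_damage": {"Brand damage": 10, "Loss of goodwill": 6, "Loss of major account": 5,
                          "Minimal damage": 2, "NA": 0},
    "non_compliance": {"High profile violation": 10, "Clear violation": 6, "Minimal violation": 3, "NA": 0},
    "privacy_violation": {"Millions of people": 10, "Thousands of people": 8, "Hundreds of people": 6,
                          "One individual": 4, "NA": 0},
}

def risk(*labels):
    """Build one risk's selections from 16 option labels given in table order."""
    if len(labels) != len(FACTORS):
        raise ValueError(f"expected {len(FACTORS)} labels, got {len(labels)}")
    return dict(zip(FACTORS, labels))

def score_risk(selections, skip_na=False):
    """Average of the factor scores. The post averages all 16 with NA counted as 0;
    skip_na=True (an added option, not the post's rule) leaves NA factors out so that
    unscored factors do not drag the risk down. Unknown labels raise KeyError."""
    scores = [FACTORS[f][selections[f]] for f in FACTORS
              if not (skip_na and selections[f] == "NA")]
    return mean(scores)

def likelihood_and_impact(selections):
    """OWASP-style split the post's single average hides: factors 1-8 are likelihood
    (threat agent + vulnerability), factors 9-16 are impact (technical + business)."""
    names = list(FACTORS)
    likelihood = mean(FACTORS[f][selections[f]] for f in names[:8])
    impact = mean(FACTORS[f][selections[f]] for f in names[8:])
    return likelihood, impact

def organisation_risk(risks, skip_na=False):
    """Organisation score = average of every risk's score."""
    return mean(score_risk(r, skip_na) for r in risks)

def percent_secure(risk_score):
    """(10 - score) as a percentage, e.g. 5.14 -> 48.6 (the post's own example)."""
    return round((10 - risk_score) * 10, 1)

# Constructed sample risks (illustrative, not taken from the post).
INTERNET_FACING = risk("Some skills", "High reward", "No access or resource required",
    "Anonymous internet user", "Automated tools", "Automated tools", "Public knowledge",
    "Logged without review", "Extensive critical data disclosed",
    "Extensive seriously corrupt data", "Minimal primary services interrupted",
    "Attack possibly traceable to individual", "Significant effect to annual profit",
    "Loss of goodwill", "Clear violation", "Thousands of people")
INTERNAL_ONLY = risk("Security penetration skills", "Possible reward",
    "Special access or resource required", "Intranet user", "Difficult", "Difficult",
    "Hidden", "Logged and reviewed", "Minimal non-sensitive data disclosed", "NA", "NA",
    "Attack fully traceable to individual",
    "Damage cost is less than the cost to fix the issue", "Minimal damage", "NA", "NA")

if __name__ == "__main__":
    for name, r in (("internet-facing", INTERNET_FACING), ("internal-only", INTERNAL_ONLY)):
        print(f"{name}: {score_risk(r):.2f} (NA skipped: {score_risk(r, True):.2f}), "
              f"likelihood/impact {likelihood_and_impact(r)}")
    total = organisation_risk([INTERNET_FACING, INTERNAL_ONLY])
    print(f"organisation: {total:.2f} -> {percent_secure(total)}% secure")
```

With these two sample risks the organisation scores 5.5, i.e. 45% secure. The internal-only risk scores 2.69 when its four NA factors count as zero but 3.58 when they are skipped, so which rule the calculator applies is the thing to pin down before comparing scores across assessments; the likelihood/impact split (9.4/7.3 for the internet-facing risk, 4.3/1.1 for the internal one) is what OWASP's own matrix would look at instead of one combined average.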

Note: the output of the calculation over the metrics above is shown in the matrix below, which maps the value to a risk rating (as explained in the example at the beginning).

Risk Rating Standing

The HTML page for the risk calculator and its source code can be found at the link below:

References: https://github.com/SecurityIsIllusion/OWASP_RIsk_Assessment_Calculator

Written by Rohit Ranjan

Security Engineer, Open Source Enthusiast