Today I worked on my security model. I spent a good amount of time creating goals and creating risks. OWASP Risk Rating Methodology has some pretty good insights on how to rank different threats based on probability and business impact. Probability is calculated according to how exploitable, common, and detectable the attack is. The business impact is based on how much damage the attack could do to the business.
The risk = probability x impact.
Here is an example using a 0-10 scale. Let's calculate the risk for the attack SQL Injection against lds.org (note that this threat falls under the threat category Injection from the OWASP Top 10):
1. Calculate Probability using the threat category.
The probability is the average of the three factors: (10 + 8 + 8) / 3 ≈ 9
Exploitable | Common | Detectable
10 | 8 | 8
2. Calculate the Business Impact. Because lds.org does not use MySQL, the impact is NA or 0. Risk = (Probability x Impact) / 10.
Risk of SQL Injection = (9 x 0) / 10 = 0
As you can see, even though the Injection category (Risk – D) has a high risk, SQL Injection (Risk – A) has a low risk for lds.org because of the business impact.
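To show the same scoring applied to a whole threat list rather than one attack, here is an added Python example (not code from the post): it averages the three likelihood factors, applies risk = (probability x impact) / 10, and ranks the threats. The SQL injection row uses the post's scores; the other rows and the high/medium/low thresholds are constructed assumptions.

```python
from statistics import mean


def likelihood(exploitable: float, common: float, detectable: float) -> int:
    """Average of the three likelihood factors on the 0-10 scale, rounded as in the post
    (10, 8, 8 -> 9)."""
    return round(mean([exploitable, common, detectable]))


def risk(probability: float, impact: float) -> float:
    """Risk on the 0-10 scale: (probability x impact) / 10."""
    return (probability * impact) / 10


def risk_level(score: float) -> str:
    """Bucket a 0-10 risk score. Thresholds are an assumption for illustration,
    not taken from the post or from OWASP."""
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    if score > 0:
        return "low"
    return "none"


def rank_threats(threats: list[dict]) -> list[dict]:
    """Score every threat and return them sorted from highest to lowest risk."""
    scored = []
    for t in threats:
        p = likelihood(t["exploitable"], t["common"], t["detectable"])
        r = risk(p, t["impact"])
        scored.append({"name": t["name"], "probability": p, "risk": r, "level": risk_level(r)})
    return sorted(scored, key=lambda s: s["risk"], reverse=True)


# Constructed threat register: the SQL injection row is the post's own example
# (impact 0 because the site does not use MySQL); the other rows are made-up scores.
THREATS = [
    {"name": "SQL injection", "exploitable": 10, "common": 8, "detectable": 8, "impact": 0},
    {"name": "Cross-site scripting", "exploitable": 7, "common": 9, "detectable": 6, "impact": 6},
    {"name": "Broken authentication", "exploitable": 5, "common": 6, "detectable": 4, "impact": 9},
]

if __name__ == "__main__":
    for row in rank_threats(THREATS):
        print(f"{row['name']:<24} P={row['probability']:>2}  risk={row['risk']:>4.1f}  ({row['level']})")
```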