[Owasp-testing] Defining Risk

Daniel Cuthbert daniel.cuthbert at owasp.org
Sun Dec 17 07:48:10 EST 2006

I've spent today looking at what has been written so far and I feel  
we are venturing into some dangerous territory with what we are  
We need an easy to use, and understand, method of defining risk and  
the one we have at the moment will cause more confusion than good.


The section on Quantitative Risk Calculation seems to be heavily  
based upon some complex mathematical formula, but does anyone  
honestly know how to do this?

I've shown this to a number of pentesters and colleagues and they all  
agree that they would not use the above approach as it's overly  

