[Owasp-testing] Defining Risk
daniel.cuthbert at owasp.org
Sun Dec 17 07:48:10 EST 2006
I've spent today looking at what has been written so far and I feel
we are venturing into some dangerous territory with what we are
We need an easy-to-use and easily understood method of defining risk, and
the one we have at the moment will cause more confusion than good.
The section on Quantitative Risk Calculation seems to be heavily
based upon some complex mathematical formula, but does anyone
honestly know how to do this?
I've shown this to a number of pentesters and colleagues and they all
agree that they would not use the above approach as it's overly