[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

rick.mitchell at bell.ca rick.mitchell at bell.ca
Mon Aug 19 16:47:44 UTC 2013

I just had a client ask about: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology

It seems at some point in the last two years that the skill level ratings have been reversed, such that a skilled attacker has a lower rating than an unskilled attacker. This doesn't make any logical sense.

At a high level the wiki defines "Risk = Likelihood * Impact"

If Threat Agent goes towards the Likelihood part of the calculation a skilled individual should be of greater concern than an unskilled individual. If one's "most likely" attacker is skilled then their risk should be higher than if their "most likely" attacker is unskilled. So someone with "Security penetration skills" should be a 9 not a 1 (raising the risk calc)... On the flip side someone with "no technical skills" should be a 1 not a 9 (thus reducing my risk calc). 

From the wiki page:
"The goal here is to estimate the likelihood of a successful attack by this group of threat agents. Use the worst-case threat agent.

Skill level
    How technically skilled is this group of threat agents? Security penetration skills (1), network and programming skills (3), advanced computer user (4), some technical skills (6), no technical skills (9)"

Further down the page: "Then you simply take the average of the scores to calculate the overall likelihood."

So using the numbers in the wiki table you come up with 4.375. If you increase the skill level value (thus decreasing the attacker's actual skill as defined earlier in the page), your risk rating is increased:
9|2|7|1|3|6|9|2 = AVG of 4.875 (where 9 is defined as unskilled) which would pull your whole risk rating for an issue up.
1|2|7|1|3|6|9|2 = AVG of 3.875 (where 1 is defined as highly skilled) which would drag your whole risk rating for an issue down.

Is the methodology trying to state that you're unlikely to be attacked by skilled individuals? Wouldn't that be a function of motivation or opportunity, not skill? Meaning that while a highly skilled individual might pose greater risk from a skill perspective, they may not be motivated or have the opportunity to carry out an exploit of the issue in question.


Rick Mitchell 
Security Analyst, Security Testing and Incident Response Team
Bell Business Markets
Phone: 613-785-4019
Email: rick.mitchell at bell.ca
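The averaging the post walks through, as an added example (not code from the post or from the OWASP wiki): the eight likelihood factors from the wiki's worked example, with the skill-level scale both as currently published and reversed the way the post argues it should read. The LOW/MEDIUM/HIGH bands in `level()` are taken from the methodology page itself and are not quoted in the post.

```python
"""Added example: OWASP Risk Rating likelihood average, with the skill-level
scale as published on the wiki and as the post argues it should be ordered."""

# Skill-level scale exactly as the post quotes it from the wiki (label -> score).
WIKI_SKILL_SCALE = {
    "security penetration skills": 1,
    "network and programming skills": 3,
    "advanced computer user": 4,
    "some technical skills": 6,
    "no technical skills": 9,
}

# The ordering the post argues for: more skill -> higher score -> higher likelihood.
REVERSED_SKILL_SCALE = dict(
    zip(WIKI_SKILL_SCALE, sorted(WIKI_SKILL_SCALE.values(), reverse=True))
)

# The other seven likelihood factors of the wiki's worked example, in the order
# the post lists them after skill level.
OTHER_FACTORS = {
    "motive": 2, "opportunity": 7, "size": 1,
    "ease_of_discovery": 3, "ease_of_exploit": 6,
    "awareness": 9, "intrusion_detection": 2,
}


def likelihood(skill_score, other_factors=OTHER_FACTORS):
    """Overall likelihood as the wiki defines it: the plain average of all eight scores."""
    scores = [skill_score, *other_factors.values()]
    return sum(scores) / len(scores)


def likelihood_for_attacker(label, scale):
    """Average in the skill score that a given scale assigns to an attacker description."""
    return likelihood(scale[label])


def level(score):
    """Band a 0-9 likelihood score (bands from the methodology page, not the post)."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


if __name__ == "__main__":
    for label in WIKI_SKILL_SCALE:
        wiki = likelihood_for_attacker(label, WIKI_SKILL_SCALE)
        rev = likelihood_for_attacker(label, REVERSED_SKILL_SCALE)
        print(f"{label:32s} wiki={wiki:.3f} ({level(wiki)})  reversed={rev:.3f} ({level(rev)})")
```

Under the published scale an attacker with "no technical skills" yields the 4.875 the post computes, while under the reversed scale that same figure belongs to "security penetration skills".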
