[Owasp-testing] Are the Risk Rating Wiki Pages Broken?

Christian Heinrich christian.heinrich at cmlh.id.au
Thu Aug 22 03:41:19 UTC 2013


I believe the conclusion drawn from the thread in May 2013
(which begins at
) was to deprecate the OWASP Risk Rating Methodology for CVSSv3.

The latest public announcement on its (CVSSv3) ongoing development
is http://www.first.org/_assets/downloads/cvss/cvss-v3-development-update.pdf

On Tue, Aug 20, 2013 at 2:47 AM, rick.mitchell at bell.ca
<rick.mitchell at bell.ca> wrote:
> I just had a client ask about: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
> It seems at some point in the last two years that the skill level ratings have been reversed. Such that a skilled attacker has a lower rating than an unskilled attacker. This doesn't make any logical sense.
> At a high level the wiki defines "Risk = Likelihood * Impact"
> If Threat Agent goes towards the Likelihood part of the calculation a skilled individual should be of greater concern than an unskilled individual. If one's "most likely" attacker is skilled then their risk should be higher than if their "most likely" attacker is unskilled. So someone with "Security penetration skills" should be a 9 not a 1 (raising the risk calc)... On the flip side someone with "no technical skills" should be a 1 not a 9 (thus reducing my risk calc).
> From the wiki page:
> "The goal here is to estimate the likelihood of a successful attack by this group of threat agents. Use the worst-case threat agent.
> Skill level
>     How technically skilled is this group of threat agents? Security penetration skills (1), network and programming skills (3), advanced computer user (4), some technical skills (6), no technical skills (9)"
> Further down the page: "Then you simply take the average of the scores to calculate the overall likelihood."
> So using the numbers in the wiki table you come up with 4.375, if you increase the skill level value (thus decreasing the attacker's actual skill as defined earlier in the page) your risk rating is increased:
> 9|2|7|1|3|6|9|2 = AVG of 4.875 (where 9 is defined as unskilled) which would pull your whole risk rating for an issue up.
> 1|2|7|1|3|6|9|2 = AVG of 3.875 (where 1 is defined as highly skilled) which would drag your whole risk rating for an issue down.
> Is the methodology trying to state that you're unlikely to be attacked by skilled individuals? Wouldn't that be a function of motivation or opportunity not skill? Meaning that while a highly skilled individual might pose greater risk from a skill perspective they may not be motivated or have opportunity to carry out an exploit of the issue in question.

Christian Heinrich
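The averaging step Rick quotes from the wiki, carried through in code so the effect of the skill-level ordering can be seen directly. This is an added example, not code from OWASP or from either poster: the eight likelihood factors, the "average the scores" rule and the two score rows come from the quoted message; the LOW/MEDIUM/HIGH bands and the likelihood x impact severity matrix are taken from the published OWASP methodology and are not stated on this page; the reversed scale for intermediate skill values (10 minus the wiki value) and the impact scores are assumptions.

```python
"""Worked OWASP Risk Rating likelihood calculation, as discussed in the thread.
Added example: not code from OWASP or from either poster."""

from statistics import mean

# Likelihood factors in the order the thread's "9|2|7|1|3|6|9|2" notation
# uses: skill level first (the only value that differs between the two rows),
# then the remaining threat-agent and vulnerability factors.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)

# Skill-level scale as quoted from the wiki (penetration skills = 1 ...
# no technical skills = 9) and the reversed ordering Rick argues for.
# Endpoints (9 and 1) are from the thread; 10 - v for the middle values is
# an assumption made here.
SKILL_SCALE_WIKI = {
    "security penetration skills": 1,
    "network and programming skills": 3,
    "advanced computer user": 4,
    "some technical skills": 6,
    "no technical skills": 9,
}
SKILL_SCALE_REVERSED = {k: 10 - v for k, v in SKILL_SCALE_WIKI.items()}

# Overall severity matrix (impact level, likelihood level) -> severity, from
# the published OWASP methodology (not stated on this page).
SEVERITY = {
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
}


def likelihood(scores):
    """Overall likelihood: the plain average of the eight factor scores,
    which is what the wiki text quoted in the thread prescribes."""
    if len(scores) != len(LIKELIHOOD_FACTORS):
        raise ValueError(f"expected {len(LIKELIHOOD_FACTORS)} factor scores")
    if any(not 0 <= s <= 9 for s in scores):
        raise ValueError("factor scores are on a 0-9 scale")
    return mean(scores)


def level(score):
    """Map a 0-9 likelihood or impact score to the OWASP bands."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def overall_risk(likelihood_scores, impact_scores):
    """Combine likelihood and impact (both averaged) via the severity matrix;
    this is the concrete form of the wiki's 'Risk = Likelihood * Impact'."""
    return SEVERITY[(level(mean(impact_scores)), level(likelihood(likelihood_scores)))]


def compare_skill_orderings(skill_label, other_scores):
    """Likelihood for the same threat agent under the wiki scale and under the
    reversed scale, holding the other seven factors fixed."""
    wiki = likelihood((SKILL_SCALE_WIKI[skill_label],) + tuple(other_scores))
    rev = likelihood((SKILL_SCALE_REVERSED[skill_label],) + tuple(other_scores))
    return wiki, rev


# The seven non-skill scores shared by both rows in the thread: 2|7|1|3|6|9|2.
THREAD_OTHER_SCORES = (2, 7, 1, 3, 6, 9, 2)

if __name__ == "__main__":
    for label in ("security penetration skills", "no technical skills"):
        w, r = compare_skill_orderings(label, THREAD_OTHER_SCORES)
        print(f"{label:30} wiki: {w:.3f} ({level(w)})  reversed: {r:.3f} ({level(r)})")
    # Constructed impact scores (not from the page) to show the matrix step.
    print("overall:", overall_risk((9, 2, 7, 1, 3, 6, 9, 2), (9, 9, 9, 9)))
```

Running it reproduces the two averages in the thread (3.875 with skill level 1, 4.875 with skill level 9) and shows that, because likelihood is a plain average, whichever end of the skill scale is numbered 9 is the one that pushes the rating up; in this particular row both values still land in the MEDIUM band, so the ordering only changes the final severity when the average sits near a band boundary.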

