[Owasp-testing] OWASP Risk Rating Methodology
Josh Sokol
josh.sokol at owasp.org
Sun Dec 18 21:02:47 UTC 2016
Hey everyone,
Not really sure if this is even the right list so if it belongs elsewhere,
please let me know. I've been spending some time with the OWASP Risk
Rating Methodology lately for my SimpleRisk tool. What I've noticed is an
issue in the scoring that creates big issues when trying to
programmatically calculate a risk score.
Take the specified range of 3 to <6 for a Medium Likelihood and Impact. If
we have a calculated Likelihood and Impact of 3, then Likelihood x Impact =
9. The OWASP Risk Rating Methodology specifies that a Medium Likelihood
and a Medium Impact should be a Medium overall risk severity. So, we would
assume that the minimum value for a Medium risk would be a 9.
Now, take the specified range of 0 to <3 for a Low Likelihood and 3 to <6
for a Medium Impact. If we have a calculated Likelihood of 2 and a
calculated Impact of 5, then Likelihood x Impact = 10. The OWASP Risk
Rating Methodology specifies that a Low Likelihood and a Medium Impact
should be a Low overall risk severity. But, the calculated score is 10,
which is bigger than the 9 we got above, for a lower severity.
The documentation seems to point to the overall risk score being a function
of likelihood x impact, but the methodology clearly does not support that.
Is there another formula that we should be using for this calculation?
Thanks!
~josh
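As an added example (not from the post and not SimpleRisk code), the following Python reproduces both calculations the post compares: the band edges (0 to <3, 3 to <6, 6 to 9) and the overall-severity lookup matrix are taken from the published OWASP Risk Rating Methodology, while the function names, the factor-averaging helper and the sample factor ratings are assumptions constructed for this example. It shows why the matrix is the operative definition: a likelihood x impact product can rank a Low case (2 x 5 = 10) above a Medium case (3 x 3 = 9), and find_inversions() surfaces exactly that pair.

```python
"""OWASP Risk Rating Methodology: severity matrix lookup versus a naive
likelihood x impact product, reproducing the ordering inversion from the post.

Band edges and the matrix follow the published methodology (assumption: the
version current at the time of the post); function names and the sample factor
ratings below are constructed for this example.
"""

LIKELIHOOD_FACTORS = 8   # threat agent (4) + vulnerability (4) factors
IMPACT_FACTORS = 4       # technical (or business) impact factors


def score_from_factors(ratings):
    """Average 0-9 factor ratings into a 0-9 likelihood or impact score,
    which is how the methodology derives each axis."""
    if not ratings:
        raise ValueError("at least one factor rating is required")
    for r in ratings:
        if not 0 <= r <= 9:
            raise ValueError(f"factor rating out of range 0-9: {r}")
    return sum(ratings) / len(ratings)


def band(score):
    """Map a 0-9 score to its band: LOW (0 to <3), MEDIUM (3 to <6), HIGH (6 to 9)."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range 0-9: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# Overall severity: outer key is the impact band, inner key the likelihood band.
SEVERITY_MATRIX = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}

# Ordinal rank so severities from the matrix can be compared.
SEVERITY_RANK = {"Note": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def overall_severity(likelihood, impact):
    """The methodology's answer: a matrix lookup on the two bands."""
    return SEVERITY_MATRIX[band(impact)][band(likelihood)]


def naive_score(likelihood, impact):
    """The product the post expected the methodology to be built on."""
    return likelihood * impact


def find_inversions(cases):
    """Return (a, b) pairs of (likelihood, impact) cases where the product
    ranks a above b but the matrix ranks a strictly below b."""
    inversions = []
    for a in cases:
        for b in cases:
            product_higher = naive_score(*a) > naive_score(*b)
            matrix_lower = (SEVERITY_RANK[overall_severity(*a)]
                            < SEVERITY_RANK[overall_severity(*b)])
            if product_higher and matrix_lower:
                inversions.append((a, b))
    return inversions


if __name__ == "__main__":
    # Constructed factor ratings that reproduce the post's two cases.
    medium_case = (score_from_factors([3] * LIKELIHOOD_FACTORS),   # 3.0
                   score_from_factors([3] * IMPACT_FACTORS))       # 3.0
    low_case = (score_from_factors([1, 2, 3, 1, 2, 3, 2, 2]),      # 2.0
                score_from_factors([5, 5, 5, 5]))                  # 5.0
    for case in (medium_case, low_case):
        print(case, "product =", naive_score(*case),
              "matrix =", overall_severity(*case))
    print("inversions:", find_inversions([medium_case, low_case]))
```

A tool that needs a single sortable number can still store the product for display, but ordering and thresholds should be driven by SEVERITY_RANK of the matrix result, since only the matrix reflects what the methodology defines as the overall risk severity.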
