[Owasp-testing] OWASP Risk Rating Methodology
John C. Koen
johnkoen at gmail.com
Mon Dec 19 13:14:48 UTC 2016
Hi Josh,
The risk guides that you are comparing, the Overall Risk Severity table
matrix and the Risk Model (*Risk = Likelihood * Impact*) formula, were not
designed to be in 100% alignment.
The Risk Model formula is more precise in defining the risk category,
especially when dealing with a cusp/boundary number (for example an
Impact of 5, which borders on becoming a High Impact). The reason the Risk
Model offers greater precision is that it isn't grouping sets of numbers
(e.g. 1-3) into a single Risk category (i.e. Low), as the matrix does.
Sometimes these Risk numbers are arbitrary or difficult to determine, so
the matrix is provided as a guide to help determine a general Risk stance.
Please keep in mind that determining Risk isn't an exact science, since
every defense architecture utilizes a different set of compensating
controls.
Ideally we would always use numbers (for example, if we automate the
calculation), but sometimes words conceptualize more easily [for humans].
Hope this helps,
John
On Dec 18, 2016 15:03, "Josh Sokol" <josh.sokol at owasp.org> wrote:
Hey everyone,
Not really sure if this is even the right list so if it belongs elsewhere,
please let me know. I've been spending some time with the OWASP Risk
Rating Methodology lately for my SimpleRisk tool. What I've noticed is an
issue in the scoring that creates big issues when trying to
programmatically calculate a risk score.
Take the specified range of 3 to <6 for a Medium Likelihood and Impact. If
we have a calculated Likelihood and Impact of 3, then Likelihood x Impact =
9. The OWASP Risk Rating Methodology specifies that a Medium Likelihood
and a Medium Impact should be a Medium overall risk severity. So, we would
assume that the minimum value for a Medium risk would be a 9.
Now, take the specified range of 0 to <3 for a Low Likelihood and 3 to <6
for a Medium Impact. If we have a calculated Likelihood of 2 and a
calculated Impact of 5, then Likelihood x Impact = 10. The OWASP Risk
Rating Methodology specifies that a Low Likelihood and a Medium Impact
should be a Low overall risk severity. But the calculated score is 10,
which is bigger than the 9 we got above, for a lower severity.
The documentation seems to point to the overall risk score being a function
of likelihood x impact, but the methodology clearly does not support that.
Is there another formula that we should be using for this calculation?
Thanks!
~josh
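As an added example (not code from the thread, from SimpleRisk, or from OWASP), the following Python scores the same inputs both ways and reproduces the boundary inversion Josh describes. The bucket ranges are the ones quoted in the thread; the full Overall Risk Severity matrix is assumed from the published OWASP methodology, since the thread itself quotes only two of its cells.

```python
from itertools import permutations

# Added example (not code from the thread or from SimpleRisk): score the same
# Likelihood/Impact inputs with the OWASP lookup matrix and with the naive
# product, then report pairs where the two disagree on ordering.

SEVERITY_RANK = {"Note": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Overall Risk Severity matrix as published in the OWASP Risk Rating
# Methodology (assumed here; the thread quotes only two of its cells),
# indexed as MATRIX[impact_level][likelihood_level].
MATRIX = {
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "Low":    {"Low": "Note",   "Medium": "Low",    "High": "Medium"},
}


def bucket(score):
    """Map a 0-9 score to its level using the ranges quoted in the thread:
    0 to <3 Low, 3 to <6 Medium, 6 to 9 High.  The half-open boundaries are
    exactly where the product formula and the matrix drift apart."""
    if not 0 <= score <= 9:
        raise ValueError(f"score must be in 0..9, got {score}")
    if score < 3:
        return "Low"
    if score < 6:
        return "Medium"
    return "High"


def matrix_severity(likelihood, impact):
    """Overall severity the methodology's matrix assigns to the two levels."""
    return MATRIX[bucket(impact)][bucket(likelihood)]


def product_score(likelihood, impact):
    """The Risk = Likelihood * Impact number the thread is arguing about."""
    return likelihood * impact


def find_inversions(cases):
    """Return (a, b) pairs of (likelihood, impact) inputs where a has the
    larger product yet the matrix ranks a as the lower overall severity."""
    return [
        (a, b) for a, b in permutations(cases, 2)
        if product_score(*a) > product_score(*b)
        and SEVERITY_RANK[matrix_severity(*a)] < SEVERITY_RANK[matrix_severity(*b)]
    ]
```

Feeding Josh's two cases, `find_inversions([(3, 3), (2, 5)])`, returns the single pair `((2, 5), (3, 3))`: product 10 rated Low against product 9 rated Medium.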
