[Owasp-testing] Threat Agent Factors in OWASP Risk Rating Methodology

Chris Cooper chris.cooper at owasp.org
Thu Jul 13 00:40:47 UTC 2017

To me, this argument depends on whether we are rating risks or
vulnerabilities (spoiler: this is a risk rating methodology).

Risks encompass vulnerabilities, but they also include the threat and
impact. Because we are working with a particular threat (maybe
worst-case-scenario), I think the existing system makes perfect sense. The
more skilled the threat actor is, the higher the risk. We're not talking
about how skilled a generic actor needs to be, we're talking about how
skilled they are, and whether they are skilled enough. I think the former
is irrelevant considering that the threat is already established.

If we were talking about how severe a vulnerability is, regardless of the
threat or the business impact, then I see the point being made here. If we
don't have a specific threat in mind, we should hinge on the ease of
exploitation (which RRM includes within the vulnerability factors already).
But I think this is a separate rating system, or reduced subset of RRM, not
an indication that the RRM is incorrect.


On Wed, Jul 12, 2017 at 7:27 PM, R M <kingthorin at hotmail.com> wrote:

> I've always interpreted this in completely the opposite manner. If Threat
> Agent goes towards the Likelihood part of the calculation a skilled
> individual should be of greater concern than an unskilled individual.
> "Note that there may be multiple threat agents that can exploit a
> particular vulnerability, so it's usually best to use the worst-case
> scenario."
> There has been lengthy discussion of this in the past as well, see this
> thread from Aug 2013: http://lists.owasp.org/pipermail/owasp-testing/2013-August/002177.html
> Rick
> -----
> Pichaya Morimoto pichaya at ieee.org
> Mon Jun 5 06:11:34 UTC 2017
> Hi guys,
> It seems that the OWASP RRM formula is incorrect.
> "Skill level
> How technically skilled is this group of threat agents? Security
> penetration skills (9), network and programming skills (6), advanced
> computer user (5), some technical skills (3), no technical skills (1)"
> https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology#Threat_Agent_Factors
> If a vulnerability requires skilled threat actors.. that means it is
> unlikely that the vulnerability can be exploited so the likelihood should
> go down by the skill level factor.
> In short, skill level = level of skills required to perform the attack.
> 9 High skill required = low risk (1) because the flaw is limited by the
> number of good attackers.
> 1 No technical skills required = high risk (9) since everyone can attack
> the vulnerability... it is likely that the vulnerability will be exploited
> at any given time.
> You can't say that if the attacker is so good, then the risk of the
> vulnerability will get higher because
> 1. We are talking about the risk of a particular vulnerability, not the
> risk of a threat agent here.
> 2. Also, you cannot limit the skill of the attackers that could exploit the
> vulnerability as well (but yes, the intranet users are probably not as good
> as attackers from the internet?).
> 3. The skill level is a subsection of likelihood factor not impact factor !
> Do not confuse impact of skill levels and possibility of being attacked by
> the attacker with a given skill level.
> I hope this will be fixed ASAP to make it more reasonable with the risk
> rating scenarios.
> Many thanks.
> _______________________________________________
> Owasp-testing mailing list
> Owasp-testing at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-testing
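The two readings argued above (Skill level as the actual skill of the chosen threat agent, as the RRM publishes it, versus Skill level as the skill required to exploit, as Pichaya proposes) can be put side by side numerically. The following is an added example, not code from this thread or from OWASP. It uses the RRM's own scoring rules (likelihood and impact are each the plain average of their eight 0-9 factors; 0 to <3 is LOW, 3 to <6 MEDIUM, 6 to 9 HIGH; the published likelihood-by-impact matrix gives the overall severity). The factor ratings are constructed for illustration, and the inversion `10 - s` is an assumption chosen only because it reproduces the two endpoints given in the message (9 becomes 1, 1 becomes 9).

```python
"""Side-by-side RRM scoring: Skill level as published vs. inverted.

Added example, not code from the mailing list or from OWASP.
Factor weights follow the published RRM tables; the sample ratings are
constructed. The inversion 10 - s is an assumption (see invert_skill).
"""
from statistics import mean

# Constructed scenario: a hard-to-find authorization flaw in an
# authenticated area, probed by a capable attacker with a strong motive.
THREAT_AGENT = {
    "skill_level": 9,   # security penetration skills (as published)
    "motive": 9,        # high reward
    "opportunity": 7,   # some access or resources required
    "size": 4,          # authenticated users
}
VULNERABILITY = {
    "ease_of_discovery": 3,    # difficult
    "ease_of_exploit": 3,      # difficult
    "awareness": 4,            # hidden
    "intrusion_detection": 9,  # not logged
}
IMPACT = {  # technical and business impact factors, same 0-9 scale
    "loss_of_confidentiality": 6,
    "loss_of_integrity": 5,
    "loss_of_availability": 5,
    "loss_of_accountability": 7,
    "financial_damage": 3,
    "reputation_damage": 4,
    "non_compliance": 5,
    "privacy_violation": 5,
}

# (likelihood level, impact level) -> overall severity, per the RRM matrix.
RISK_MATRIX = {
    ("LOW", "LOW"): "NOTE",    ("MEDIUM", "LOW"): "LOW",       ("HIGH", "LOW"): "MEDIUM",
    ("LOW", "MEDIUM"): "LOW",  ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",
    ("LOW", "HIGH"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}


def level(score):
    """RRM bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def likelihood(threat_agent, vulnerability):
    """RRM likelihood: plain average of the eight likelihood factors."""
    return mean(list(threat_agent.values()) + list(vulnerability.values()))


def invert_skill(threat_agent):
    """Pichaya's reading: the value is the skill *required*, so flip it.

    The mapping 10 - s is an assumption made for this example; it matches
    the two endpoints stated in the thread (9 -> 1, 1 -> 9).
    """
    flipped = dict(threat_agent)
    flipped["skill_level"] = 10 - threat_agent["skill_level"]
    return flipped


def rate(threat_agent, vulnerability, impact):
    """Score one scenario and place it in the overall-severity matrix."""
    lik = likelihood(threat_agent, vulnerability)
    imp = mean(impact.values())
    return {
        "likelihood": round(lik, 2),
        "likelihood_level": level(lik),
        "impact": round(imp, 2),
        "impact_level": level(imp),
        "overall": RISK_MATRIX[(level(lik), level(imp))],
    }


def compare(threat_agent=THREAT_AGENT, vulnerability=VULNERABILITY, impact=IMPACT):
    """Same vulnerability and impact, Skill level read both ways."""
    return {
        "as_published": rate(threat_agent, vulnerability, impact),
        "skill_inverted": rate(invert_skill(threat_agent), vulnerability, impact),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:>15}: {result}")
```

With these constructed ratings the two readings land in different bands: taken as published, the likelihood averages 6.0 (HIGH) and the overall severity is HIGH; with Skill level inverted it averages 5.0 (MEDIUM) and the overall severity drops to MEDIUM. The example does not settle which reading is right; it shows that the single factor can move a finding across a band boundary, which is why the thread cares about it.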