[Owasp-testing] Threat Agent Factors in OWASP Risk Rating Methodology

Bernd Eckenfels bernd-2017 at eckenfels.net
Thu Jul 13 01:15:12 UTC 2017

Yes it might make sense if one wants to derive the risk for a certain assumed attacker. However this is one of the least objective threat agent measurements (size and opportunity depend on the attack vector, motivation depends on the estimated value, only for the skill level you would have to assume worst case).
I think the (inverse) skill level is covered by motivation and ease of exploit/discovery, so we could keep it simple.
But maybe the discussion is moot and making the methodology less formal to avoid misleading systematic looking numbers would help here. And as long as the wiki is dead we can't improve it anyway.


On Thu, Jul 13, 2017 at 2:41 AM +0200, "Chris Cooper" <chris.cooper at owasp.org> wrote:

To me, this argument depends on whether we are rating risks or vulnerabilities (spoiler: this is a risk rating methodology).
Risks encompass vulnerabilities, but they also include the threat and impact. Because we are working with a particular threat (maybe worst-case-scenario), I think the existing system makes perfect sense. The more skilled the threat actor is, the higher the risk. We're not talking about how skilled a generic actor needs to be, we're talking about how skilled they are, and whether they are skilled enough. I think the former is irrelevant considering that the threat is already established.
If we were talking about how severe a vulnerability is, regardless of the threat or the business impact, then I see the point being made here. If we don't have a specific threat in mind, we should hinge on the ease of exploitation (which RRM includes within the vulnerability factors already). But I think this is a separate rating system, or reduced subset of RRM, not an indication that the RRM is incorrect.

On Wed, Jul 12, 2017 at 7:27 PM, R M <kingthorin at hotmail.com> wrote:

I've always interpreted this in completely the opposite manner. If Threat Agent goes towards the Likelihood part of the calculation a skilled individual should be of greater concern than an unskilled individual.

"Note that there may be multiple threat agents that can exploit a particular vulnerability, so it's usually best to use the worst-case scenario."

There has been lengthy discussion of this in the past as well, see this thread from Aug 2013:




Pichaya Morimoto pichaya at ieee.org

Mon Jun 5 06:11:34 UTC 2017


Hi guys,

It seems that the OWASP RMM formula is incorrect.

"Skill level

How technically skilled is this group of threat agents? Security penetration skills (9), network and programming skills (6), advanced computer user (5), some technical skills (3), no technical skills (1)"

If a vulnerability requires skilled threat actors.. that means it is unlikely that the vulnerability can be exploited so the likelihood should go down by the skill level factor.

In short, skill level = level of skills required to perform the attack.

9 Highly skilled required = low risk (1) because the flaw is limited by the number of good attackers.

1 No technical skills required = high risk (9) since everyone can attack the vulnerability... it is likely that the vulnerability will be exploited at any given time.

You can't say that if the attacker is so good then the risk of vulnerability will get higher because

1. We are talking about the risk of a particular vulnerability, not the risk of a threat agent here.

2. Also, you cannot limit the skill of the attackers that could exploit the vulnerability as well (but yes, the intranet users are probably not as good as attackers from the internet?).

3. The skill level is a subsection of likelihood factor not impact factor!

Do not confuse impact of skill levels and possibility of being attacked by the attacker with a given skill level.

I hope this will be fixed ASAP to make it more reasonable with the risk rating scenarios.

Many thanks.


Owasp-testing mailing list

Owasp-testing at lists.owasp.org


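A worked example of the likelihood arithmetic the thread is arguing about, added here as an illustration and not taken from the thread or from OWASP's own tooling. It uses the OWASP Risk Rating Methodology's eight likelihood factors (four threat agent, four vulnerability), its 0-9 scoring with LOW/MEDIUM/HIGH bands and its overall severity matrix; the two threat agents and their factor values are constructed, and the "inverted skill" mapping (10 - skill) is an assumed way to express the "skill required" reading, which the thread never spells out numerically.

```python
# OWASP RRM: every factor scores 0-9; likelihood is the average of the eight
# likelihood factors, impact the average of the (technical or business)
# impact factors, and the two bands are combined in a severity matrix.
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")

def band(score):
    """Map a 0-9 score to the RRM bands: <3 LOW, 3..<6 MEDIUM, 6..9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"

def likelihood(agent, vuln, invert_skill=False):
    """Average of the eight likelihood factors.  invert_skill=True applies the
    'skill required' reading from the thread; the 10 - skill mapping (9 -> 1,
    1 -> 9) is an assumption made for this example."""
    a = dict(agent)
    if invert_skill:
        a["skill_level"] = 10 - a["skill_level"]
    factors = [a[k] for k in THREAT_AGENT] + [vuln[k] for k in VULNERABILITY]
    return sum(factors) / len(factors)

def worst_case_likelihood(agents, vuln, invert_skill=False):
    """RRM guidance: with several possible threat agents, rate the worst case."""
    return max(likelihood(a, vuln, invert_skill) for a in agents)

def impact(factors):
    """Average of the impact factors (technical or business set)."""
    return sum(factors.values()) / len(factors)

# Overall severity matrix from RRM, keyed by (impact band, likelihood band).
SEVERITY = {
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
}

def overall(likelihood_score, impact_score):
    return SEVERITY[(band(impact_score), band(likelihood_score))]

# Constructed sample: an internet attacker and an intranet user, one finding.
INTERNET = {"skill_level": 9, "motive": 9, "opportunity": 7, "size": 9}
INTRANET = {"skill_level": 3, "motive": 4, "opportunity": 7, "size": 6}
VULN = {"ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9, "intrusion_detection": 8}
TECH_IMPACT = {"confidentiality": 7, "integrity": 5, "availability": 5, "accountability": 7}

if __name__ == "__main__":
    for inv in (False, True):
        lk = worst_case_likelihood([INTERNET, INTRANET], VULN, inv)
        print(f"invert_skill={inv}: likelihood={lk} -> {overall(lk, impact(TECH_IMPACT))}")
```

Running it shows both readings land the constructed finding in the same band here, which illustrates Bernd's point that ease of exploit and motive already carry most of the signal.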