Security/RiskRatings
| Likelihood | Probability | Technical |
|---|---|---|
| 1 | Shouldn't happen | Advanced attack requiring multiple vulnerabilities to exploit |
| 2 | Once every few years | Advanced attack |
| 3 | Once a year | Moderate difficulty attack vector |
| 4 | Multiple times a year | Common attack vector, requires manual exploit creation |
| 5 | Ongoing issue | Common attack vector, easy to mount with available tools |
Impact
The impact of a finding is the potential outcome if the threat is realized. This is used to determine how individual threats
| Impact | Operational | User | Privacy | Financial | Legal | Engineering | Reputation |
|---|---|---|---|---|---|---|---|
| 1 | Ops team notified | Browser crashes | Unresolved privacy issues, in line with Privacy Policy | Low cost to remediate | | Minor code changes required | Negative comments from stakeholders |
| 2 | Minor outage, in line with SLAs | User behaviour can be trended | Minor concerns over privacy issues | Director approval to pay cost to remediate | | | Negative comments from community members |
| 3 | Moderate outage, complaints from users | Specific information about specific users can be obtained | Moderate concerns over privacy issues | Requires budget changes to remediate | | | Negative comments from user base |
| 4 | Significant outage (intl store) | The ability to execute scripts and code that is sandboxed on the user's device | Violation of Privacy Policy | Requires Board review to pay for remediation | | | Negative press in industry media |
| 5 | Service will be mothballed | Complete control over the user's device | Violation of Privacy Policy with production data | Extreme cost for remediation (e.g. MoCo/Mofo can't afford to) | | Complete redesign and rewrite | Negative press in mainstream media |
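A worked example of applying the two rubrics above to a finding, added here and not part of the original wiki page. The page does not say how likelihood and impact are combined, so the example assumes two common risk-matrix conventions and labels them as such: the overall impact is the worst score across the impact categories, and the risk score is likelihood multiplied by impact (a 1 to 25 scale) with assumed triage bands. The sample findings and their scores are constructed for illustration.

```python
"""Rate a finding against the Likelihood and Impact rubrics (added example).

ASSUMPTIONS not stated on the page: overall impact = max across categories,
risk score = likelihood x impact, and the high/medium/low thresholds below.
"""
from dataclasses import dataclass, field

# Likelihood rubric from the page (score -> probability descriptor).
LIKELIHOOD = {
    1: "Shouldn't happen",
    2: "Once every few years",
    3: "Once a year",
    4: "Multiple times a year",
    5: "Ongoing issue",
}

# Impact categories from the page's Impact table.
IMPACT_CATEGORIES = (
    "operational", "user", "privacy", "financial",
    "legal", "engineering", "reputation",
)

# Triage bands for the 1-25 likelihood x impact product. ASSUMED thresholds,
# not defined on the page; tune them to your own policy.
RISK_BANDS = ((15, "high"), (8, "medium"), (1, "low"))


@dataclass
class Finding:
    title: str
    likelihood: int                               # 1-5 per the Likelihood table
    impacts: dict = field(default_factory=dict)   # category -> 1-5 score


def validate(finding: Finding) -> None:
    """Reject scores outside the rubric before any arithmetic is done."""
    if finding.likelihood not in LIKELIHOOD:
        raise ValueError(f"likelihood must be 1-5, got {finding.likelihood!r}")
    if not finding.impacts:
        raise ValueError("a finding needs at least one impact category scored")
    for category, score in finding.impacts.items():
        if category not in IMPACT_CATEGORIES:
            raise ValueError(f"unknown impact category {category!r}")
        if score not in range(1, 6):
            raise ValueError(f"{category} impact must be 1-5, got {score!r}")


def overall_impact(finding: Finding) -> int:
    """ASSUMPTION: the worst affected category drives the overall impact."""
    validate(finding)
    return max(finding.impacts.values())


def risk_score(finding: Finding) -> int:
    """ASSUMPTION: risk = likelihood x impact, giving a 1-25 scale."""
    return finding.likelihood * overall_impact(finding)


def risk_band(score: int) -> str:
    """Map a 1-25 score onto the assumed triage bands."""
    for threshold, band in RISK_BANDS:
        if score >= threshold:
            return band
    raise ValueError(f"score out of range: {score}")


def rate(finding: Finding) -> dict:
    """Produce a rating record suitable for a tracker or report."""
    score = risk_score(finding)
    return {
        "title": finding.title,
        "likelihood": finding.likelihood,
        "likelihood_text": LIKELIHOOD[finding.likelihood],
        "impact": overall_impact(finding),
        "driving_category": max(finding.impacts, key=finding.impacts.get),
        "score": score,
        "band": risk_band(score),
    }


# Constructed sample findings, scored by reading off the rubric rows.
SAMPLE_FINDINGS = [
    # Common vector needing a hand-built exploit (likelihood 4); sandboxed
    # script execution on the user's device is User impact 4.
    Finding("Stored XSS in profile page", 4,
            {"user": 4, "privacy": 3, "reputation": 3}),
    # Multi-bug advanced chain (likelihood 1) that would give complete
    # device control (User 5) and force a rewrite (Engineering 5).
    Finding("Sandbox escape chain", 1,
            {"user": 5, "engineering": 5, "reputation": 4}),
    # Ongoing issue (likelihood 5) whose only effect is ops being notified.
    Finding("Noisy health-check alerts", 5, {"operational": 1}),
]

if __name__ == "__main__":
    for finding in sorted(SAMPLE_FINDINGS, key=risk_score, reverse=True):
        r = rate(finding)
        print(f"{r['score']:>2} {r['band']:<6} {r['title']} "
              f"(L{r['likelihood']} x I{r['impact']} via {r['driving_category']})")
```

Taking the maximum across categories keeps a finding from being diluted by the categories it does not touch; if your programme instead weights categories differently, `overall_impact` is the one function to change.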