Security/RiskRatings
Calculating Risk Ratings
The infrastructure security team calculates a risk rating from two scores: the likelihood that a threat becomes a successful attack, and the impact if that attack is completed.
When assessing a threat with the tables below, consider it under each column heading and assign a score per column. Record the highest column score as the threat's likelihood (first table) or impact (second table): the rating reflects the worst-case column, not an average across columns.
For example, consider
Likelihood
| Score | Probability | Technical |
|---|---|---|
| 1 | Shouldn't happen | Advanced attack requiring multiple vulnerabilities to exploit |
| 2 | Once every few years | Advanced attack |
| 3 | Once a year | Moderate-difficulty attack vector |
| 4 | Multiple times a year | Common attack vector, requires manual exploit creation |
| 5 | Ongoing issue | Common attack vector, easy to mount with available tools |
Impact
The impact of a finding is the potential outcome if the threat is realized. This is used to determine how individual threats
| Score | Operational | User | Privacy | Financial | Legal | Engineering | Reputation |
|---|---|---|---|---|---|---|---|
| 1 | Ops team notified | Browser crashes | Unresolved privacy issues in line with Privacy Policy | Low cost to remediate | | Minor code changes required | Negative comments from stakeholders |
| 2 | Minor outage, in line with SLAs | User behaviour can be trended | Minor concerns over privacy issues | Director approval to pay cost to remediate | | | Negative comments from community members |
| 3 | Moderate outage, complaints from users | Specific information about specific users can be obtained | Moderate concerns over privacy issues | Requires budget changes to remediate | | | Negative comments from user base |
| 4 | Significant outage (intl store) | Ability to execute sandboxed scripts and code on the user's device | Violation of Privacy Policy | Requires Board review to pay for remediation | | | Negative press in industry media |
| 5 | Service will be mothballed | Complete control over the user's device | Violation of Privacy Policy with production data | Extreme cost for remediation (e.g. MoCo/MoFo can't afford to) | | Complete redesign and rewrite | Negative press in mainstream media |
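A small scorer that applies the "score every column, record the highest" rule from the tables above, added here as an example and not the infrastructure security team's own tooling. It assumes integer scores in the range 1..5, takes the column names from the table headings (the Legal column is accepted although the page gives it no rubric text), and combines the two scores as likelihood × impact, which the page does not specify; the sample finding is constructed, not a real issue. Reporting the column that drove each score gives the reviewer the justification a rating needs.

```python
"""Likelihood/impact scorer for the rubric on this page (added example).

Assumptions not stated on the page: scores are integers 1..5, and the
combined rating is likelihood * impact (1..25).
"""
from typing import Dict, Tuple

# Column names taken from the two table headings above.
LIKELIHOOD_COLUMNS = ("Probability", "Technical")
IMPACT_COLUMNS = ("Operational", "User", "Privacy", "Financial",
                  "Legal", "Engineering", "Reputation")


def highest_score(scores: Dict[str, int], allowed: Tuple[str, ...]) -> Tuple[int, str]:
    """Return (highest score, column that produced it).

    Every scored column must be a known heading and every score an integer
    in 1..5; rejecting anything else stops a typo from silently lowering a
    rating. On ties the first column listed wins.
    """
    if not scores:
        raise ValueError("at least one column must be scored")
    for column, value in scores.items():
        if column not in allowed:
            raise ValueError(f"unknown column {column!r}; expected one of {allowed}")
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{column}: score must be an integer 1..5, got {value!r}")
    driver = max(scores, key=scores.__getitem__)
    return scores[driver], driver


def risk_rating(likelihood: Dict[str, int], impact: Dict[str, int]) -> dict:
    """Score a finding: max of the likelihood columns, max of the impact columns,
    and an assumed combination of the two (product; the page does not say)."""
    l_score, l_driver = highest_score(likelihood, LIKELIHOOD_COLUMNS)
    i_score, i_driver = highest_score(impact, IMPACT_COLUMNS)
    return {
        "likelihood": l_score,
        "likelihood_driver": l_driver,
        "impact": i_score,
        "impact_driver": i_driver,
        # Assumption: combined rating = likelihood * impact, range 1..25.
        "rating": l_score * i_score,
    }


# Constructed sample finding (hypothetical, not a real issue): a common,
# tool-supported attack that can run sandboxed script on the user's device.
SAMPLE_FINDING = {
    "likelihood": {"Probability": 3, "Technical": 5},
    "impact": {"Operational": 1, "User": 4, "Privacy": 3, "Reputation": 3},
}

if __name__ == "__main__":
    result = risk_rating(**SAMPLE_FINDING)
    print(f"likelihood {result['likelihood']} (driven by {result['likelihood_driver']}), "
          f"impact {result['impact']} (driven by {result['impact_driver']}), "
          f"rating {result['rating']}")
```

Unscored columns are simply omitted from the input; a column scored 0 or left blank to mean "not applicable" is rejected rather than guessed at, so the caller has to make that decision explicitly.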