Security/RiskRatings
This document is under construction
Calculating Risk Ratings
The infrastructure security team calculates risk ratings using a basic methodology capturing the likelihood of a threat becoming a successful attack, and the impact should the attack be completed.
When assessing a threat using the tables below, consider the threat in the context of each of the headings, and score each threat for each column. Select the highest score and record that as the impact or likelihood.
Example
Consider the threat "URL Shorteners get a copy of URLs shared by F1 Users" from the Mozilla F1 security review.
Looking at the Likelihood table we see:
- Probability is 5 since it is already happening (Ongoing Issue)
- Technical is also 5 since URL shorteners are relatively easy to enumerate
Going to the Impact table we see that:
- Operational impact is zero since it has not effect on the stability of the service
- User impact is 2 since user behaviour can be trended.
- Privacy impact is 4 since sharing information with 3rd parties is a violation of our privacy policies.
- Financial impact is 1 since it is extremely low cost to resolve the issue
- Engineering impact is 3 since replacing the functionality requires authoring new software.
- Reputation impact is 3 since there may be negative comments from our users who do not wish to use the shortening service
The highest Likelihood score is 5, and the highest impact score is 4 (Privacy).
To calculate the risk score simply multiply the likelihood by the impact, in the case of the issue discussed above, the Risk Rating would be 20.
Likelihood
| Likelihood | Probability | Technical |
| 1 | Shouldn't happen | Advanced Attack with requirement of multiple vulnerabilities to exploit |
| 2 | Once every few years | Advanced Attack |
| 3 | Once a year | Moderate difficulty attack vector |
| 4 | Multiple times a year | Common attack vector, requires manual exploit creation |
| 5 | Ongoing issue | Common attack vector, easy to mount with available tools |
Impact
The impact of a finding is the potential outcome if the threat is realized. The table below indicates the severity of the impact and what that means across several domains within an organization.
| Impact | Operational | User | Privacy | Financial | Engineering | Reputation |
| 1 | Ops Team Notified | Browser crashes | Unresolved privacy issues inline with Privacy Policy | Low cost to remediate | Platform or Application configuration changes needed. | Negative comments from stakeholders |
| 2 | Minor Outage, in line with SLAs | User behaviour can be trended | Minor concerns over Privacy issues | Director approval to pay cost to remediate | Multiple bug fixes and changes required. | Negative comments from community members |
| 3 | Moderate Outage, complaints from users | Specific information about specific users can be obtained | Moderate concerns over Privacy issues | Requires budget changes to remediate | New development required to resolve issues. | Negative comments from user base |
| 4 | Significant Outage (intl store) | The ability to execute scripts and code that is sandboxed on the users device | Violation of Privacy Policy | Requires Board review to pay for remediation | Reimplementation of core components required. | Negative press in industry media |
| 5 | Service will be mothballed. | Complete control over the users device | Violation of Privacy Policy with Production Data | Extreme cost for remediation (e.g. MoCo/Mofo can't afford to) | Complete redesign and rewrite | Negative press in mainstream media |
Risk Rating Methodologies Used Elsewhere
DREAD from Microsoft (blog post) Uses five categories:
- Damage - how bad would an attack be?
- Reproducibility - how easy it is to reproduce the attack?
- Exploitability - how much work is it to launch the attack?
- Affected users - how many people will be impacted?
- Discoverability - how easy it is to discover the threat?
When a given threat is assessed using DREAD, each category is given a rating. For example, 3 for high, 2 for medium, 1 for low and 0 for none. The sum of all ratings for a given exploit can be used to prioritize among different exploits.
OWASP Risk Rating Methodology Similar to Yvan's in that it uses Risk = Likelihood * Impact but produces a rating from 0 to 9 (or three groups 1-3, 4-6, 7-9 which equate to Low, Medium, and High).