OWASP Risk Rating Methodology

Risk is typically defined as a product of the effective Threat, Vulnerability and associated Cost of recovery. For the purposes of a Security Assessment, OWASP defines the risk associated with a security finding as a product of the impact, ease of exploitation, exposure and nominal value of the asset.

Risk = Impact x Ease of Exploitation x Exposure x Nominal Value

In breaking down the security findings in this way, they and their implications may be better evaluated, prioritised and managed.

Impact is taken as a measure of the implications on the discrete component should it be compromised. This is taken out of the context of the nature of the application or host (e.g. server, firewall or workstation), and regardless of the type of data stored on it.

The threat component is in part measured through Ease of Exploitation which quantifies the potential of an attacker taking advantage of the flaw to violate system integrity.

Exposure quantifies the likelihood that the vulnerability can be compromised through its availability. For example, an easily exploited vulnerability on an Internet facing host would be highly exposed, and therefore very likely to be compromised. An internal host with a vulnerability that was difficult to exploit would present a much lower threat. For example, a vulnerability on an Internet facing host would be highly exposed, and therefore very likely to be compromised. An internal host with the same vulnerability would present a much lower threat.

The final part of the risk equation is the Nominal Value of the elements in your environment, based on the importance of the system and its data. The testing team can estimate the importance of the host based on information given and the context, but clients are encouraged to consider the importance of hosts based on business criteria & asset value.

Risk Categories:

Impact (imp) critical high medium low

Ease of Exploitation (EoE) Easy Moderate Difficult

Exposure (Exp) Very high High Medium Low

Nominal Value (Val) High Medium Low

Putting this into practice looks like

Vulnerability found: Session handling inadequate Imp: Medium EoE: Moderate Exp: Very High Val: High

OWASP Testing Guide v2 Table of Contents