Risk Rating Tool

Compute risk severity based on OWASP methodology

Likehood	()
Threat agent factors	()
Skill Level	0. 1. No technical skills 2. 3. Some technical skills 4. 5. Advanced computer user 6. Network and programming skills 7. 8. 9. Security penetration skills
Motive	0. 1. Low or no reward 2. 3. 4. Possible reward 5. 6. 7. 8. 9. High reward
Opportunity	0. Full access or expensive resources required 1. 2. 3. 4. Special access or resources required 5. 6. 7. Some access or resources required 8. 9. No access or resources required
Size	0. 1. 2. Developers, system administrators 3. 4. Intranet users 5. Partners 6. Authenticated users 7. 8. 9. Anonymous Internet users
Vulnerability factors	()
Ease of discovery	0. 1. Practically impossible 2. 3. Difficult 4. 5. 6. 7. Easy 8. 9. Automated tools available
Ease of exploit	0. 1. Theoretical 2. 3. Difficult 4. 5. Easy 6. 7. 8. 9. Automated tools available
Awareness	0. 1. Unknown 2. 3. 4. Hidden 5. 6. Obvious 7. 8. 9. Public knowledge
Intrusion detection	0. 1. Active detection in application 2. 3. Logged and reviewed 4. 5. 6. 7. 8. Logged without review 9. Not logged
Impact	()
Technical Impact	()
Loss of confidentiality	0. 1. 2. Minimal non-sensitive data disclosed 3. 4. Minimal critical data disclosed, extensive non-sensitive data disclosed 5. Extensive critical data disclosed 6. 7. 8. 9. All data disclosed
Loss of integrity	0. 1. Minimal slightly corrupt data 2. 3. Minimal seriously corrupt data 4. 5. Extensive slightly corrupt data 6. 7. Extensive seriously corrupt data 8. 9. All data totally corrupt
Loss of availability	0. 1. Minimal secondary services interrupted 2. 3. 4. 5. Minimal primary services interrupted, extensive secondary services interrupted 6. 7. Extensive primary services interrupted 8. 9. All services completely lost
Loss of accountability	0. 1. Fully traceable 2. 3. 4. 5. 6. 7. Possibly traceable 8. 9. Completely anonymous
Business Impact	()
Financial damage	0. 1. Less than the cost to fix the vulnerability 2. 3. Minor effect on annual profit 4. 5. 6. 7. Significant effect on annual profit 8. 9. Bankruptcy
Reputation damage	0. 1. Minimal damage 2. 3. 4. Loss of major accounts 5. Loss of goodwill 6. 7. 8. 9. Brand damage
Non-compliance	0. 1. 2. Minor violation 3. 4. 5. Clear violation 6. 7. High profile violation 8. 9.
Privacy violation	0. 1. 2. 3. One individual 4. 5. Hundreds of people 6. 7. Thousands of people 8. 9. Millions of people