Security Risk Scoring

2009 Jun 17


A universal application risk scoring system

  1. is public (and not proprietary)
  2. takes into consideration things like potential damage, reproducibility, exploitability, affected users and discoverability (see the DREAD model for details), but is more specific and accurate when it comes to risk quantification.
  3. does not rely much on knowing the absolute value of assets or the value of the loss if a system is compromised; normalization by the maximum possible loss is needed
  4. is simple and easily understood, with minimal subjectivity
  5. is not solely based on vulnerability types, because the same type of vulnerability (XSS, SQL injection, CSRF, etc.) could have high impact or no impact at all, depending on the application, data, business use cases, etc.
  6. needs a large dynamic range, such as (1, 10, 100, 1000, 10000, 100000, 1000000, 10000000, 100000000, 1000000000), because it needs to quantify such things from various viewpoints, such as compromised data, i.e. data stolen or destroyed (deleted or modified).

Destroyed data is presumably backed up somehow, so the "cost" is the time to restore it plus the work to block the attack that compromised it in the first place so it cannot happen again. Stolen data is more serious, and the data itself needs a weight reflecting the impact of its being stolen.

There are still possible inconsistencies in when to choose a high cost/risk weight, but guidelines for that can be created with objective formulas.

Some losses could put a company out of business because no customer can trust them anymore, while others would just have a range of cost (which may or may not put them out of business).
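As an added illustration (not the author's scheme nor any NIST one), the following Python shows one scoring function that satisfies items 2, 3 and 6 above: DREAD-style ratings for likelihood, a loss normalised by the maximum possible loss, and a logarithmic mapping onto the decade scale. The stolen/destroyed weights, the combination formula and the sample input are assumptions.

```python
import math

# Added illustration, not the author's scheme: one way to satisfy properties
# 2, 3 and 6 above. Likelihood factors are DREAD-style 0..10 ratings; impact
# is a loss normalised by the maximum possible loss, so the absolute value of
# the assets never has to be known precisely. Weights are assumptions.

DECADES = 9               # score range 1 .. 10**9, the ten-step scale in item 6
STOLEN_WEIGHT = 1.0       # stolen data carries the full weight of its value
DESTROYED_WEIGHT = 0.2    # destroyed data: restore time plus blocking the attack

def likelihood(reproducibility: int, exploitability: int, discoverability: int) -> float:
    """Combine DREAD-style 0..10 ratings into a probability-like factor in [0, 1]."""
    for rating in (reproducibility, exploitability, discoverability):
        if not 0 <= rating <= 10:
            raise ValueError("ratings must be in 0..10")
    return (reproducibility + exploitability + discoverability) / 30.0

def normalised_impact(stolen_value: float, destroyed_value: float,
                      affected_fraction: float, max_loss: float) -> float:
    """Loss as a fraction of the worst case (property 3), clamped to [0, 1]."""
    if max_loss <= 0 or not 0 <= affected_fraction <= 1:
        raise ValueError("max_loss must be > 0 and affected_fraction in 0..1")
    loss = (STOLEN_WEIGHT * stolen_value
            + DESTROYED_WEIGHT * destroyed_value) * affected_fraction
    return min(1.0, loss / max_loss)

def risk_score(lik: float, imp: float) -> int:
    """Map likelihood * impact onto the decade scale 1, 10, ..., 10**9.

    The mapping is logarithmic: score ~= risk_fraction * 10**9 rounded to the
    nearest power of ten, so a risk of 1e-6 of the worst case lands on 1000.
    """
    risk = lik * imp
    if risk <= 0:
        return 1                           # negligible: bottom of the scale
    exponent = DECADES + math.log10(risk)  # risk=1 -> 9, risk=1e-9 -> 0
    return 10 ** max(0, min(DECADES, round(exponent)))

if __name__ == "__main__":
    # Constructed input: stolen customer records worth 5% of the worst case,
    # exposed by an easily reproduced, moderately exploitable vulnerability.
    lik = likelihood(reproducibility=8, exploitability=6, discoverability=7)
    imp = normalised_impact(stolen_value=500_000, destroyed_value=0,
                            affected_fraction=1.0, max_loss=10_000_000)
    print(lik, imp, risk_score(lik, imp))   # 0.7 0.05 100000000
```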

Precision is needed in any security model. Everything involved in a secure context is domain specific. The boundaries of the security model have to be well defined.

See the spec references for two NIST scoring systems (csrc.nist.gov):

See also: Data Loss Cost Calculator