How to Calculate Web Security Risk

D. Husni Fahri Rizal
The Legend
3 min read · Mar 21, 2020

Before we discuss how to calculate security risk, we must first know the risk calculation models. There are many models for calculating risk in the area of IT security. What follows is a selection of the better-known risk-analysis methodologies and tools.

  • CRAMM: An acronym for the “CCTA risk analysis and management method,” it refers to a process of analysis that combines assets, threats, and vulnerabilities to evaluate risk and come up with a list of countermeasures.
  • DREAD: “Damage, reproducibility, exploitability, affected users, discoverability” is a Microsoft model focused on vulnerabilities and their outcomes. DREAD comes with a scoring plan that makes creating a quantitative DREAD score straightforward and less qualitative.
  • STRIDE: “Spoofing identity, tampering with data, repudiation, information disclosure, denial of service, and elevation of privilege” is a model focused on types of threats.
  • FRAP: The “facilitated risk analysis process” is a type of qualitative risk analysis focused on organizing teams from business units in order to address security.
  • OCTAVE Allegro: Developed by CERT, “operationally critical threat, asset and vulnerability evaluation” is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning. There are two versions of OCTAVE: full OCTAVE for large organizations and OCTAVE-S for small organizations.
  • Spanning Tree Analysis: This is a technique for creating a “tree” of all possible threats to a system.

As an example, we will discuss the DREAD model in more detail.

DREAD Security Model

The DREAD model is a widely used methodology for calculating the degree of risk presented by a threat. It involves attaching a numeric score to five risk variables and then calculating another score for a particular threat. Information about DREAD is available on the Open Web Application Security Project (OWASP) web page (www.owasp.org).

The five variables for calculating risk in the DREAD model are:

  • Damage potential: Assesses how much damage an exploited vulnerability could cause. The more damage, the higher the risk.
  • Reproducibility: Determines the degree of difficulty of reproducing or making an exploit happen. The easier the reproduction, the higher the risk.
  • Exploitability: Evaluates the degree of expertise, time, and tools needed to execute the exploit. The easier the process, the higher the risk.
  • Affected users: Calculates the number and importance of users that could be affected. The larger the number and the higher the importance, the higher the risk.
  • Discoverability: Assesses the ease of identifying the threat, which might range from one that is obvious and is shown in a web browser address bar to one that is not documented and is very difficult to detect. The more difficult to detect, the higher the risk.

You then assign one of the following values to each of the five variables to get a clear indication of the security posture:

  • 0 = Nothing
  • 5 = Medium risk description
  • 10 = High risk description

An example is a cross-site scripting vulnerability, whose DREAD score may be:

  • Damage potential: 10
  • Reproducibility: 5
  • Exploitability: 10
  • Affected users: 10 (this does not mean only 10 users are affected; it indicates that a large number of users are affected)
  • Discoverability: 5
  • Total score: 40

In this case, the reader can infer from the high total score (40 out of a possible 50) that the vulnerability has a large damage potential for a great number of users and should be mitigated immediately.
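The scoring above, as an added example that is not part of the original article: a small Python register that validates each variable against the article's 0/5/10 scale, sums the five values into the DREAD total, and ranks findings highest-risk first. The XSS entry uses the article's numbers; the other two findings and all their scores are constructed for illustration.

```python
from dataclasses import dataclass, asdict

# The three-level scale the article assigns to each DREAD variable.
ALLOWED_SCORES = (0, 5, 10)
MAX_TOTAL = 10 * 5  # five variables, 10 points each


@dataclass(frozen=True)
class DreadScore:
    """One finding rated on the five DREAD variables."""
    damage_potential: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject anything outside the 0/5/10 scale so totals stay comparable.
        for name, value in asdict(self).items():
            if value not in ALLOWED_SCORES:
                raise ValueError(f"{name}={value!r} is not one of {ALLOWED_SCORES}")

    def total(self) -> int:
        """The DREAD score: the plain sum of the five variables (0..50)."""
        return sum(asdict(self).values())


def rank_threats(threats: dict[str, DreadScore]) -> list[tuple[str, int]]:
    """Order findings by total score, highest first. Ties fall back to the
    finding name so the order in a report is deterministic."""
    return sorted(((name, s.total()) for name, s in threats.items()),
                  key=lambda item: (-item[1], item[0]))


# Constructed sample register. The first entry is the article's XSS example
# (10, 5, 10, 10, 5 = 40); the other two are hypothetical findings.
SAMPLE_THREATS = {
    "reflected XSS in search page": DreadScore(10, 5, 10, 10, 5),
    "verbose stack trace on error page": DreadScore(5, 10, 10, 5, 10),
    "no rate limit on password reset": DreadScore(5, 5, 5, 10, 0),
}

if __name__ == "__main__":
    for name, total in rank_threats(SAMPLE_THREATS):
        print(f"{total:>2}/{MAX_TOTAL}  {name}")
```

Two findings with the same total (here both at 40) are listed alphabetically; in practice the team decides which to mitigate first.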
