root@kscsc:~# owasp-risk

// OWASP Risk Rating Methodology — interactive calculator

  $ man owasp-risk

  NAME
      owasp-risk — OWASP Risk Rating Methodology Calculator

  DESCRIPTION
      Calculates vulnerability risk using the OWASP Risk Rating
      Methodology. Evaluates 16 factors across two axes:

  LIKELIHOOD   Threat Agent [4 factors] + Vulnerability [4 factors]
  IMPACT       Technical    [4 factors] + Business     [4 factors]

  RISK LEVELS
      Score  0–3 → LOW   3–6 → MEDIUM   6–9 → HIGH

  USAGE
      Adjust the dropdowns below. Results update in real time.
            
[-] THREAT AGENT FACTORS
// What is a Threat Agent?
A threat agent is any entity (person, group, tool) that could exploit a vulnerability. These factors estimate who is likely to attack and how motivated and capable they are. Higher values = easier/more likely attack.

Skill Level — technical expertise of the threat agent.
Motive — incentive to find and exploit the vulnerability.
Opportunity — access required (lower score = harder to reach).
Size — size of the group of possible attackers.
[-] VULNERABILITY FACTORS
// What are Vulnerability Factors?
These describe how easy it is to discover and exploit the specific vulnerability, and how likely an attack is to be detected. They represent the vulnerability itself, independent of the threat agent. Higher values = easier to exploit.

Ease of Discovery — how easy is it to find this vulnerability?
Ease of Exploit — how easy is it to actually exploit it?
Awareness — how well-known is this vulnerability type?
Intrusion Detection — how likely is exploitation to be detected?
[-] TECHNICAL IMPACT
// What is Technical Impact?
Technical impact measures the effect of a successful exploit on the CIA triad (Confidentiality, Integrity, Availability) and on Accountability. Scores follow CVSS-style semantics: estimate the realistic worst-case outcome, not just the theoretical maximum.

Loss of Confidentiality — how much data is exposed and how sensitive?
Loss of Integrity — can data be modified? How severely?
Loss of Availability — are services disrupted? Which ones?
Loss of Accountability — can attacker actions be traced?
[-] BUSINESS IMPACT
// What is Business Impact?
Business impact builds on technical impact and reflects consequences for the organization: financial losses, brand damage, regulatory penalties, and privacy breaches. If business impact is well understood, OWASP recommends using it as the primary driver of the final risk rating.

Financial Damage — direct monetary loss from exploitation.
Reputation Damage — harm to brand, trust, and customer relationships.
Non-Compliance — severity of regulatory or legal violations (GDPR, NIS2…).
Privacy Violation — scale of personal data exposure.
[ REFERENCES ]
// Risk Matrix
The final risk level is determined by the OWASP risk matrix:
  Likelihood \ Impact   LOW       MEDIUM    HIGH
  ─────────────────────────────────────────────
  LOW                   NOTE      LOW       MEDIUM
  MEDIUM                LOW       MEDIUM    HIGH
  HIGH                  MEDIUM    HIGH      CRITICAL
                
Impact score = max(Technical, Business). Likelihood score = avg(Threat Agent, Vulnerability).
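
The scoring rules above as a small Python calculator. This is an added example, not the page's own calculator code. It assumes each group score is the mean of its four 0-9 factors and that boundary scores fall into the higher band (3 is MEDIUM, 6 is HIGH); the sample scores are constructed.

```python
from statistics import mean

# Risk matrix from the page, indexed as MATRIX[likelihood_level][impact_level].
MATRIX = {
    "LOW":    {"LOW": "NOTE",   "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "CRITICAL"},
}

def group_score(factors):
    """Mean of one factor group (assumption: four scores, each 0-9)."""
    if len(factors) != 4 or any(not 0 <= f <= 9 for f in factors):
        raise ValueError("a factor group needs exactly four scores in 0-9")
    return mean(factors)

def level(score):
    """Map a 0-9 score to a band. Assumption: boundary values belong to
    the higher band (3 -> MEDIUM, 6 -> HIGH)."""
    if score < 3:
        return "LOW"
    return "MEDIUM" if score < 6 else "HIGH"

def rate(threat_agent, vulnerability, technical, business):
    """Apply the page's rules: likelihood = avg(groups), impact = max(groups)."""
    likelihood = mean([group_score(threat_agent), group_score(vulnerability)])
    impact = max(group_score(technical), group_score(business))
    return {
        "likelihood": likelihood, "likelihood_level": level(likelihood),
        "impact": impact, "impact_level": level(impact),
        "risk": MATRIX[level(likelihood)][level(impact)],
    }

# Constructed sample finding (not from the page): scores per factor, in the
# order the sections above list them.
SAMPLE = {
    "threat_agent":  [6, 4, 7, 9],   # skill, motive, opportunity, size
    "vulnerability": [3, 5, 6, 3],   # discovery, exploit, awareness, detection
    "technical":     [7, 5, 1, 7],   # confidentiality, integrity, availability, accountability
    "business":      [7, 5, 7, 7],   # financial, reputation, non-compliance, privacy
}

if __name__ == "__main__":
    result = rate(**SAMPLE)
    print(f"likelihood {result['likelihood']:.3f} ({result['likelihood_level']})")
    print(f"impact     {result['impact']:.3f} ({result['impact_level']})")
    print(f"risk       {result['risk']}")
```

With the sample scores the business group (6.5) outranks the technical group (5.0), so impact is HIGH and the overall rating is HIGH. Averaging the two impact groups instead would give 5.75, a MEDIUM impact and a MEDIUM rating.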

// Official Documentation
OWASP Risk Rating Methodology — primary reference for this calculator.
OWASP Threat Modeling Cheat Sheet — how to identify threat agents and attack scenarios.
OWASP Risk Assessment Framework (RAF) — extended tooling for risk management programs.
NIST CVSS Calculator — complementary scoring system (compare with OWASP Risk Rating).