Security Risk Assessment in Web Application Security

By | December 20, 2005

Security risk assessment and security risk management have become vital tasks for security officers and IT managers. Corporations face increased levels of risk almost daily: from software vulnerabilities hidden in their business-technology systems to hackers and cyber crooks trying to steal proprietary corporate intellectual property, including sensitive customer information. An ever-growing list of government regulations aimed to ensure the confidentiality, integrity, and availability of many types of financial and health-related information also is increasing IT risks and making a comprehensive security risk assessment a modern day corporate necessity.

But how do organizations perform an accurate security risk assessment of their IT systems and the critical information they store? Risk surrounds us everyday in the physical world, and we take precautions to mitigate those risks: everything from wearing seat belts to purchasing life insurance. But it´s not so easy to comprehend Web security risk management: How much does it actually cost a company when a Web server is breached, or if an attack disrupts the availability of critical Web systems? What are the costs associated with a hacker or competitor snatching proprietary information or customer lists from an insecure Web server? How Web security risk management is performed depends entirely on knowing the answers to these questions.

The Security Risk Assessment Equation

Such risks can be seen more clearly through the following simple equation that quantifies a security risk assessment:

Risk = Value of the Asset x Severity of the Vulnerability x Likelihood of an Attack

In this equation, you can provide a weighting of 1-10 (10 being the most severe or highest) for each risk factor. By multiplying the factors, it’s easy to arrive at an aggregate security risk assessment for any asset. Let’s take an everyday example: we have an e-commerce server that performs 40 percent of all customer transactions for the organization, and it has a very severe and easy-to-exploit vulnerability:

E-commerce Server Risk = 10 (Value of the Asset) x 10 (Severity of the Vulnerability) x 10 (Likelihood of an Attack).

In this example, the e-commerce server risk equals 1,000: the highest security risk assessment possible. The company would then structure its security risk management policies accordingly, allotting more resources to mitigating this risk.

Now, let’s compare the results of a security risk assessment in two other instances: a moderate vulnerability with an e-commerce server and a severe vulnerability with an Intranet server used to publish internal announcements:

E-commerce Server Risk = 10 (Value of the Asset) x 4 (Severity of the Vulnerability) x 4 (Likelihood of an Attack). The e-commerce Server Risk = 160, a moderate risk ranking. Intranet Server Risk = 2 (Value of the Asset) x 8 (Severity of the Vulnerability) x 6 (Likelihood of an Attack). The Intranet Server Risk = 96, a lower security risk assessment ranking.

Leave a Reply