Likelihood factors
Threat Agent Factors
Skills required
Not Applicable [0] Security penetration skills [1] Network and programming skills [3] Advanced computer user [4] Some technical skills [6] No technical skills [9]
Motive
Not Applicable [0] Low or no reward [1] Possible reward [4] High reward [9]
Opportunity
Full access or expensive resources required [0] Special access or resources required [4] Some access or resources required [7] No access or resources required [9]
Population Size
Not Applicable [0] System Administrators [2] Intranet Users [4] Partners [5] Authenticated users [6] Anonymous Internet users [9]
Vulnerability Factors
Ease of Discovery
Not Applicable [0] Practically impossible [1] Difficult [3] Easy [7] Automated tools available [9]
Ease of Exploit
Not Applicable [0] Theoretical [1] Difficult [3] Easy [5] Automated tools available [9]
Awareness
Not Applicable [0] Unknown [1] Hidden [4] Obvious [6] Public knowledge [9]
Intrusion Detection
Not Applicable [0] Active detection in application [1] Logged and reviewed [3] Logged without review [8] Not logged [9]
Score
Impact factors
Technical Impact Factors
Loss of confidentiality
Not Applicable [0] Minimal non-sensitive data disclosed [2] Extensive non-sensitive data disclosed [6] Extensive critical data disclosed [7] All data disclosed [9]
Loss of Integrity
Not Applicable [0] Minimal slightly corrupt data [1] Minimal seriously corrupt data [3] Extensive slightly corrupt data [5] Extensive seriously corrupt data [7] All data totally corrupt [9]
Loss of Availability
Not Applicable [0] Minimal secondary services interrupted [1] Minimal primary services interrupted [5] Extensive primary services interrupted [7] All services completely lost [9]
Loss of Accountability
Not Applicable [0] Attack fully traceable to individual [1] Attack possibly traceable to individual [7] Attack completely anonymous [9]
Business Impact Factors
Financial damage
Not Applicable [0] Damage costs less than fixing the issue [1] Minor effect on annual profit [3] Significant effect on annual profit [7] Bankruptcy [9]
Reputation damage
Not Applicable [0] Minimal damage [1] Loss of major accounts [4] Loss of goodwill [5] Brand damage [9]
Non-Compliance
Not Applicable [0] Minor violation [2] Clear violation [5] High profile violation [7]
Privacy violation
Not Applicable [0] One individual [3] Hundreds of people [5] Thousands of people [7] Millions of people [9]
Score