Blending Vulnerability Assessments with OWASP Risk Metrics ✳️

Security engineers and leaders combine vulnerability assessments with OWASP risk metrics proactively for several reasons. This approach provides a structured and quantifiable method to identify, assess, and prioritize vulnerabilities in software and web applications. By evaluating both the likelihood of a threat being exploited and the potential impact on the organization, OWASP risk metrics enable businesses and teams to focus their efforts where they are most needed, enhancing their overall security posture.

The use of OWASP risk metrics helps organizations not only uncover and understand the vulnerabilities within their systems but also allocate their resources more efficiently, ensuring that the most critical vulnerabilities are addressed first. This methodology supports a more strategic approach to cybersecurity, where decisions are driven by a comprehensive analysis of the threat landscape and the specific risks an organization faces.

Why Risk Modeling for organisations?

  • Customized Risk Assessment: Helps security engineers and leaders to identify risks tied to vulnerabilities based on specific criteria.
  • Prioritized Vulnerability Management: Guides us in ranking vulnerabilities to focus on effective controls and countermeasures.
  • Structured Evaluation Framework: A systematic way to assess application vulnerabilities across development, audit, and business perspectives.
  • Business Risk Translation: Enables the conversion of technical vulnerabilities into understandable business risks, facilitating informed decision-making.

Key Factors:

  • Vulnerability
  • Application usage in business context
  • Application architecture and data flow
  • Application’s Information Security requirements
  • The threat vector (type of attacker) we are defending against:
    • Curious Attacker
    • Script Kiddies
    • OWASP
    • Motivated Attacker
    • Organized Crime

Risk = Likelihood * Impact

Likelihood is measured by:

Threat Agent factors –

  • Skill Level – How technically skilled is this group of threat agents? No technical skills (1), some technical skills (3), advanced computer user (5), network and programming skills (6), security penetration skills (9)
  • Motive – How motivated is this group of threat agents to find and exploit this vulnerability? Low or no reward (1), possible reward (4), high reward (9)
  • Opportunity – What resources and opportunities are required for this group of threat agents to find and exploit this vulnerability? Full access or expensive resources required (0), special access or resources required (4), some access or resources required (7), no access or resources required (9)
  • Size – How large is this group of threat agents? Developers (2), system administrators (2), intranet users (4), partners (5), authenticated users (6), anonymous Internet users (9)

Vulnerability factors –

  • Ease of Discovery – How easy is it for this group of threat agents to discover this vulnerability? Practically impossible (1), difficult (3), easy (7), automated tools available (9)
  • Ease of Exploit – How easy is it for this group of threat agents to actually exploit this vulnerability? Theoretical (1), difficult (3), easy (5), automated tools available (9)
  • Awareness – How well known is this vulnerability to this group of threat agents? Unknown (1), hidden (4), obvious (6), public knowledge (9)
  • Intrusion Detection – How likely is an exploit to be detected? Active detection in application (1), logged and reviewed (3), logged without review (8), not logged (9)

Impact is measured by:

Technical Impact –

  • Loss of Confidentiality – How much data could be disclosed and how sensitive is it? Minimal non-sensitive data disclosed (2), minimal critical data disclosed (6), extensive non-sensitive data disclosed (6), extensive critical data disclosed (7), all data disclosed (9)
  • Loss of Integrity – How much data could be corrupted and how damaged is it? Minimal slightly corrupt data (1), minimal seriously corrupt data (3), extensive slightly corrupt data (5), extensive seriously corrupt data (7), all data totally corrupt (9)
  • Loss of Availability – How much service could be lost and how vital is it? Minimal secondary services interrupted (1), minimal primary services interrupted (5), extensive secondary services interrupted (5), extensive primary services interrupted (7), all services completely lost (9)
  • Loss of Accountability – Are the threat agents’ actions traceable to an individual? Fully traceable (1), possibly traceable (7), completely anonymous (9)

Business Impact –

  • Financial damage – How much financial damage will result from an exploit? Less than the cost to fix the vulnerability (1), minor effect on annual profit (3), significant effect on annual profit (7), bankruptcy (9)
  • Reputation damage – Would an exploit result in reputation damage that would harm the business? Minimal damage (1), Loss of major accounts (4), loss of goodwill (5), brand damage (9)
  • Non-compliance – How much exposure does non-compliance introduce? Minor violation (2), clear violation (5), high profile violation (7)
  • Privacy violation – How much personally identifiable information could be disclosed? One individual (3), hundreds of people (5), thousands of people (7), millions of people (9)

Likelihood and Impact Levels –

  Score      Level
  0 to <3    LOW
  3 to <6    MEDIUM
  6 to 9     HIGH

Likelihood Risk Matrix –

  Threat Agent Factors           Vulnerability Factors
  Skill                  5       Ease of discovery      3
  Motive                 2       Ease of exploit        6
  Size                   1       Intrusion Detection    2
  Overall Threat Agent   4.375 (Medium)
  Overall Vulnerability  4.375 (Medium)

Impact Risk Matrix –

  Technical Impact                     Business Impact
  Loss of confidentiality    9         Financial damage     1
  Loss of integrity          7         Reputation damage    2
  Loss of availability       5         Non-compliance       1
  Loss of accountability     8         Privacy violation    5
  Overall technical impact   7.25 (HIGH)
  Overall business impact    2.25 (LOW)

Overall Risk Severity –

  Impact \ Likelihood    LOW                  MEDIUM    HIGH
  LOW                    Note / Informative   Low       Medium
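An added Python calculator (not the page's own tool) that implements the averaging, banding and severity lookup described above: each factor group is averaged, scores are banded 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH, and likelihood and impact levels are looked up in the severity matrix. The full matrix is the standard OWASP one; the sample ratings are constructed, and the opportunity and awareness values are assumed because the likelihood table above omits them.

```python
from statistics import mean
from typing import Optional
# Score bands from the OWASP Risk Rating Methodology: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH.
def level(score: float) -> str:
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"

# Standard OWASP severity matrix, keyed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "Note", ("MEDIUM", "LOW"): "Low", ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High", ("HIGH", "HIGH"): "Critical",
}

def average(factors: dict) -> float:
    """Average one group of factor ratings after checking each is on the 0..9 scale."""
    bad = {k: v for k, v in factors.items() if not 0 <= v <= 9}
    if bad:
        raise ValueError(f"ratings outside 0..9: {bad}")
    return mean(factors.values())

def rate(threat_agent: dict, vulnerability: dict,
         technical: dict, business: Optional[dict] = None) -> dict:
    """Likelihood is the mean of all eight threat-agent and vulnerability factors.
    Business impact drives the overall severity when it has been assessed;
    otherwise technical impact stands in, as the OWASP methodology prescribes."""
    likelihood = average({**threat_agent, **vulnerability})
    technical_impact = average(technical)
    business_impact = average(business) if business else None
    impact = technical_impact if business_impact is None else business_impact
    return {
        "likelihood": likelihood,
        "technical_impact": technical_impact,
        "business_impact": business_impact,
        "severity": SEVERITY[(level(likelihood), level(impact))],
    }

if __name__ == "__main__":
    # Constructed ratings: the impact values reproduce the worked matrices on this page;
    # opportunity and awareness are assumed, since the page's likelihood table omits them.
    result = rate(
        {"skill": 5, "motive": 2, "opportunity": 7, "size": 1},
        {"ease_of_discovery": 3, "ease_of_exploit": 6, "awareness": 4, "intrusion_detection": 2},
        {"confidentiality": 9, "integrity": 7, "availability": 5, "accountability": 8},
        {"financial": 1, "reputation": 2, "non_compliance": 1, "privacy": 5},
    )
    print(result)  # technical 7.25 (HIGH), business 2.25 (LOW), likelihood 3.75, severity "Low"
```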

Auto Risk Calculator Tool –
  • High: Represents a severe level of risk that could lead to significant damage or loss, warranting immediate attention and action to mitigate.
  • Medium: Indicates a moderate level of risk, potentially causing noticeable disruption or loss, and should be addressed in a timely manner to prevent escalation.
  • Low: Corresponds to a minor level of risk with limited impact, which may require action but is of lower priority compared to higher risks.
  • Note/Informative: Used to denote observations or findings that do not pose a direct risk but are important for informational purposes or future consideration.

Moreover, adopting OWASP risk metrics aids in compliance with various regulatory requirements and industry standards by demonstrating a commitment to rigorous, standardized security practices.