
Error in the Risk Rating Methodology page #431

Closed
filippobuletto opened this issue May 24, 2021 · 4 comments · Fixed by #433

Comments

@filippobuletto

In the "Threat Agent Factors" chapter the "Skill Level" ratings are inverted:

Expected:

No technical skills (9), some technical skills (6), advanced computer user (5), network and programming skills (3), security penetration skills (1)

Presented:

No technical skills (1), some technical skills (3), advanced computer user (5), network and programming skills (6), security penetration skills (9)

@kingthorin
Contributor

No, they’re fine; a skilled attacker is of greater risk.

@filippobuletto
Author

Sorry for the insistence, but this is not a risk level; in fact, the risk is a value calculated at the end of the methodology.

Here it is a matter of estimating the probability of success of the attack based on the knowledge required of the group of people attacking the system, so if the level required to attack the system is higher (skills that few people have), the probability of an attack is lower (hence level 1, for example), and vice versa.

Or, something absolutely not to be excluded, I have misinterpreted it and therefore the element should still be reformulated to make it more explicit and less subject to interpretation!

Anyway thanks @kingthorin !

See also:
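To make the disagreement concrete, here is an added example (mine, not code from the issue thread or from OWASP) that feeds the "Skill Level" factor into a likelihood estimate under both scales quoted above. It assumes the published OWASP Risk Rating approach of averaging eight 0-9 likelihood factors and bucketing the result (below 3 LOW, below 6 MEDIUM, otherwise HIGH); the seven non-skill factor values are a constructed scenario.

```python
# Added illustration: how the "Skill Level" threat-agent factor changes a
# likelihood estimate depending on which direction the scale runs.
# Assumption (not from the issue): OWASP averages eight likelihood factors
# (four threat-agent, four vulnerability), each scored 0-9, and buckets the
# average as <3 LOW, <6 MEDIUM, else HIGH.

# Scale as the issue reporter expects it: rarer skills => lower likelihood.
SKILL_EXPECTED = {
    "no technical skills": 9,
    "some technical skills": 6,
    "advanced computer user": 5,
    "network and programming skills": 3,
    "security penetration skills": 1,
}

# Scale as presented on the page at the time of the issue.
SKILL_PRESENTED = {
    "no technical skills": 1,
    "some technical skills": 3,
    "advanced computer user": 5,
    "network and programming skills": 6,
    "security penetration skills": 9,
}


def likelihood_level(score):
    """Bucket a 0-9 likelihood score into the assumed OWASP bands."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def likelihood(skill_required, other_factors, scale):
    """Average the skill factor with the seven remaining likelihood factors."""
    if len(other_factors) != 7:
        raise ValueError("expected the seven non-skill likelihood factors")
    factors = [scale[skill_required]] + list(other_factors)
    return sum(factors) / len(factors)


def compare_scales(skill_required, other_factors):
    """Return ((score, band), (score, band)) for the expected and presented scales."""
    expected = likelihood(skill_required, other_factors, SKILL_EXPECTED)
    presented = likelihood(skill_required, other_factors, SKILL_PRESENTED)
    return (expected, likelihood_level(expected)), (presented, likelihood_level(presented))


if __name__ == "__main__":
    # Constructed scenario: a flaw needing penetration skills, other factors all 3.
    print(compare_scales("security penetration skills", [3] * 7))
```

With every other factor at 3, the same scenario lands in LOW under the reporter's reading and MEDIUM under the presented scale, which is the practical effect the thread is arguing about.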

@kingthorin
Contributor

You’d have to look through the page history on wiki.OWASP.org and the testing mailing list; this has always been contentious.

@kingthorin
Contributor

kingthorin commented May 24, 2021

We’ll remove this individual page and simply put in a redirect to the Risk Assessment Framework. It’s an active project and a more reasonable resource for the topic.
