Penetration Testing mailing list archives

Re: Risk metrics


From: Pete Herzog <lists () isecom org>
Date: Sat, 05 Nov 2005 21:59:48 +0100

Marc,

has anybody else had a look at the RAV metric for OSSTMM 3.0?
I just did - and in my opinion it's horrifying.
Anything which is more complicated than multiplying more than
3 numbers is too complicated to use in a report to a client.

You actually need only provide 1 number to the client -- the RAV.  If
you want to break it down into each part, then yes, it's 4 numbers which
might start getting a little heavy for your clients.

It is already difficult enough to explain to them what their
problems are - this calculation sheet is a killer for any
consultant.

I think you just need to learn it first.  It's actually pretty simple to
fill out the form and once you read through an example you'll figure it
so as well.  I know it has helped early-adopter consultants better
explain gaps in security or wasted money on overly redundant security
measures to their clients.

Sincerely,
-pete.


