Penetration Testing mailing list archives

Re: Security Grade

From: lauren.malhoit () tylertech com
Date: 7 Dec 2007 13:03:03 -0000

I think it's all pretty relative.  Microsoft recommends doing either a qualitative risk analysis or quantitative (or 
both).  In one case you assign the odds of the risk of a specific attack a number (1-10) and assign the severity of the 
risk a number (ie will it cause business to shut down or something).  Then you multiply those two numbers and it gives 
you a risk assessment.  In the other case, you take the actual money (both directly and indirectly) that might be lost 
and multiply that times however many times that would probably happen in a year.  

It's a little more scientific than that (although not much), but you get the gist.   

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Current thread:

Re: Security Grade, (continued)
- - Re: Security Grade Ed Fuller (Dec 12)
- Re: Security Grade dave-san (Dec 10)
- RE: Security Grade Malhoit, Lauren (Dec 10)
- Re: Security Grade Benjamin Tomhave (Dec 10)
- Re: Security Grade Eddie Block (Dec 10)
  - Re: Security Grade Francois Larouche (Dec 12)
    - Re: Security Grade Eddie Block (Dec 12)
    - Re: Security Grade Francois Larouche (Dec 13)
    - Re: Security Grade Pete Herzog (Dec 13)
  - Re: Security Grade Stephen Strange (Dec 12)
- Re: Security Grade lauren . malhoit (Dec 10)
- Re: Re: Security Grade cwright (Dec 12)