anyone work in federal IT security?

i have a question about doing a risk assessment as outlined by NIST in SP 800-30. there is a 3x3 risk level matrix they use to calculate risk level. my understanding is that you ID vulnerabilities and threat sources and then use the 3x3 matrix to calculate the risk level of that particular threat/vulnerability pair. this helps you prioritize which should be fixed first.

someone else i'm working with says that you tally up all your vulnerabilities, which you score as low, medium, or high based on the criticality levels in ISS scanner or whatever. then you plug those numbers into the 3x3 matrix and calculate an overall risk level for the whole system. so if you have 50 low-impact vulns that have a medium likelihood and 200 high-impact vulnerabilities that have a medium likelihood rating, then you would end up with:
50 x 5 = 250
200 x 50 = 10000
250 + 10000 = 10250

i say when you score a 10250 on a scale that only goes from 1 to 100 you need to re-evaluate the way you're doing things, but they're stubborn. can anyone provide some input here?
 
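Added example (not part of the original post, and not NIST's code): the 3x3 matrix from SP 800-30 (2002), Table 3-6, applied per threat/vulnerability pair the way the post describes. The likelihood weights (Low 0.1, Medium 0.5, High 1.0), impact scores (Low 10, Medium 50, High 100) and the Low/Medium/High bands (1-10, >10-50, >50-100) are the published table values; the findings are constructed sample data, and the 50+200 set reproduces the arithmetic quoted in the post so you can see that the summed figure is not a value on the matrix scale.

```python
"""Per-pair risk scoring with the NIST SP 800-30 (2002) 3x3 risk-level matrix."""
from dataclasses import dataclass

# SP 800-30 (2002), Table 3-6: likelihood weight x impact score = risk score (1..100).
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk score for ONE threat/vulnerability pair. Always lands in 1..100."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a matrix score to the SP 800-30 band: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    """One threat-source / vulnerability pair (constructed sample data, not from the post)."""
    threat_source: str
    vulnerability: str
    likelihood: str
    impact: str


def assess(findings):
    """Score every pair on its own and rank highest risk first; this is the
    prioritization the matrix is meant to give you."""
    rows = []
    for f in findings:
        s = risk_score(f.likelihood, f.impact)
        rows.append((f, s, risk_level(s)))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def tally_total(findings) -> float:
    """The aggregation described in the post: add up every pair's score.
    Returned only so the result can be compared against the 1..100 scale."""
    return sum(risk_score(f.likelihood, f.impact) for f in findings)


# Constructed: a handful of named pairs to rank.
SAMPLE = [
    Finding("external attacker", "unpatched web server", "High", "High"),
    Finding("insider", "shared admin password", "Medium", "High"),
    Finding("malware", "missing AV signatures", "Medium", "Low"),
    Finding("environmental", "no UPS on test box", "Low", "Medium"),
]

# Constructed to match the post's numbers: 50 low-impact/medium-likelihood
# and 200 high-impact/medium-likelihood findings.
POST_FINDINGS = (
    [Finding("scanner", f"low-{i}", "Medium", "Low") for i in range(50)]
    + [Finding("scanner", f"high-{i}", "Medium", "High") for i in range(200)]
)


if __name__ == "__main__":
    for f, s, lvl in assess(SAMPLE):
        print(f"{lvl:6} {s:5.1f}  {f.threat_source} -> {f.vulnerability}")
    print("per-pair scores all within 1..100:",
          all(1 <= s <= 100 for _, s, _ in assess(POST_FINDINGS)))
    print("summed total from the post's method:", tally_total(POST_FINDINGS))
```

Every pair's score stays inside the 1-100 band the matrix defines, so the per-pair rows are the thing you sort and prioritize on; the summed total of 10250 has no band to map into, which is exactly the mismatch the post points out.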