Quantitative vs. qualitative risk analysis
Quantitative risk analysis assigns monetary values to the components of risk. It is composed of three steps:
I. Assessing the value of the asset (AV).
II. Calculating the single loss expectancy (SLE), where SLE = AV x EF. EF is the exposure factor, the percentage of the asset value lost in a single incident.
III. Calculating the annualized loss expectancy (ALE), where ALE = SLE x ARO. ARO is the annualized rate of occurrence, the expected number of incidents per year (an ARO of 0.5 means one incident every two years).
The ALE is the yardstick for cost/benefit analysis: a countermeasure should not cost more per year than the ALE it removes. More precisely, the annual value of a countermeasure is the ALE before it is deployed, minus the ALE after, minus its annual cost; if that value is negative, the control costs more than the risk it mitigates. Here you can read more about quantitative risk analysis.
Qualitative risk analysis is opinion based. Instead of monetary values it uses ordinal rating values (such as high, medium, low) to evaluate the risk level. The DREAD model can be used to perform qualitative risk analysis. Another approach is the Common Vulnerability Scoring System (briefly described in section 5 of this article).
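The three steps above, carried through to the countermeasure decision, as an added example that is not code from the original article. The asset value, exposure factor, ARO and the two candidate controls are constructed for illustration; the value of a control is computed as ALE before minus ALE after minus the control's annual cost, which is the cost/benefit rule the text describes.

```python
"""Quantitative risk analysis: SLE, ALE and countermeasure cost/benefit.

Added example, not code from the original article. All asset values,
exposure factors, rates and control costs below are constructed for
illustration.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction (0.0-1.0) of the asset value lost in one incident."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is the expected number of incidents per year (0.5 = one every two years)."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Countermeasure:
    """A candidate control and the residual EF and ARO expected once it is in place."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float


def countermeasure_value(asset_value: float, ef: float, aro: float, cm: Countermeasure) -> float:
    """Annual value of a control = ALE(before) - ALE(after) - annual cost of the control.

    Positive: the control removes more expected loss than it costs.
    Negative: it costs more per year than the risk it mitigates, so it is not
    justified on cost/benefit grounds alone.
    """
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, cm.residual_ef), cm.residual_aro)
    return ale_before - ale_after - cm.annual_cost


def best_countermeasure(asset_value: float, ef: float, aro: float, options: list):
    """Return the option with the highest annual value, or None if no option is worth deploying."""
    if not options:
        return None
    best = max(options, key=lambda cm: countermeasure_value(asset_value, ef, aro, cm))
    return best if countermeasure_value(asset_value, ef, aro, best) > 0 else None


# Constructed scenario: a customer database valued at 200,000; a breach exposes
# 25% of that value and is expected once every two years.
ASSET_VALUE = 200_000.0
EF = 0.25
ARO = 0.5

OPTIONS = [
    # cheap control that mostly prevents incidents but does not reduce the damage of one
    Countermeasure("web application firewall", annual_cost=8_000.0, residual_ef=0.25, residual_aro=0.1),
    # expensive control that reduces both likelihood and damage
    Countermeasure("full application rewrite", annual_cost=40_000.0, residual_ef=0.05, residual_aro=0.1),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EF)
    ale = annualized_loss_expectancy(sle, ARO)
    print(f"SLE = {sle:,.0f}  ALE = {ale:,.0f}")
    for cm in OPTIONS:
        print(f"{cm.name}: annual value {countermeasure_value(ASSET_VALUE, EF, ARO, cm):,.0f}")
    chosen = best_countermeasure(ASSET_VALUE, EF, ARO, OPTIONS)
    print("choose:", chosen.name if chosen else "no control is cost-justified")
```

With these constructed figures the SLE is 50,000 and the ALE 25,000 per year. The firewall is worth 12,000 per year (25,000 - 5,000 - 8,000), while the rewrite is worth -16,000 (25,000 - 1,000 - 40,000): it removes more risk, but its annual cost exceeds the whole ALE, which is exactly the case the text warns against.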
The DREAD model
It takes into account the following items:
Damage potential (How much are the assets affected?)
Reproducibility (How easily can the attack be reproduced?)
Exploitability (How easily can the attack be launched?)
Affected users (How many users are affected?)
Discoverability (How easily can the vulnerability be found?)
The threat is rated by answering the questions above and assigning a rating value to every item: high, medium or low. The rating values represent severity and are expressed as numbers (3 for high, 2 for medium, 1 for low). The risk rating is obtained by adding the rating values of all five items, which gives a sum between 5 and 15, and comparing the result with the following table (the standard DREAD thresholds):
Sum of ratings   Risk rating
12-15            High
8-11             Medium
5-7              Low
Because every item is an opinion, two analysts can rate the same threat differently; the value of DREAD is in making those opinions explicit per item, so the disagreement can be discussed, rather than in the precision of the number.
Case analysis with the DREAD model
An example vulnerability in a web application is used to show how DREAD works in practice. Please keep in mind that DREAD is not limited to web application vulnerabilities. Cross-site request forgery in the admin panel allows the attacker to add a new user and to delete an existing user or all users. The ratings for the items in the DREAD model are:
Item                Rating
Damage potential    medium (2)
Reproducibility     medium (2)
Exploitability      high (3)
Affected users      high (3)
Discoverability     high (3)
Adding all ratings gives the risk rating. The sum is 13 (risk rating: high).
Explanation: The admin has to visit the attacker's website for the attack to succeed, so reproducibility is medium. The attacker can delete all users, making the system unavailable to them, so affected users is high. Deleting all users does not delete all data in the system, so the impact on integrity is partial; and there is no impact on confidentiality, provided that the added user does not have read permissions by default. Damage potential is therefore medium. The vulnerability is easily discovered and exploited (no CSRF token, and no re-authentication or password confirmation for the sensitive action), so discoverability and exploitability are high.
Common vulnerability scoring system (CVSS) version 2.0
Let's briefly discuss another approach to qualitative risk analysis. CVSS version 2.0 is an open framework for scoring the severity of IT vulnerabilities. It is composed of three metric groups:
I. Base: the fundamental, unchanging characteristics of the vulnerability, its exploitability and its impact.
II. Temporal: characteristics that change over time; for example, the score decreases once an official patch is available.
III. Environmental: characteristics specific to the user's environment; for example, the more of the organization's systems are affected by the vulnerability, the higher the score.
Let's focus on the base metrics, which are composed of:
Exploitability metrics: Access Vector (AV), Access Complexity (AC), Authentication (Au)
Impact metrics: Confidentiality (C), Integrity (I), Availability (A)
Each metric is assigned one of a fixed set of values (for example Access Vector is Local, Adjacent Network or Network; each impact metric is None, Partial or Complete), and the chosen values are usually written as a vector such as AV:N/AC:M/Au:N/C:N/I:P/A:N. Each value corresponds to a number defined in the specification, and the base score is calculated from the exploitability and impact subscores. It ranges from 0 to 10, where 10 means the highest severity. This is how CVSS version 2.0 basically works. Note that version 2.0 has since been superseded by CVSS v3.x and v4.0, which change the metrics and the equations but keep the same three-group structure. Here you can read more about the Common Vulnerability Scoring System.
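The CSRF case from the DREAD section, scored both with DREAD and with the CVSS v2.0 base equation, as an added example that is not code from the original article. The DREAD ratings are the ones the case analysis gives; the CVSS v2 vector chosen for the same case, AV:N/AC:M/Au:N/C:N/I:P/A:P, is an assumption made here (the attacker needs no account of their own, the admin must be lured to a page, integrity and availability are partially affected). The metric values and equation constants are those published in the CVSS v2.0 specification.

```python
"""Scoring one vulnerability two ways: DREAD rating and CVSS v2.0 base score.

Added example, not code from the original article. The DREAD ratings are the
article's CSRF-in-admin-panel case; the CVSS v2 vector chosen for that same
case is an assumption made here. Metric values and equation constants are
those of the CVSS v2.0 specification.
"""
from decimal import Decimal, ROUND_HALF_UP

# ---- DREAD: five items rated high (3), medium (2) or low (1), summed to 5-15 ----
DREAD_ITEMS = ("damage_potential", "reproducibility", "exploitability",
               "affected_users", "discoverability")
DREAD_LEVELS = {"high": 3, "medium": 2, "low": 1}


def dread_score(ratings: dict) -> int:
    """Sum the five item ratings; refuse incomplete or unknown items so a missing item cannot silently lower the total."""
    if set(ratings) != set(DREAD_ITEMS):
        raise ValueError(f"ratings must cover exactly {DREAD_ITEMS}")
    return sum(DREAD_LEVELS[ratings[item]] for item in DREAD_ITEMS)


def dread_risk(total: int) -> str:
    """Map the sum onto the standard DREAD bands: 12-15 high, 8-11 medium, 5-7 low."""
    if not 5 <= total <= 15:
        raise ValueError("DREAD sum must be between 5 and 15")
    if total >= 12:
        return "high"
    if total >= 8:
        return "medium"
    return "low"


# ---- CVSS v2.0 base metrics: numeric values from the v2.0 specification ----
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # Local, Adjacent network, Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # High, Medium, Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # Multiple, Single, None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # None, Partial, Complete (for C, I and A)


def parse_cvss2_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:M/Au:N/C:N/I:P/A:P' into {metric: value letter}, rejecting malformed vectors."""
    try:
        metrics = dict(part.split(":", 1) for part in vector.split("/"))
    except ValueError:
        raise ValueError(f"malformed CVSS v2 vector: {vector!r}")
    if set(metrics) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"vector must contain exactly the six base metrics: {vector!r}")
    return metrics


def cvss2_subscores(vector: str) -> tuple:
    """Return (impact, exploitability) subscores, each on a 0-10 scale."""
    m = parse_cvss2_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    return impact, exploitability


def cvss2_base_score(vector: str) -> float:
    """CVSS v2.0 base score, 0.0-10.0, rounded to one decimal as the specification requires."""
    impact, exploitability = cvss2_subscores(vector)
    f_impact = 0.0 if impact == 0 else 1.176   # no impact on C, I or A means a score of 0
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# The article's CSRF case, rated as in its explanation.
CSRF_DREAD = {
    "damage_potential": "medium",   # integrity partial, no confidentiality impact
    "reproducibility": "medium",    # the admin must visit the attacker's page
    "exploitability": "high",
    "affected_users": "high",       # all users can be deleted
    "discoverability": "high",      # no CSRF token, no re-authentication
}
# Assumption: admin interaction required -> AC:M; attacker needs no account -> Au:N
CSRF_CVSS2 = "AV:N/AC:M/Au:N/C:N/I:P/A:P"

if __name__ == "__main__":
    total = dread_score(CSRF_DREAD)
    print(f"DREAD: {total} -> {dread_risk(total)}")
    impact, exploitability = cvss2_subscores(CSRF_CVSS2)
    print(f"CVSS v2 {CSRF_CVSS2}: impact {impact:.1f}, exploitability {exploitability:.1f}, "
          f"base {cvss2_base_score(CSRF_CVSS2)}")
```

The same vulnerability lands at 13 (high) in DREAD and 5.8 in CVSS v2 (or 4.3 if availability is rated None, which is the textbook CSRF vector), which illustrates the difference between the two methods: DREAD folds exploitability and impact into one coarse band, while CVSS keeps them as separate subscores and only then combines them, so two vulnerabilities with the same band in DREAD can be distinguished by their vectors.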
Summary
Two types of risk analysis were introduced (quantitative and qualitative). It was shown how to perform qualitative risk analysis with the DREAD model, using a CSRF vulnerability as the worked case. Finally, the Common Vulnerability Scoring System version 2.0 was briefly described as another approach to qualitative risk analysis.
Sources
DREAD model
A Complete Guide to the Common Vulnerability Scoring System Version 2.0
Quantitative risk analysis
Common Vulnerability Scoring System