OWASP / threat-dragon

An open source threat modeling tool from OWASP
https://owasp.org/www-project-threat-dragon/
Apache License 2.0

principle behind severity? #149

Closed jgadsden closed 2 years ago

jgadsden commented 4 years ago

This issue has been migrated from https://github.com/mike-goodwin/owasp-threat-dragon-core/issues/77 and was opened by @dschadt:

This is probably the wrong place to ask questions like this but I didn't find another place.

Severity can be rated in 3 levels. It looks very similar to TMT priority. What exactly is the practical use of severity? From a classical risk-oriented approach, a priority is similar to a resulting risk, with different levels before and after mitigation. Before mitigation it helps to prioritize activities applying countermeasures. Risk is defined as a product of impact and likelihood, if you want to simplify. Impact, in my opinion, is simply characterized by the sensitivity of the data processed in the data flow and a broken SLA. Both are different (business) impacts to be referenced to the character of the STRIDE attack vector. The other dimension, likelihood, is just a guess at how easy it is to materialize the threat. If possible I try to set up likelihood and impact based on the company's risk definition and throw out the risk level as a result. Using priority, TMT had the "problem" that it was set up by guessing, not having a basis in risk assessment. Therefore it produced no real value for me. I changed it to calculate risks in a spreadsheet instead of prioritizing within TMT. It would be helpful to know what the reason is for implementing severity this way.
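
The risk calculation the comment above describes (impact from data sensitivity and SLA, likelihood as a guess, a product before and after mitigation) can be written down so that it feeds Threat Dragon's three severity levels. The following is an added example, not Threat Dragon's code and not the commenter's spreadsheet: it assumes ordinal 1..3 scales, a 1..9 product mapped onto Low/Medium/High, and an illustrative rule for which business impact each STRIDE category hits. The threat register is constructed sample data.

```python
"""Risk-scored threat register that derives a three-level severity.

Added example, not part of Threat Dragon.  Assumptions: impact and
likelihood on ordinal 1..3 scales, risk = impact x likelihood (1..9),
and the bucket thresholds in severity() are chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import List

LEVEL = {"low": 1, "medium": 2, "high": 3}

# Assumed rule for which business impact a STRIDE category primarily hits:
#   I (information disclosure), T (tampering), E (elevation) -> data sensitivity
#   D (denial of service)                                      -> broken SLA
#   S (spoofing), R (repudiation)                              -> worse of the two
STRIDE_IMPACT = {"I": "data", "T": "data", "E": "data",
                 "D": "sla", "S": "both", "R": "both"}


@dataclass
class Mitigation:
    name: str
    likelihood_reduction: int  # steps removed from the 1..3 likelihood scale


@dataclass
class Threat:
    title: str
    stride: str            # one of S T R I D E
    data_sensitivity: str  # low / medium / high, for data on the flow
    sla_impact: str        # low / medium / high, effect of a broken SLA
    likelihood: str        # low / medium / high, before any mitigation
    mitigations: List[Mitigation] = field(default_factory=list)


def impact(t: Threat) -> int:
    """Pick the business impact that matches the STRIDE category."""
    kind = STRIDE_IMPACT[t.stride]
    data, sla = LEVEL[t.data_sensitivity], LEVEL[t.sla_impact]
    if kind == "data":
        return data
    if kind == "sla":
        return sla
    return max(data, sla)


def residual_likelihood(t: Threat) -> int:
    """Likelihood after mitigations, never below 1 (a threat never vanishes)."""
    reduction = sum(m.likelihood_reduction for m in t.mitigations)
    return max(1, LEVEL[t.likelihood] - reduction)


def risk(impact_score: int, likelihood_score: int) -> int:
    return impact_score * likelihood_score  # 1..9


def severity(score: int) -> str:
    """Bucket a 1..9 risk score into three severity levels (assumed thresholds)."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def assess(t: Threat) -> dict:
    """Inherent (before mitigation) and residual (after) risk and severity."""
    imp = impact(t)
    before = risk(imp, LEVEL[t.likelihood])
    after = risk(imp, residual_likelihood(t))
    return {"title": t.title, "impact": imp,
            "inherent_risk": before, "inherent_severity": severity(before),
            "residual_risk": after, "residual_severity": severity(after)}


def prioritised(register: List[Threat]) -> List[dict]:
    """Highest inherent risk first: the order in which to apply countermeasures."""
    return sorted((assess(t) for t in register), key=lambda r: -r["inherent_risk"])


# Constructed sample register (not real findings).
REGISTER = [
    Threat("Card data read from API -> DB flow", "I", "high", "low", "medium",
           [Mitigation("TLS with mutual auth", 1)]),
    Threat("Payment API flooded", "D", "low", "high", "high",
           [Mitigation("Rate limiting", 1), Mitigation("Autoscaling", 1)]),
    Threat("Unsigned audit log entries", "R", "medium", "low", "low", []),
]

if __name__ == "__main__":
    for row in prioritised(REGISTER):
        print(row)
```

The point of keeping impact and likelihood as separate inputs is that the severity label becomes an output of the company's risk definition rather than a guess typed straight into the tool; changing the thresholds in severity() re-labels every threat consistently.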

lreading commented 2 years ago

@jgadsden - Can this be closed in favor of #197?

jgadsden commented 2 years ago

Yes, sure, this can be closed