The attributes of a check that are used to calculate the risk are known as the risk attributes.
A check has the following risk attributes:
This attribute measures the impact to confidentiality if a specified check fails.
Confidentiality is the act of limiting the access and disclosure of information to only authorized users. Unauthorized disclosure of confidential information can lead to security risk, loss of public confidence, or legal action against the organization.
This attribute can be assigned the following values:
This attribute measures the impact to integrity if a specified check fails.
Integrity refers to the genuineness of the information. Integrity dictates that information must be protected from improper modification. Integrity is lost if unauthorized changes are made to the data by either intentional or accidental acts. Continuous use of corrupted data can result in inaccuracy, fraud, or erroneous decisions.
This attribute can be assigned the following values:
This attribute measures the impact to availability if a specified check fails.
Availability refers to the accessibility of information resources. Attacks that consume network bandwidth, processor cycles, or disk space affect the availability of a system. If a mission-critical asset is unavailable to its end users, the mission of the organization may be affected.
This attribute can be assigned the following values:
This attribute reflects how a vulnerability is exploited in a system.
According to the type of access that is required for the attacker to exploit the vulnerability, this attribute can be assigned the following values:
This attribute measures the complexity of the attack that is required to exploit the vulnerability in a system.
The possible values for this attribute are as follows:
This attribute measures the number of times an attacker must authenticate to a target to exploit the vulnerability. This attribute does not measure the strength or complexity of the authentication process. Authentication gauges only whether an attacker is required to provide credentials before exploiting the vulnerability.
The possible values for this attribute are as follows: