14 ◾ Ethical Hacking and Penetration Testing Guide

Risk Assessment

Risk assessment, as defined before, is the analysis part of the report. It is very crucial for the customer, because they want to know the intensity of the damage the vulnerabilities are likely to cause; similarly, the security executives want to know how their team is performing.
Risk Assessment Matrix

When we talk about risk assessment analysis in terms of a penetration test, we compare the "likelihood of the occurrence" with the "impact caused by the occurrence."

The following is a "hazard risk assessment matrix" derived from MIL-STD-882B; it is an excellent method for demonstrating risk to the customer. In the following matrix the "frequency of occurrence," that is, how likely the vulnerability is to occur, is compared with the four hazard categories "catastrophic," "critical," "serious," and "minor." This is something you should definitely include in your penetration testing report.
Hazard risk assessment matrix

                                          Hazard Categories
Frequency of Occurrence   1 Catastrophic   2 Critical   3 Serious   4 Minor
(A) Frequent              1A               2A           3A          4A
(B) Probable              1B               2B           3B          4B
(C) Occasional            1C               2C           3C          4C
(D) Remote                1D               2D           3D          4D
(E) Improbable            1E               2E           3E          4E

Each cell (hazard risk index) is rated as one of four risk levels: Unacceptable, High, Medium, Low.

(From http://www.sms-ink.com.)
After including the risk assessment matrix, you should write a line or two describing the total risk, for example:

Based upon the comparison of the vulnerabilities that were determined, their likelihood, and their impact, we conclude that the overall risk is high and the risk percentage was determined to be 82%.
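The matrix lookup and the roll-up to a single overall risk statement, as an added example that is not part of the book. The page does not reproduce the shading of the matrix, so the cell-to-level mapping below is an assumption modelled on the MIL-STD-882B hazard risk index bands, relabelled with the four level names used above; the roll-up rule (worst cell wins) and the sample findings are constructed for illustration.

```python
# Hazard risk index roll-up for a pentest report (added example, not from the book).
# Assumption: the matrix shading is not legible on the page, so cell-to-level
# mapping follows the MIL-STD-882B hazard risk index bands, relabelled.
from collections import Counter

CATEGORIES = {1, 2, 3, 4}        # 1 Catastrophic, 2 Critical, 3 Serious, 4 Minor
FREQUENCIES = set("ABCDE")       # A Frequent ... E Improbable
LEVEL_ORDER = ["Low", "Medium", "High", "Unacceptable"]

# Assumed matrix shading (MIL-STD-882B bands, relabelled to the page's names).
LEVEL_OF_CELL = {
    cell: level
    for level, cells in {
        "Unacceptable": "1A 1B 1C 2A 2B 3A",
        "High": "1D 2C 2D 3B 3C",
        "Medium": "1E 2E 3D 3E 4A 4B",
        "Low": "4C 4D 4E",
    }.items()
    for cell in cells.split()
}


def risk_index(category: int, frequency: str) -> str:
    """Return the matrix cell code, e.g. (2, 'b') -> '2B', rejecting bad axes."""
    frequency = frequency.upper()
    if category not in CATEGORIES:
        raise ValueError(f"hazard category must be 1-4, got {category!r}")
    if frequency not in FREQUENCIES:
        raise ValueError(f"frequency must be A-E, got {frequency!r}")
    return f"{category}{frequency}"


def risk_level(category: int, frequency: str) -> str:
    return LEVEL_OF_CELL[risk_index(category, frequency)]


def overall_risk(findings):
    """Worst single cell wins: one Unacceptable finding makes the report Unacceptable."""
    counts = Counter(risk_level(cat, freq) for _, cat, freq in findings)
    worst = max(counts, key=LEVEL_ORDER.index) if counts else "Low"
    return worst, dict(counts)   # level plus per-level counts to justify it


# Constructed sample findings (name, hazard category, frequency), not from any engagement.
SAMPLE_FINDINGS = [
    ("SQL injection in login form", 1, "B"),
    ("Outdated TLS configuration", 3, "C"),
    ("Verbose server banner", 4, "A"),
    ("Default credentials on test host", 2, "D"),
]
```

Running `overall_risk(SAMPLE_FINDINGS)` gives the level to quote in the summary line and the count of findings behind it.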