Quiz Entry - updated: 2026.07.05
What are the four factor groups in OWASP Risk Rating?
Threat Agent, Vulnerability, Technical Impact, and Business Impact — likelihood comes from the first two, impact from the last two.
* OWASP Risk Rating — Likelihood (threat-agent + vulnerability factors) times Impact (technical + business factors). *
OWASP Risk Rating uses 4 x 4 factors (each scored 1-9 points):
-
Threat Agent Factors:
- Skill level
- Motive
- Opportunity
- Size (of threat agent group)
-
Vulnerability Factors:
- Ease of discovery
- Ease of exploit
- Awareness
- Intrusion detection
-
Technical Impact:
- Loss of confidentiality
- Loss of integrity
- Loss of availability
- Loss of accountability
-
Business Impact:
- Financial damage
- Reputation damage
- Non-compliance
- Privacy violation
Calculation: Average each group → Likelihood = avg(Threat Agent, Vulnerability), Impact = avg(Technical, Business) → Plot on Risk Matrix.
Key difference from DREAD: OWASP considers business impact separately from technical impact, giving a more complete picture.
See: OWASP Risk Rating Methodology
Go deeper:
OWASP Risk Rating Methodology — the Threat-Agent / Vulnerability / Technical / Business factor model; Risk = Likelihood × Impact.
NIST SP 800-30 — Guide for Conducting Risk Assessments — the formal standard OWASP names as an alternative.
Risk matrix (Wikipedia) — how a likelihood band and an impact band combine on a severity grid.