LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What are the four factor groups in OWASP Risk Rating?

Threat Agent, Vulnerability, Technical Impact, and Business Impact — likelihood comes from the first two, impact from the last two.

Risk = Likelihood (Threat Agent + Vulnerability) × Impact (Technical + Business).

* OWASP Risk Rating — Likelihood (threat-agent + vulnerability factors) times Impact (technical + business factors). *

OWASP Risk Rating uses 4 x 4 factors (each scored 1-9 points):

  1. Threat Agent Factors:

    • Skill level
    • Motive
    • Opportunity
    • Size (of threat agent group)
  2. Vulnerability Factors:

    • Ease of discovery
    • Ease of exploit
    • Awareness
    • Intrusion detection
  3. Technical Impact:

    • Loss of confidentiality
    • Loss of integrity
    • Loss of availability
    • Loss of accountability
  4. Business Impact:

    • Financial damage
    • Reputation damage
    • Non-compliance
    • Privacy violation

Calculation: Average each group → Likelihood = avg(Threat Agent, Vulnerability), Impact = avg(Technical, Business) → Plot on Risk Matrix.

Key difference from DREAD: OWASP considers business impact separately from technical impact, giving a more complete picture.

See: OWASP Risk Rating Methodology

Go deeper:

From Quiz: SPRG / Mitigation and Risk Analysis | Updated: Jul 05, 2026