What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems: I simulate an organized, professional attack against your organization, after which a detailed report summarizing the weaknesses and exploited vectors is delivered. This will help you gain control over your infrastructure's security and maximize your protection.

Wednesday, August 10, 2011

Calculating PSR and the Reason to

So what is PSR, and what does it stand for? In short, P means Probability, S is Severity and R is Relevance. The metric looks at the probability that the vulnerabilities found can be exploited (with ease, or only after a lot of trial and error), at the severity of the impact they would cause to the organization if exploited, and at the relevance of the affected asset to the organization.

Below is the table we use to estimate P, the Probability.


The likelihood that the risk will take place:

5 - Very High: almost certain (P > 95%)
4 - High: very likely (65% < P ≤ 95%)
3 - Medium: likely (35% < P ≤ 65%)
2 - Low: not very likely (5% < P ≤ 35%)
1 - Very Low: unlikely (P ≤ 5%)

To estimate the probability, the auditor has to consider several factors:

a) The knowledge required to have a working exploit for the flaw: the more specialized knowledge an attacker needs, the lower the probability.
b) The resources required to attack and exploit the flaw also weigh heavily on the probability: the fewer the resources needed, the higher the probability.
c) The time required to exploit the flaw: if an intruder can exploit it quickly, the probability goes up.
d) How attractive the target is. A banking server, for example, which most attackers would want to fully exploit, makes P vary a lot: the more attractive the system, the higher the probability.
e) How well the asset is protected, both physically and operationally: the weaker the protection, the higher the probability.
f) Environmental and political conditions, and even the weather, also cause the probability to vary.

So probability gives a view of the likelihood that a risk will happen, while severity evaluates the level of impact on the asset and the organization if it does.


The risk taking place will cause:

5 - Very High: major impairment
4 - High: very severe impairment
3 - Medium: severe impairment
2 - Low: less severe impairment
1 - Very Low: almost no impairment

To estimate the severity, the auditor has to consider several factors:
a) The degree of impairment of the reliability of the process results or information, as well as of the systems or related environment supported by the asset.
b) The degree of impairment of the asset's performance.
c) The impairment of the quality of services, systems and information.

Thirdly there is the relevance of the asset, where its importance and what it supports in the business/organization are valued.


The asset's impairment:

5 - Very High: may affect the entire organization, and losses will be extremely high
4 - High: may affect one or more of the organization's businesses, and losses will be high
3 - Medium: may affect a part of the organization's business, and losses will be considerable
2 - Low: may affect a small and localized part of the organization, and losses will be low
1 - Very Low: may affect a very small and localized part of the organization's business, and losses will be minimal

Once the three values have been defined, we multiply them to calculate the PSR of the asset: PSR = P × S × R.

Risk Level - Possible PSR Values

Very Low - 1, 2, 3, 4, 5, 6
Low - 8, 9, 10, 12, 15, 16
Medium - 18, 20, 24, 25, 27, 30
High - 32, 36, 40, 45, 48, 50
Very High - 60, 64, 75, 80, 100, 125

So the PSR scale tops out at 125 (5 × 5 × 5). Only 30 distinct products of three values from 1 to 5 exist, and the table simply splits those 30 values into five groups of six, so the bands are not of equal width: 4 × 4 × 4 = 64, for example, falls in Very High.
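The calculation and band table above, as an added worked example in Python that is not part of the original post: it computes PSR for a finding, maps the product onto the bands exactly as the table lists them, enumerates all 125 (P, S, R) combinations to show that only 30 distinct products occur and how many combinations land in each band, and ranks a small set of findings worst first. The sample findings, the function names and the tie-breaking rule are assumptions made for illustration; the band labels Low, Medium and High for the three middle rows are taken from the order of the rating scale.

```python
from itertools import product

# Rating scale used for P, S and R alike (1 = Very Low ... 5 = Very High).
SCALE = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}

# Risk bands copied from the post's PSR table. The post leaves the three
# middle labels blank; Low / Medium / High are filled in from the scale order.
PSR_BANDS = {
    "Very Low":  {1, 2, 3, 4, 5, 6},
    "Low":       {8, 9, 10, 12, 15, 16},
    "Medium":    {18, 20, 24, 25, 27, 30},
    "High":      {32, 36, 40, 45, 48, 50},
    "Very High": {60, 64, 75, 80, 100, 125},
}


def psr(p, s, r):
    """PSR = P * S * R, after checking each factor is on the 1..5 scale."""
    for name, value in (("P", p), ("S", s), ("R", r)):
        if value not in SCALE:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return p * s * r


def risk_level(score):
    """Map a PSR product onto the post's five bands."""
    for level, members in PSR_BANDS.items():
        if score in members:
            return level
    raise ValueError(f"{score} is not a product of three values in 1..5")


def all_combinations():
    """Every ordered (P, S, R) triple with its PSR product and band."""
    rows = []
    for p, s, r in product(SCALE, repeat=3):
        score = psr(p, s, r)
        rows.append((p, s, r, score, risk_level(score)))
    return rows


def distinct_products():
    """The distinct PSR values that can actually occur (30 of them, max 125)."""
    return sorted({row[3] for row in all_combinations()})


def band_counts():
    """How many of the 125 (P, S, R) combinations fall into each band."""
    counts = {level: 0 for level in PSR_BANDS}
    for row in all_combinations():
        counts[row[4]] += 1
    return counts


def rank_findings(findings):
    """Score a list of (name, P, S, R) findings and order them worst first.

    Ties are broken by Severity, then Probability (an assumption of this
    example), so that of two findings with equal PSR the more damaging one
    is reported first.
    """
    scored = []
    for name, p, s, r in findings:
        score = psr(p, s, r)
        scored.append({"finding": name, "P": p, "S": s, "R": r,
                       "PSR": score, "level": risk_level(score)})
    return sorted(scored, key=lambda f: (f["PSR"], f["S"], f["P"]), reverse=True)


# Constructed sample findings (hypothetical, not from the post), in the
# (name, P, S, R) shape that rank_findings expects.
SAMPLE_FINDINGS = [
    ("Default credentials on internet-facing admin console", 5, 5, 5),
    ("Unauthenticated SQL injection in customer portal", 4, 4, 4),
    ("Outdated TLS configuration on intranet wiki", 3, 2, 2),
    ("Verbose error pages on marketing site", 2, 1, 1),
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE_FINDINGS):
        print(f"{f['PSR']:>4}  {f['level']:<9}  "
              f"P={f['P']} S={f['S']} R={f['R']}  {f['finding']}")
    print("Distinct PSR values:", len(distinct_products()),
          "max", max(distinct_products()))
    print("Combinations per band:", band_counts())
```

Running the script prints the ranked findings, confirms that 125 combinations collapse to 30 distinct products, and shows the uneven split of combinations across the five bands; `risk_level(64)` returns "Very High", which is the band the table assigns to the all-High case.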


1 comment:

TMourao said...

Unfortunately, I have to disagree with you on some of those brackets, especially in the PSR table.
Look at what I mean: if you assume that all those metrics P, S and R have a scale from 1 to 5, where 1 is "Very Low" and 5 is "Very High", and the PSR is the product of this calculation, calculate this PSR:

P = 4 (High)
S = 4 (High)
R = 4 (High)
4 * 4 * 4 = 64

If you look back at the PSR table, you will find that 64 is "Very High", not "High" as it is supposed to be.

Think about that.