Below is a table we can calculate the P = Probability with.
So for the auditor to estimate the probability he has to consider several factors,
a) The knowledge requires to have a working exploit on the specified flaw. So the more the knowledge required the higher the probability.
b) The resource required to attack and exploit the flaw will also major out on the probability, the fewer the resource the higher the probability.
c) The duration required to exploit the flaw, if the intruder would take a short time, then the probability goes higher.
d) Also how important the target is, e.g a Banking server, where most attackers would wont to fully exploit flaws makes the P vary alot. The more attractive the system is the higher the probability
e) How well the asset is protected, physical and operation wise, if lower the protection the higher the probability.
f) Environmental, political, weather also affects the probability variations
So probability is a way of looking at a view of the like hood a risk might happen, while severity will evaluate the level of impact on the asset and organization if it takes place.
So for the auditor to estimate the severity he has to consider several factors,
a) The degree of impairment of the reliability of the process results or information as well as the systems or related environment supported by the asset.
b) Degree of impairment of the assets performance.
c) The impairment of the quality of services, systems and information.
Thirdly is the relevance of the asset, where the importance of it is valued and what it supports to the business/organization.
So now we can multiply the values to calculate the PSR of an asset after we have defined them.
1, 2, 3, 4, 5, 6
8, 9, 10, 12, 15, 16
18, 20, 24, 25, 27, 30
32, 36, 40, 45, 48, 50
60, 64, 75, 80, 100, 125