Reply to post: The logical next step is the two-dimensional risk rating approach

We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

sbt
Boffin

The logical next step is the two-dimensional risk rating approach

This is already well established; risks are assessed both on likelihood and consequence. So this could capture how vulnerable the issue makes a system (e.g. ease of exploit, local access required, etc.) as well as the severity or harm if exploited.

It's a reasonable criticism that 1-10 over-simplifies, but you don't want to over-complicate things, either; that way lies analysis paralysis.
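An added illustration of the two-axis idea from the comment above (this is example code written for this page, not sbt's or The Register's). It assumes the "out of 10" scale under discussion is the CVSS v3.1 base score (scope unchanged only), uses that specification's published weights to split a finding into its exploitability (likelihood) and impact (consequence) sub-scores, and then shows two constructed findings that collapse to the same 6.5 yet sit at opposite corners of the likelihood/consequence grid. The Low/Medium/High band thresholds are this example's own choice, not part of any standard.

```python
import math

# Added example, not code from the original page. CVSS v3.1 base metric weights
# (scope unchanged), used here only to separate "how likely" from "how bad".
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}   # attack vector
AC = {"L": 0.77, "H": 0.44}                          # attack complexity
PR = {"N": 0.85, "L": 0.62, "H": 0.27}               # privileges required (S:U weights)
UI = {"N": 0.85, "R": 0.62}                          # user interaction
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}               # confidentiality/integrity/availability


def parse_vector(vector):
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into a dict of metric -> value letter."""
    parts = vector.split("/")
    if not parts or not parts[0].startswith("CVSS:3."):
        raise ValueError("expected a CVSS v3.x vector string")
    metrics = dict(p.split(":", 1) for p in parts[1:])
    if metrics.get("S") != "U":
        raise ValueError("this example only handles scope unchanged (S:U)")
    return metrics


def roundup(x):
    """CVSS v3.1 Roundup: smallest value with one decimal place that is >= x."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def axes(vector):
    """Return (exploitability, impact): the likelihood and consequence sub-scores."""
    m = parse_vector(vector)
    exploitability = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["PR"]] * UI[m["UI"]]
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    impact = 6.42 * iss
    return exploitability, impact


def base_score(vector):
    """The one-dimensional 0-10 number that folds both axes together."""
    exploitability, impact = axes(vector)
    if impact <= 0:
        return 0.0
    return roundup(min(exploitability + impact, 10))


def band(value, medium, high):
    return "High" if value >= high else "Medium" if value >= medium else "Low"


def two_dimensional_rating(vector):
    """(likelihood band, consequence band). Exploitability tops out at ~3.9 and
    impact at ~5.9 for S:U; the thresholds below are this example's own choice."""
    exploitability, impact = axes(vector)
    return band(exploitability, medium=1.5, high=2.8), band(impact, medium=2.0, high=4.0)


if __name__ == "__main__":
    # Constructed findings: same base score, opposite corners of the grid.
    findings = {
        "easy, low harm": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
        "hard, high harm": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
    }
    for label, vec in findings.items():
        e, i = axes(vec)
        print(f"{label:15} base={base_score(vec)}  exploitability={e:.2f} "
              f"impact={i:.2f}  likelihood/consequence={two_dimensional_rating(vec)}")
```

Both constructed vectors score 6.5 on the single scale; on two axes the first is High likelihood / Medium consequence and the second Low likelihood / High consequence, which is the distinction a triage queue actually cares about.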
