...
Each rule and recommendation has an assigned priority. Priorities are assigned using a metric based on Failure Mode, Effects, and Criticality Analysis (FMECA) [IEC 60812]. Three values are assigned for each rule on a scale of 1 to 3 for severity, likelihood, and remediation cost.
Severity—How serious are the consequences of the rule being ignored?
Value | Meaning | Examples of Vulnerability |
---|---|---|
1 | Low | Denial-of-service attack, abnormal termination |
2 | Medium | Data integrity violation, unintentional information disclosure |
3 | High | Run arbitrary code |
Likelihood—How likely is it that a flaw introduced by ignoring the rule can lead to an exploitable vulnerability?
Value | Meaning |
---|---|
1 | Unlikely |
2 | Probable |
3 | Likely |
Remediation Cost—How expensive is it to comply with the rule?
Value | Meaning | Detection | Correction |
---|---|---|---|
1 | High | Manual | Manual |
2 | Medium | Automatic | Manual |
3 | Low | Automatic | Automatic |
The three values are then multiplied together for each rule. This product provides a measure that can be used in prioritizing the application of the rules. The products range from 1 to 27, although only the following 10 distinct values are possible: 1, 2, 3, 4, 6, 8, 9, 12, 18, and 27. Rules and recommendations with a priority in the range of 1 to 4 are Level 3 rules, 6 to 9 are Level 2, and 12 to 27 are Level 1. The following are possible interpretations of the priorities and levels.
Priorities and Levels
Level | Priorities | Possible Interpretation |
---|---|---|
L1 | 12, 18, 27 | High severity, likely, inexpensive to repair |
L2 | 6, 8, 9 | Medium severity, probable, medium cost to repair |
L3 | 1, 2, 3, 4 | Low severity, unlikely, expensive to repair |
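The metric above is small enough to implement end to end. The following Python is an added worked example, not code from the SEI CERT standard; the function names (`priority`, `level_for`, `possible_products`, `rules_by_level`) and the `EXAMPLE-*` rule identifiers with their scores are constructed for illustration and do not correspond to real rules. It computes the product for every combination of the three scores, confirms that only the ten distinct products listed in the text can occur, and groups a set of rules into the L1/L2/L3 bands so a project can pick a remediation order.

```python
"""Worked example of the FMECA-style priority metric described above.

Added illustration; not code from the SEI CERT standard. Names and sample
rule scores are assumptions chosen for this example.
"""
from itertools import product

# Scale meanings, as given in the three tables above (each scored 1..3).
SEVERITY = {1: "Low", 2: "Medium", 3: "High"}
LIKELIHOOD = {1: "Unlikely", 2: "Probable", 3: "Likely"}
REMEDIATION_COST = {1: "High", 2: "Medium", 3: "Low"}

# Level bands stated in the text: product 12..27 -> L1, 6..9 -> L2, 1..4 -> L3.
LEVEL_BANDS = (("L1", 12, 27), ("L2", 6, 9), ("L3", 1, 4))


def priority(severity, likelihood, remediation_cost):
    """Return the priority: the product of the three 1..3 scores."""
    scores = (("severity", severity),
              ("likelihood", likelihood),
              ("remediation_cost", remediation_cost))
    for name, value in scores:
        if value not in (1, 2, 3):
            raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")
    return severity * likelihood * remediation_cost


def level_for(prio):
    """Map a priority product to its level (L1 is the most urgent)."""
    for level, low, high in LEVEL_BANDS:
        if low <= prio <= high:
            return level
    # Values such as 5, 7, 10 or 11 cannot be produced by three 1..3 factors.
    raise ValueError(f"{prio} is not a reachable priority value")


def possible_products():
    """Enumerate all 27 score combinations and return the distinct products."""
    return sorted({s * l * c for s, l, c in product((1, 2, 3), repeat=3)})


def rules_by_level(rules):
    """Group rule ids by level.

    `rules` maps a rule id to a (severity, likelihood, remediation_cost)
    tuple. Within a level, rules are ordered by descending priority so the
    highest-product rules come first; ties keep a stable alphabetical order.
    """
    grouped = {"L1": [], "L2": [], "L3": []}
    for rule_id, scores in sorted(rules.items()):
        prio = priority(*scores)
        grouped[level_for(prio)].append((prio, rule_id))
    return {
        level: [rule_id for _, rule_id in sorted(entries, key=lambda e: -e[0])]
        for level, entries in grouped.items()
    }


def describe(severity, likelihood, remediation_cost):
    """Human-readable summary of one rule's scores, priority and level."""
    prio = priority(severity, likelihood, remediation_cost)
    return (f"severity={SEVERITY[severity]}, likelihood={LIKELIHOOD[likelihood]}, "
            f"remediation cost={REMEDIATION_COST[remediation_cost]} "
            f"-> priority {prio} ({level_for(prio)})")


if __name__ == "__main__":
    # Constructed sample rules (hypothetical ids and scores, not real CERT rules).
    sample_rules = {
        "EXAMPLE-RULE-A": (3, 3, 3),  # arbitrary code, likely, cheap to fix
        "EXAMPLE-RULE-B": (2, 2, 2),  # integrity violation, probable, medium cost
        "EXAMPLE-RULE-C": (1, 2, 1),  # DoS, probable, expensive to fix
        "EXAMPLE-RULE-D": (3, 2, 1),  # arbitrary code, probable, expensive to fix
    }
    print("distinct products:", possible_products())
    for rule_id, scores in sample_rules.items():
        print(rule_id, describe(*scores))
    print(rules_by_level(sample_rules))
```

Running the script lists the ten reachable products and shows that a rule with high severity but an expensive, manual fix (`3 * 2 * 1 = 6`) lands in L2 rather than L1, which is the trade-off the remediation-cost factor is designed to express.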
Specific projects may begin remediation by implementing all rules at a particular level before proceeding to the lower-priority rules, as shown in the following illustration:
...