
Each guideline has an assigned priority. Priorities are assigned using a metric based on Failure Mode, Effects, and Criticality Analysis (FMECA) [[IEC 60812]]. Three values are assigned for each guideline on a scale of 1 to 3 for

  • severity - how serious are the consequences of the guideline being ignored
    1 = low (denial-of-service attack, abnormal termination)
    2 = medium (data integrity violation, unintentional information disclosure)
    3 = high (run arbitrary code, privilege escalation)
  • likelihood - how likely is it that a flaw introduced by ignoring the guideline could lead to an exploitable vulnerability
    1 = unlikely
    2 = probable
    3 = likely
  • remediation cost - how expensive is it to comply with the guideline
    1 = high (manual detection and correction)
    2 = medium (automatic detection and manual correction)
    3 = low (automatic detection and correction)

The three values are then multiplied together for each guideline. This product provides a measure that can be used in prioritizing the application of the guidelines. These products range from 1 to 27. Guidelines and recommendations with a priority in the range of 1-4 are level 3 guidelines, 6-9 are level 2, and 12-27 are level 1. As a result, it is possible to claim level 1, level 2, or complete compliance (level 3) with a standard by implementing all guidelines in a level, as shown in the following illustration:
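The scoring above, worked through as an added example (not part of the standard's own text): the code computes a guideline's priority product and level from its three scores and tabulates how the 27 possible score combinations fall across the three levels. Function names such as `assess` and `level_distribution` are assumed for illustration.

```python
# Added example: FMECA-style priority and level calculation as described above.
from itertools import product as cartesian

# Score meanings, as given on the page (1-3 scale for each factor).
SEVERITY = {1: "low", 2: "medium", 3: "high"}
LIKELIHOOD = {1: "unlikely", 2: "probable", 3: "likely"}
REMEDIATION_COST = {1: "high", 2: "medium", 3: "low"}


def priority(severity, likelihood, remediation_cost):
    """Multiply the three scores; each must be 1, 2 or 3."""
    scores = (("severity", severity), ("likelihood", likelihood),
              ("remediation_cost", remediation_cost))
    for name, value in scores:
        if value not in (1, 2, 3):
            raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")
    return severity * likelihood * remediation_cost


def level(priority_value):
    """Map a priority product to its level: 1-4 -> L3, 6-9 -> L2, 12-27 -> L1."""
    if 1 <= priority_value <= 4:
        return 3
    if 6 <= priority_value <= 9:
        return 2
    if 12 <= priority_value <= 27:
        return 1
    # Products of three 1-3 scores can only be 1, 2, 3, 4, 6, 8, 9, 12, 18 or 27,
    # so 5, 7, 10, 11 and anything outside 1-27 is never a real priority.
    raise ValueError(f"{priority_value} is not a reachable priority value")


def assess(severity, likelihood, remediation_cost):
    """Return the priority product and the compliance level for one guideline."""
    p = priority(severity, likelihood, remediation_cost)
    return {"priority": p, "level": level(p)}


def level_distribution():
    """Count how many of the 27 score combinations land in each level."""
    counts = {1: 0, 2: 0, 3: 0}
    for s, l, c in cartesian((1, 2, 3), repeat=3):
        counts[level(priority(s, l, c))] += 1
    return counts  # {1: 7, 2: 10, 3: 10}
```

Note that only seven of the 27 combinations reach level 1, so a remediation project that targets level 1 first covers the guidelines whose violation is both severe, likely to be exploitable and cheap to fix.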

Recommendations are not compulsory and are provided for information purposes only.

The metric is designed primarily for remediation projects. It is assumed that new development efforts will conform with the entire standard.
