Cheater Case

here is to estimate the likelihood of a successful attack by the cheater. Use the worst-case cheater. o Skill level: how technically skilled is the threat agent (cheater)? Security penetration skills (9), network and programming skills (6), advanced computer use (5), some technical skills, no technical skills (1) o Motive: How motivated is the cheater to find and exploit the vulnerability? Low or no reward (1), possible reward (4), high reward (9) o Opportunity: what resources and opportunities are required for the cheater to find and exploit vulnerability? Full access or expensive resources required (0), special access or resources required (4), some access or resources required (7), no access or resources required (9) o Size: How large is
Fully traceable (1), possibly traceable (5), completely anonymous (9)
Business Impact Factors: The business impact stems from the technical impact, but requires a deep understanding of what is important to the institution running exams. The business risk is what justifies investment in fixing security problems. Many institutions have an asset classification guide and/or a business impact reference to help formalize what is important to their business. These standards can help to focus on what's truly important for security. If standards aren't available, then it is necessary to talk with people who understand the business to get what is important. The factors below are common areas for many business. o Financial damage: How much financial damage will result from an exploit? Less than the cost to fix the vulnerability (1), minor effect on annual profit (3), significant effect on annual profit (7), bankruptcy (9) o Reputation damage: Would an exploit result in reputation damage that would harm the business? Minimal damage (1), loss of goodwill (5), brand damage (9) o Non-compliance: How much exposure does non-compliance introduce? Minor violation (1), clear violation (5), high profile violation