Risk assessment, as defined before, is the analysis part of the report. It is very crucial for the
customer, who wants to know how much damage the identified vulnerabilities are likely to cause;
similarly, the security executives want to know how their team is performing.
Risk Assessment Matrix
When we talk about risk assessment analysis in terms of a penetration test, we compare the “likelihood of occurrence” with the “impact of the occurrence.”
The following is a “hazard risk assessment matrix” derived from MIL-STD-882B; it is an excellent method for demonstrating risk to the customer. In the matrix, the “frequency of
occurrence,” that is, how often the vulnerability is likely to occur, is compared with the four
hazard categories “catastrophic,” “critical,” “serious,” and “minor.” This is something you
should definitely include in your penetration testing report.
After including the risk assessment matrix, you should write a line or two describing the
total risk, for example:
Based upon the comparison of the vulnerabilities that were determined, their likelihood, and their impact, we conclude that the overall risk is high; the risk percentage was
determined to be 82%.
Methodology
We have discussed a wide variety of penetration testing methodologies and standards, such as
OSSTMM, NIST, and OWASP. I would also like to include the methodology that was followed for conducting the penetration test; though its inclusion in the report is optional, it can add
great value to your penetration testing report. In a scenario where you have been asked to follow a certain
standard, describing the methodology and its steps is a good idea.
The following is a screenshot from one of our penetration testing reports where the NIST
methodology was followed in order to conduct the penetration test. Notice that we include a
flowchart of how the methodology works and explain each step precisely.