Risk Analysis and Evaluation for Software: Likelihood and Impact
Okay, you've used threat modeling and vulnerability identification to find potential security weak spots in your app, game, or software. Now what? The Cyber Resilience Act (CRA) expects you to assess these risks (Article 13, Paragraph 2). This means figuring out two key things for each identified risk: how likely is it to happen, and what’s the damage if it does?
Gauging Likelihood for Software
For your specific product, consider:
- Attacker Skill: Does exploiting this vulnerability require a highly skilled attacker, or could a script kiddie do it? A vulnerability in your game's anti-cheat might require more skill than one in a simple web form in your companion app.
- Exposure: Is the vulnerable part of your software easily accessible (e.g., a login page) or buried deep?
- Discoverability: How easy is it for someone to find this weakness?
- Existing Controls: Do you already have some mitigations in place that reduce the chance of exploitation?
You don't need a crystal ball. Think in simple terms: High, Medium, Low likelihood.
Assessing Impact on Your Product
If the risk materializes, what’s the fallout?
- Data Breach (Confidentiality): Loss of user data from your app? (Annex I, Part I, (e))
- Data Corruption (Integrity): Game save files getting wiped? Financial data in your software tampered with? (Annex I, Part I, (f))
- Service Outage (Availability): Your game's multiplayer servers go down? Your app becomes unusable? (Annex I, Part I, (h))
- Reputational Damage: Users lose trust if your app is hacked.
- Financial Loss: Refunds for a faulty game, costs of fixing a breach.
- Non-Compliance: Fines under CRA or other regulations like GDPR.
Again, a simple High, Medium, Low impact rating suffices for many software products.
The Risk Matrix
Combine likelihood and impact (e.g., using a simple 3x3 matrix) to categorize your risks. A High likelihood/High impact risk (e.g., an easy way to steal all user credentials from your app's backend) needs urgent attention. A Low likelihood/Low impact risk (e.g., a minor visual glitch if someone inputs a very specific unexpected character string) can probably wait.
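Here is the procedure above carried through in code (scoring likelihood from the four factors, rating impact, and combining both in a 3x3 matrix to rank what gets fixed first), as an added Python example that is not part of the original article. The factor weighting, the score band thresholds, the tier names and the three sample risks are assumptions constructed for illustration; the matrix layout and the High/Medium/Low scale are the ones the article describes.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Three-point scale the article suggests for likelihood and impact."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Risk:
    name: str
    skill_required: Level    # attacker skill needed; more skill = less likely
    exposure: Level          # how reachable the vulnerable component is
    discoverability: Level   # how easily the weakness can be found
    controls: Level          # strength of existing mitigations; stronger = less likely
    impact: Level            # worst-case fallout (confidentiality, integrity, availability, ...)


def likelihood(risk: Risk) -> Level:
    """Fold the four likelihood factors into High/Medium/Low.

    Exposure and discoverability raise likelihood; required skill and
    existing controls lower it, so those two are inverted (4 - value).
    The raw score therefore runs from 4 to 12. The band thresholds below
    are an assumption of this example, not something the article prescribes.
    """
    score = (risk.exposure + risk.discoverability
             + (4 - risk.skill_required) + (4 - risk.controls))
    if score >= 10:
        return Level.HIGH
    if score >= 7:
        return Level.MEDIUM
    return Level.LOW


# The 3x3 matrix: (likelihood, impact) -> action tier. Tier names are assumed.
MATRIX = {
    (Level.HIGH, Level.HIGH): "Urgent",
    (Level.HIGH, Level.MEDIUM): "Urgent",
    (Level.MEDIUM, Level.HIGH): "Urgent",
    (Level.HIGH, Level.LOW): "Planned",
    (Level.MEDIUM, Level.MEDIUM): "Planned",
    (Level.LOW, Level.HIGH): "Planned",
    (Level.MEDIUM, Level.LOW): "Backlog",
    (Level.LOW, Level.MEDIUM): "Backlog",
    (Level.LOW, Level.LOW): "Backlog",
}
TIER_ORDER = ["Urgent", "Planned", "Backlog"]


def tier(risk: Risk) -> str:
    """Look the risk up in the matrix by its derived likelihood and stated impact."""
    return MATRIX[(likelihood(risk), risk.impact)]


def prioritize(risks):
    """Order risks: Urgent tier first, then by likelihood x impact within a tier."""
    return sorted(
        risks,
        key=lambda r: (TIER_ORDER.index(tier(r)), -(likelihood(r) * r.impact)),
    )


# Constructed sample risks, modelled on the article's own examples.
SAMPLE_RISKS = [
    Risk("Visual glitch on an unusual input string",
         skill_required=Level.LOW, exposure=Level.LOW,
         discoverability=Level.LOW, controls=Level.HIGH, impact=Level.LOW),
    Risk("Anti-cheat bypass in the game client",
         skill_required=Level.HIGH, exposure=Level.MEDIUM,
         discoverability=Level.MEDIUM, controls=Level.MEDIUM, impact=Level.MEDIUM),
    Risk("Credential theft via the app's backend API",
         skill_required=Level.LOW, exposure=Level.HIGH,
         discoverability=Level.HIGH, controls=Level.LOW, impact=Level.HIGH),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{tier(r):8} L={likelihood(r).name:6} I={r.impact.name:6} {r.name}")
```

Running the script lists the credential theft as Urgent (High/High), the anti-cheat bypass as Planned (Medium/Medium, because the skill it demands pulls its likelihood down), and the visual glitch as Backlog (Low/Low). The point of keeping the matrix as an explicit table rather than a multiplication is that a team can adjust individual cells (for example, treating any High impact as at least Planned) without changing the scoring code.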
Key Takeaway
Risk analysis for your software involves estimating the likelihood of a threat exploiting a vulnerability and the potential impact. This helps you prioritize which security issues to fix first, aligning with the CRA's risk-based approach.