Ranking Threats by Decreasing Risk

For each asset in your Commerce Server installation, prioritize possible threats by determining the following:

  • What is the chance of an attack occurring? That is, how much effort, cost, or time would be required to mount the attack? (1 = high chance, 10 = low chance)
  • What is the cost or damage to your site if an attack occurs? (1 = little damage, 10 = massive damage)
  • Risk = Damage if an attack occurs / Chance of attack. (1 = little risk, 10 = massive risk)
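
The ranking procedure above, as an added Python example (not part of the original page or of Commerce Server). The asset names and ratings are constructed sample values, and breaking ties in favor of the higher damage rating is an assumption of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    asset: str
    name: str
    chance: int  # page's scale: 1 = high chance of attack, 10 = low chance
    damage: int  # page's scale: 1 = little damage, 10 = massive damage

    def __post_init__(self):
        # Reject ratings outside the 1-10 scales so a typo cannot skew the ranking.
        for field in ("chance", "damage"):
            value = getattr(self, field)
            if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{self.name}: {field} must be an integer 1-10, got {value!r}")

    @property
    def risk(self) -> float:
        # Page's formula: Risk = Damage if an attack occurs / Chance of attack.
        # Chance 1 means "most likely", so a small divisor yields a high risk.
        return self.damage / self.chance


def rank_by_decreasing_risk(threats):
    """Sort highest risk first; ties go to the higher damage (assumption)."""
    return sorted(threats, key=lambda t: (-t.risk, -t.damage, t.asset, t.name))


# Constructed sample ratings (assumptions, not data from the page).
SAMPLE = [
    Threat("Catalog database", "Incorrect permissions", chance=4, damage=8),
    Threat("Checkout page", "Argument checking", chance=2, damage=9),
    Threat("Checkout page", "Unchecked buffer", chance=5, damage=10),
    Threat("Admin console", "Restrictions that can be bypassed", chance=1, damage=6),
    Threat("Static content", "Other implementation error", chance=10, damage=1),
]

if __name__ == "__main__":
    for t in rank_by_decreasing_risk(SAMPLE):
        print(f"{t.risk:5.2f}  {t.asset:<18} {t.name}")
```

With these ratings the quotient runs from 0.1 (damage 1, chance 10) to 6.0 (damage 6, chance 1), and the two threats that tie at 2.0 are ordered by their damage rating.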

To reduce the risk to your Commerce Server installation, address the high-risk items first. When you do this, keep in mind the industry statistics in the following table, which show how current vulnerabilities are distributed by cause across seven major threats.

Vulnerability                        Percentage of attacks
Restrictions that can be bypassed    20
Argument checking                    19
Unchecked buffer                     18
Incorrect control marking            10
Incorrect permissions                9
Architectural error                  6
Other implementation error           18

See Also

Identifying Techniques that Mitigate Threats

Copyright © 2005 Microsoft Corporation.
All rights reserved.