Four factors that should be considered in responding to any compromise identified in either static or dynamic analysis of a system are:
- Level of risk
The first factor is the level of risk: how big a threat does the compromise pose to the system? The risk should be scored quantitatively against an industry (or in-house) risk-assessment standard, with a defined scale and range, so that the larger picture of the threat posed by the compromise is clear.
- Impact of the compromise
The second factor to consider is the impact of the compromise, which is gauged on:
  - the likelihood of the compromise occurring in a real-world scenario (not the test environment)
  - the ease of achieving the compromise
  - the impact of the compromise on the system
- Mitigation methods
The third factor to consider is the set of available mitigation methods:
  - Can the cause of the compromise be mitigated with a commercial off-the-shelf (COTS) solution?
  - Can the risk posed by the compromise be accepted? (risk acceptance – usually for low-level risks)
  - Can the risk posed be transferred? (risk transference – by opting for insurance or an outsourced solution such as cloud infrastructure)
- Cost-benefit analysis and trade-off
The final factor to consider before responding to the compromises thrown up by static and dynamic analysis is the cost-benefit analysis (CBA). It depends heavily on the previous three factors and directs how the risk of the compromise will be handled.
If C is the cost of losses due to the risk and B is the cost involved in handling it (all factors of time, money, resources, loss of reputation, and short- and long-term damage considered), then the relation between the two determines the next course of action: if C >> B, the risk is handled; if B >> C, it is accepted.
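As an added illustration (not part of the original text), the following Python routine applies the four factors above to a handful of constructed findings: it scores risk from likelihood, ease and impact, then uses the CBA to choose between mitigating, accepting and transferring. The 1-5 scales, the risk-level thresholds, the 3x reading of ">>" and the sample figures are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One compromise reported by static or dynamic analysis (constructed data)."""
    name: str
    likelihood: int     # 1-5: chance of the compromise in production, not the test rig
    ease: int           # 1-5: how easy the compromise is to achieve
    impact: int         # 1-5: damage to the system if it is achieved
    loss_cost: float    # C: expected cost of losses if the risk materialises
    handle_cost: float  # B: cost of handling the risk (time, money, staff, reputation)
    transferable: bool = False  # can the risk move to insurance or an outsourced provider?


RATIO = 3.0  # assumed reading of ">>": one cost must exceed the other at least 3x


def risk_score(f: Finding) -> int:
    """Factors 1 and 2: quantify the threat on a 1-125 scale."""
    return f.likelihood * f.ease * f.impact


def risk_level(score: int) -> str:
    """Bucket the score into an in-house scale (thresholds are assumptions)."""
    return "high" if score >= 60 else "medium" if score >= 20 else "low"


def decide(f: Finding) -> str:
    """Factors 3 and 4: pick a response from the CBA and the mitigation options."""
    level = risk_level(risk_score(f))
    if f.loss_cost >= RATIO * f.handle_cost:      # C >> B: handling clearly pays off
        return "mitigate"
    if f.handle_cost >= RATIO * f.loss_cost:      # B >> C: handling is not worth it
        if level == "low":                        # acceptance is for low-level risks
            return "accept"
        return "transfer" if f.transferable else "review"
    return "review"  # C and B comparable: the trade-off needs a human decision


def triage(findings):
    """Map each finding to (risk level, action), highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return {f.name: (risk_level(risk_score(f)), decide(f)) for f in ranked}


# Constructed sample findings; the numbers are illustrative, not from a real assessment.
SAMPLE = [
    Finding("sql-injection-in-login", 4, 4, 5, loss_cost=500_000, handle_cost=20_000),
    Finding("verbose-server-banner", 2, 5, 1, loss_cost=1_000, handle_cost=15_000),
    Finding("volumetric-ddos", 3, 3, 4, loss_cost=20_000, handle_cost=200_000, transferable=True),
    Finding("stale-tls-cipher", 3, 2, 3, loss_cost=10_000, handle_cost=8_000),
]
```

Calling `triage(SAMPLE)` returns the findings ordered by score, with the SQL injection marked for mitigation, the banner accepted, the DDoS risk transferred, and the cipher finding flagged for a manual trade-off because its two costs are comparable.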