What factors should be considered in responding to any compromise identified in either static or dynamic analysis of a system? Rank at least four factors and justify your ordering.


Four factors that should be considered in responding to any compromise identified in either static or dynamic analysis of a system are:

  1. Level of risk

The first factor is the level of risk. How big a threat does the compromise pose to the system? It is important to quantitatively mark the risk level using an industry (or in-house) risk-assessment standard, scale, and range. This gives clarity on the larger picture of the threat posed by the compromise.

  2. Impact of the compromise

The second factor to consider is the impact of the compromise. The impact of the compromise is gauged based on:

  • Likelihood of the compromise occurring in a real-world scenario (not the test environment)
  • The ease of achieving the compromise
  • The impact of the compromise on the system

  3. Mitigation methods

The third factor to be considered is the available mitigation methods:

  • Can the cause of the compromise be mitigated with a commercial off-the-shelf (COTS) solution?
  • Can the risk posed by the compromise be accepted? (risk acceptance – usually for low-level risks)
  • Can the risk posed be transferred? (risk transference – by opting for insurance or an outsourced solution such as cloud infrastructure)

  4. Cost-benefit analysis and trade-off

The final factor to consider before responding to the compromises thrown up by static and dynamic analysis is the CBA – the cost-benefit analysis. This is heavily dependent on the previous three factors and directs how the risk of compromise will be handled.
If C = cost of losses due to the risk, and B = cost involved in handling the risk (all factors of time, money, resources, loss of reputation, and short- and long-term damages considered), then the relationship between the two determines the next course of action: if C >> B, handling the risk is justified; if B >> C, accepting it is the better course.
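The four factors above can be turned into a repeatable triage of analysis findings. The following is an added example, not part of the original answer: it assumes constructed 1-5 scales for likelihood, ease and impact, a constructed banding of the combined score into risk levels, and treats ">>" as one cost being at least three times the other (an assumed threshold); findings that fall between are flagged for an explicit decision rather than auto-resolved.

```python
from dataclasses import dataclass

# Assumed threshold for "C >> B" / "B >> C": one cost dominates when it is
# at least DOMINANCE times the other. Tune to the organisation's appetite.
DOMINANCE = 3.0


@dataclass
class Finding:
    name: str
    source: str            # "static" or "dynamic" analysis
    likelihood: int        # 1-5: chance of real-world occurrence (constructed scale)
    ease: int              # 1-5: ease of achieving the compromise
    impact: int            # 1-5: impact on the system
    loss_cost: float       # C: expected cost of losses if the risk materialises
    handling_cost: float   # B: cost of mitigating / handling the risk
    transferable: bool = False  # can the risk be moved to insurance / a provider?


def risk_score(f: Finding) -> int:
    """Factor 1 and 2 combined: likelihood x ease x impact, range 1..125."""
    return f.likelihood * f.ease * f.impact


def risk_level(f: Finding) -> str:
    """Map the numeric score onto an in-house scale (constructed bands)."""
    score = risk_score(f)
    if score >= 60:
        return "critical"
    if score >= 27:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def recommend(f: Finding) -> str:
    """Factor 3 and 4: pick a response from the cost-benefit relationship."""
    if f.loss_cost >= DOMINANCE * f.handling_cost:      # C >> B
        return "mitigate"
    if f.handling_cost >= DOMINANCE * f.loss_cost:      # B >> C
        return "transfer" if f.transferable else "accept"
    return "review"  # neither cost dominates: needs an explicit decision


def triage(findings: list) -> list:
    """Order findings by risk score, then by potential loss, highest first."""
    return sorted(findings, key=lambda f: (-risk_score(f), -f.loss_cost))
```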