At Priosec we understand that a great consulting team has to offer the willingness and time to understand what is important to you: your business, your future thoughts with respect to
technology and your direction as a company. These factors, along with technical proficiency, help us focus on the areas of importance. They also allow us to interpret and prioritize
our findings in terms of business risk. Understanding how your technical teams work with respect to corporate policies and guidelines further assists us in delivering a report that
contains issues and risk ratings that relate directly to your business practices and objectives.
Providing risk classifications of identified issues related to business goals, drivers and differentiators is our number one priority when delivering your final report.
Risk classifications assess vulnerabilities as high, medium, or low risk based on technical and business severity qualifiers and related probability indicators, as explained below:
- Business severity measurements relate to the nature of an organization's core business drivers. For example, if an organization's website were responsible for 100% of revenue, a
vulnerability on this server would receive a much higher rating than if it functioned merely as a marketing tool.
- Technical severity pertains to the destruction an attacker might cause in exploiting identified vulnerabilities.
- Business probability takes into account industry type. For example, certain types of focussed attacks are more likely to be launched against government agencies than against a marketing
firm. An organization's prominence within its particular industry can also affect business probability. A world leader in credit card distribution, for instance, is more likely to be targeted than a
similarly oriented startup company.
- Technical probability is based on both the complexity involved in addressing vulnerability issues and the likelihood that they would be exploited.
By analyzing vulnerabilities in this manner, we effectively assist clients in prioritizing corrective measures. Since no two clients share identical technical and business variables, superficially
similar vulnerabilities are seldom assessed in the same manner. Resolution strategies are always specific to the client's organizational concerns.