This is the list of items needed to assess the risk that a vulnerability poses to the corporate network.
There are three factors for assessing the risk:
- Likelihood: how likely the threat is to be realized in the company network
- Consequence – impact of the realized threat on the individual compromised/vulnerable host
- Impact – Overall impact of the realized threat on the company in terms of $$
- Is the code/exploit available, published?
- Remotely exploitable?
- User interaction required?
- Which version of the application is vulnerable?
- Percentage of deployment in the company?
- What is the result of the vulnerability?
- Does it run with system privilege or logged on user privilege?