The Symantec Security Response Threat Severity Assessment evaluates computer threats (viruses, worms, Trojan horses and macros) and
classifies them into clearly defined categories of risk for computer
users. There are three major threat components that are analyzed to
determine the severity rating:
- The extent to which a malicious program is "in-the-wild".
- The damage that a malicious program causes if encountered.
- The rate at which a malicious program spreads.
Based on an evaluation of its sub-components, each threat component is
rated as High, Medium, or Low risk. The overall severity measure, which is
drawn from various combinations of risks, falls into one of 5 categories,
with Category 5 (or CAT 5) being the most severe, and Category 1 (or
CAT 1) the least severe. Section 1 describes each threat component.
Section 2 lists the combinations of components that result in the overall
risk assessment measure.
Section 1: Threat Metrics
1.1 Wild
The wild component measures the extent to which a virus is already
spreading among computer users. Information in this metric includes:
- Number of independent sites infected
- Number of computers infected
- Geographic distribution of infection
- Ability of current technology to combat threat
- Virus complexity
- References
Classification guidelines:
- High: 1,000 machines or 10 infected sites or 5 countries
- Medium: 50-999 machines or 2 infected sites/countries (i.e.,
WildList)
- Low: Anything else
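The Wild guidelines above are the one component with numeric thresholds, so a rating function can be written directly from them. The block below is an added example, not Symantec's own code; it assumes that "1,000 machines or 10 infected sites or 5 countries" means at least those counts, and that the Medium row means 50-999 machines, or at least 2 infected sites, or at least 2 countries. The observation counts it is run on are constructed to probe the boundaries (49 vs 50, 999 vs 1,000, 1 vs 2 sites, 4 vs 5 countries).

```python
# Added example (not Symantec's code): rating the "Wild" component of the
# Threat Severity Assessment from observed spread counts.
# Assumed interpretation: High thresholds are "at least" values, and the
# Medium row means 50-999 machines OR >=2 sites OR >=2 countries.
from dataclasses import dataclass

HIGH, MEDIUM, LOW = "High", "Medium", "Low"


@dataclass(frozen=True)
class WildObservation:
    machines: int = 0   # number of computers confirmed infected
    sites: int = 0      # number of independent sites reporting infection
    countries: int = 0  # number of countries with at least one report


def rate_wild(obs: WildObservation) -> str:
    """Return High, Medium or Low for the Wild component.

    High is tested first, so the Medium test only needs the lower bound of
    the 50-999 machine band; anything that matches neither row is Low.
    """
    if obs.machines < 0 or obs.sites < 0 or obs.countries < 0:
        raise ValueError("infection counts must be non-negative")
    if obs.machines >= 1000 or obs.sites >= 10 or obs.countries >= 5:
        return HIGH
    if obs.machines >= 50 or obs.sites >= 2 or obs.countries >= 2:
        return MEDIUM
    return LOW


def rate_all(observations: dict) -> dict:
    """Rate a batch of named observations; returns {name: rating}."""
    return {name: rate_wild(obs) for name, obs in observations.items()}


if __name__ == "__main__":
    # Constructed sample data sitting on either side of each threshold.
    samples = {
        "single lab machine": WildObservation(machines=1, sites=1, countries=1),
        "49 machines, one site": WildObservation(machines=49, sites=1, countries=1),
        "50 machines, one site": WildObservation(machines=50, sites=1, countries=1),
        "999 machines, 9 sites, 4 countries": WildObservation(999, 9, 4),
        "1000 machines": WildObservation(machines=1000),
        "two sites only": WildObservation(machines=5, sites=2, countries=1),
        "five countries": WildObservation(machines=20, sites=5, countries=5),
    }
    for name, rating in rate_all(samples).items():
        print(f"{rating:<6} {name}")
```

Because the High test runs first, an observation of 999 machines across 9 sites in 4 countries still rates Medium, which matches the guideline text: each threshold is evaluated on its own, and nothing short of a single High criterion promotes the component.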
1.2 Damage
The damage component measures the amount of damage that a given
infection could inflict. Information in this metric includes:
- Triggered events
- Deleted/modified files
- Release of confidential information
- Performance degradation
- Buggy routines that cause unintended loss of productivity
- Compromised security settings
- Ease of fixing damage
Classification guidelines:
- High: File destruction/modification, very high server traffic,
large-scale non-repairable damage, large security breaches, destructive
triggers
- Medium: Non-critical settings altered, buggy routines, easily
repairable damage, non-destructive triggers
- Low: No intentionally destructive behavior
1.3 Distribution
The distribution component measures how quickly a program spreads itself.
Information in this metric includes:
- Large-scale email attack (worm)
- Executable code attack (virus)
- Spreads only through download or copy (Trojan horse)
- Network drive infection capability
- Difficulty to remove/repair
Classification guidelines:
- High: Worms, network-aware executables, uncontainable threats (due
to high virus complexity or low AV ability to combat)
- Medium: Most viruses
- Low: Most Trojan horses