
Threat Severity Assessment

The Symantec Security Response Threat Severity Assessment evaluates computer threats (viruses, worms, Trojan horses and macros) and classifies them into clearly defined categories of risk for computer users. There are three major threat components that are analyzed to determine the severity rating:
  • The extent to which a malicious program is "in-the-wild".
  • The damage that a malicious program causes if encountered.
  • The rate at which a malicious program spreads.
Based on an evaluation of its sub-components, each category is rated as High, Medium, or Low risk. The overall severity measure, which is drawn from various combinations of risks, falls into one of 5 categories, with Category 5 (or CAT 5) being the most severe, and Category 1 (or CAT 1) the least severe. Section 1 describes each threat component. Section 2 lists the combinations of components that result in the overall risk assessment measure.

Section 1: Threat Metrics

1.1 Wild

The wild component measures the extent to which a virus is already spreading among computer users. Information in this metric includes:
  • Number of independent sites infected
  • Number of computers infected
  • Geographic distribution of infection
  • Ability of current technology to combat threat
  • Virus complexity
  • References

Classification guidelines:

  • High: 1,000 machines or 10 infected sites or 5 countries
  • Medium: 50-999 machines or 2 infected sites/countries (i.e., WildList)
  • Low: Anything else
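The Wild guideline above is the only one of the three metrics stated in numeric terms, so here it is as a small classifier. This is an added illustration, not Symantec's code; the page does not say how 3-9 sites or 2-4 countries are treated, so the code assumes they fall under Medium, and the counts it is run on are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WildObservation:
    """Counts gathered for the 'wild' metric (constructed input, not Symantec data)."""
    machines: int    # number of computers infected
    sites: int       # number of independent sites infected
    countries: int   # number of countries with reported infections


def rate_wild(obs: WildObservation) -> str:
    """Apply the Section 1.1 classification guideline.

    High  : 1,000+ machines, or 10+ infected sites, or 5+ countries
    Medium: 50-999 machines, or 2+ infected sites/countries
    Low   : anything else

    Assumption: the page's figures are read as 'at least' thresholds, and
    site/country counts between the Medium and High figures are rated Medium.
    """
    if obs.machines >= 1000 or obs.sites >= 10 or obs.countries >= 5:
        return "High"
    if 50 <= obs.machines <= 999 or obs.sites >= 2 or obs.countries >= 2:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    # Constructed sample reports, including the boundary values from the guideline.
    for obs in (WildObservation(1000, 1, 1), WildObservation(999, 1, 1),
                WildObservation(3, 10, 1), WildObservation(49, 1, 1)):
        print(obs, "->", rate_wild(obs))
```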

1.2 Damage

The damage component measures the amount of damage that a given infection could inflict. Information in this metric includes:
  • Triggered events
  • Deleted/modified files
  • Release of confidential information
  • Performance degradation
  • Buggy routines that cause unintended loss of productivity
  • Compromised security settings
  • Ease of fixing damage

Classification guidelines:

  • High: File destruction/modification, very high server traffic, large-scale non-repairable damage, large security breaches, destructive triggers
  • Medium: Non-critical settings altered, buggy routines, easily repairable damage, non-destructive triggers
  • Low: No intentionally destructive behavior

1.3 Distribution

The distribution component measures how quickly a program spreads itself. Information in this metric includes:
  • Large-scale email attack (worm)
  • Executable code attack (virus)
  • Spreads only through download or copy (Trojan horse)
  • Network drive infection capability
  • Difficulty of removal/repair

Classification guidelines:

  • High: Worms, network-aware executables, uncontainable threats (due to high virus complexity or low AV ability to combat)
  • Medium: Most viruses
  • Low: Most Trojan horses