
Quick risk assessment tips

It's good to be reminded of the need to perform a thorough assessment before reporting security issues as high risk. Here are some questions to ask:

- What outcomes are you most concerned about? Compromised private data and intellectual property theft are examples of "bad outcomes".

- What vulnerability has been identified? For instance, is it an application bug, or perhaps an errant back-up process?

- How do you assess the level of threat? In other words, what is the likelihood that this particular vulnerability will be targeted with the purpose of achieving the described bad outcome?

- How easy would the vulnerability be to exploit if somebody were suitably motivated and willing to do so?

- What would it cost the organisation if the bad outcome occurred? Consider costs to reputation, operational costs and bottom-line revenue.

The assessment doesn't need to be mathematically precise; there is little enough empirical evidence to go on, so your professional view will suffice. Better still is a group view.

Whatever process you end up following, make it a consistent one. I've found few decent tools, so I create my own; perhaps some of you reading this could provide references to the methodologies and tools that you use.
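One way to make the process consistent is to record the answers to the five questions above on a fixed scale and derive the rating from an explicit matrix, so that two people with the same answers always arrive at the same result, and to combine several assessors' answers into the group view the post recommends. The script below is an added example, not the author's own tool (which the post does not show): the three-level scale, the matrix cells, the choice to take the lower of threat and ease as likelihood and the worst cost dimension as impact, the median-based group view, and the assessors and issue in the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass
from math import ceil
from statistics import median
from typing import Dict, List, Tuple

# Ordinal scale used throughout (assumption: the three-level scale is this
# example's, not the post's).
LOW, MEDIUM, HIGH = 1, 2, 3
LABEL = {LOW: "low", MEDIUM: "medium", HIGH: "high"}

# Explicit risk matrix, (likelihood, impact) -> rating. Writing the cells out
# is what makes the process consistent: nobody rates by feel. Cells are an assumption.
RISK_MATRIX: Dict[Tuple[int, int], int] = {
    (LOW, LOW): LOW,     (LOW, MEDIUM): LOW,       (LOW, HIGH): MEDIUM,
    (MEDIUM, LOW): LOW,  (MEDIUM, MEDIUM): MEDIUM, (MEDIUM, HIGH): HIGH,
    (HIGH, LOW): MEDIUM, (HIGH, MEDIUM): HIGH,     (HIGH, HIGH): HIGH,
}


@dataclass
class Assessment:
    """One assessor's answers to the five questions in the post."""
    assessor: str
    bad_outcome: str        # Q1: the outcome we are worried about
    vulnerability: str      # Q2: the weakness that could lead to it
    threat: int             # Q3: likelihood it is targeted for that outcome (1-3)
    ease: int               # Q4: how easy exploitation is for a motivated attacker (1-3)
    cost_reputation: int    # Q5: cost if the outcome occurs, one score per dimension (1-3)
    cost_operational: int
    cost_revenue: int

    def __post_init__(self) -> None:
        # Reject anything off the scale rather than silently rating it.
        for name in ("threat", "ease", "cost_reputation", "cost_operational", "cost_revenue"):
            value = getattr(self, name)
            if value not in LABEL:
                raise ValueError(f"{self.assessor}: {name}={value!r} is not on the 1-3 scale")

    def likelihood(self) -> int:
        # Both a motivated attacker and an exploitable weakness are needed, so the
        # lower of the two answers bounds the likelihood (modelling assumption).
        return min(self.threat, self.ease)

    def impact(self) -> int:
        # The worst cost dimension dominates: a small revenue hit alongside a large
        # reputational one is still a high-impact outcome (modelling assumption).
        return max(self.cost_reputation, self.cost_operational, self.cost_revenue)

    def rating(self) -> int:
        return RISK_MATRIX[(self.likelihood(), self.impact())]


def group_rating(assessments: List[Assessment]) -> Dict[str, object]:
    """Combine several assessors' views of the same issue into one rating.

    The median of each factor is taken before the matrix lookup so one outlier
    does not drag the rating; with an even number of assessors a split level is
    rounded up. A spread of two or more levels between individual ratings is
    flagged so the group talks before anything is reported as high risk.
    """
    if not assessments:
        raise ValueError("need at least one assessment")
    if len({(a.bad_outcome, a.vulnerability) for a in assessments}) != 1:
        raise ValueError("assessments describe different issues; assess them separately")
    lik = ceil(median(a.likelihood() for a in assessments))
    imp = ceil(median(a.impact() for a in assessments))
    individual = [a.rating() for a in assessments]
    return {
        "likelihood": LABEL[lik],
        "impact": LABEL[imp],
        "rating": LABEL[RISK_MATRIX[(lik, imp)]],
        "needs_discussion": max(individual) - min(individual) >= 2,
        "individual": {a.assessor: LABEL[a.rating()] for a in assessments},
    }


# Constructed sample: three assessors look at the same issue, built from the
# post's own examples (private data exposed by an errant back-up process).
SAMPLE = [
    Assessment("alice", "compromised private data", "errant back-up process",
               threat=2, ease=3, cost_reputation=3, cost_operational=1, cost_revenue=2),
    Assessment("bob", "compromised private data", "errant back-up process",
               threat=1, ease=3, cost_reputation=2, cost_operational=1, cost_revenue=1),
    Assessment("carol", "compromised private data", "errant back-up process",
               threat=3, ease=3, cost_reputation=3, cost_operational=2, cost_revenue=2),
]

if __name__ == "__main__":
    for key, value in group_rating(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, alice and carol both land on "high" while bob lands on "low"; the group view is "high" but is flagged for discussion, which is the point: the disagreement itself is the most useful output before an issue goes into a report as high risk.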


About

This page contains a single entry from the blog posted on April 2, 2008 5:00 AM.
