People may ask me, what’s up with my risk metrics research because I wrote several times, that I’m working on such stuff. It’s true that I’m still working on that because I really love that topic but it has a very low priority in my actual research time. I’ve some ideas which I think that these are very interesting and as soon as I’ve got more time for it, I’ll work again more intensive on it. To not write a book about it now in my blog, just the following information: I’ll try to build a calculation model which calculates not only the risk of one finding and then out of this you can calculate the over all risk no, my approach is to build it more like a network in which you can have your findings and then simulate whole attack scenarios in it and calculate the risk of these (of course you’ll also be able to still have the other values of single vulnerabilities and so on). Also for me it makes sense to build a layer model to put findings in but this layer model seems to work also for development and (security) testing in it’s actual state which makes it very useful to a big group of people.

This was just as a short information but if you like to talk to me about this, just offer me a beer and bring some time and your own ideas with you