How to Calculate Security Risks

Today I worked on my security model. I spent a good amount of time creating goals and creating risks. OWASP Risk Rating Mehodology has some pretty good insights on how to rank different threats based on probability and business impact. Probability is calculated according to how exploitable, common, and detectable the attack is. The business impact is based on how much damage the attack could do to the business.
The risk = probability x impact.

Here is an example using a 0-10 scale:Lets calculate the risk for the attack: SQL Injection for (Note that this threat falls under the threat category: Injection from the OWASP Top 10:

1. Calculate Probability using the threat category.
The formula for calculating the probability would be the average: (10 x 8 x 8) / 3 ≈ 9

Exploitable Common Detectable
10 8 8

2. Calculate the Business Impact. Because does not use MySQL  the impact is NA or 0. Risk = (Probability x Impact) / 10.
Risk of SQL Injection = (9 x 0) / 10 = 0
As you can see, even though Injection [Risk – D] has a high risk,
SQL Injection (Risk – A)  has a low risk associated with because of the business impact.