If you ask 10 security professionals that perform risk evaluations how that measure risk and what is important, you will probably get 9 different answers. There is a slim change that 2 might agree. Below are three possible approaches to risk evaluation:
(1) Do you use a well defined methodology such as the NITST SP 800-30, Risk Management for Information Technology Systems? You follow it religiously never wavering from the formula and the living by the numbers. If it comes out at the top of the list, then you address it first without fail.
(2) Or do you use a “fly by the seat of your pants”, “this is how it feels” system? Maybe you read about an exploit for the same vulnerability, so it is at the top of the list. No scientific approach, not a repeatable process (at least not one that works the same way every time). Maybe that application has little value in your mind or the application owner pissed you off once, so you make it painful for them. This is not the recommended approach to risk management.
(3) Maybe you are using a combination of the two, where you incorporate some level of structure around the vulnerability, but reserve the ability to adjust based on your gut feeling after many years of Information Security practice?
Option 3 is the option I feel currently works best for my situation. For applications, systems, and projects/initiatives, I have criteria based on vulnerability scan, type of data, how users will access the data, whether system is considered critical to the company. Additionally, there is a set of questions based on a set of standard IT controls, and based on how these are answered; they get entered on a risk matrix. Here is where the gut feel comes in…when answering impact and likelihood of these vulnerabilities. IT controls directly implemented for this system, enterprise controls, and manual controls, etc… are all considered when making these evaluations. This system is repeatable with the ability to make some judgment based the specific factors around the system being evaluated.
If you need a new risk evaluations methodology…probably only the 1st or 3rd options above are recommended. If choose the 2nd option, good luck.