When you read the OWASP risk evaluation standard carefully you might get as confused as I got. They estimate the risk by first estimating the likelihood and then estimating the technical and business impact. The estimation is done by assigning the numbers 0..9 to a number of factors.
So far so good. Most of it makes perfect sense, but I was a little bit confused about the following factor:
What resources and opportunity are required for this group of
attackers to find and exploit this vulnerability? No access or special
resources (0), limited access and resources (4), special access or
resources (7), full access or expensive resources (9)
According to this factor the likelihood of an attack increases when more access to the application and more expensive resources are required on the attacker's side. I dare to doubt that