Source: OWASP
In this 2010 release, the OWASP made the following significant changes:
Attackers may search and use different paths through your application to attach Web applications.
Under the concept of risk management, each of these paths represents a risk that may or may not be serious enough to warrant attention. To determine the risk levels to an organization, the likelihood associated with the attack vector, weakness prevalende and detectability, and its technical impact needs to be analyzed (See OWASP Risk Rating Methodology).