Calculating the USR

This topic provides orientation on what the USR is and how it is used for events in the Workflow module.

Events use the USR as a measure of priority of the event, based on its urgency (U), severity (S), and relevance (R). These three have values between 1 and 5, whose respective meanings are established in the table below:

| Value | Urgency | Severity | Relevance | USR Level |
|---|---|---|---|---|
| 5 | Immediate | Extremely impaired | It may affect the entire organization and the impact will be extremely high | Very High |
| 4 | Urgent | Very severely impaired | It may affect one or more aspects of the organization and the impact will be very high | High |
| 3 | ASAP | Severely impaired | It may affect part of the organization and the impact will be substantial | Medium |
| 2 | Not Urgent | Less severely impaired | It may affect a small and localized part of the organization and the impact will be low | Low |
| 1 | No Rush | Almost no impairment | It may affect a very small and localized part of the organization and the impact will be negligible | Very Low |

The USR is a metric similar to the PSR and is calculated by multiplying the urgency, severity, and relevance together. Each of the three is scored on a scale from 1 to 5 (1 = Very Low and 5 = Very High), and these scales can be customized in the Scales section of the Administration module. The table below lists all possible USR values and the USR Level that corresponds to each:

| USR Level | Possible USR Values |
|---|---|
| Very High | 60, 64, 75, 80, 100, 125 |
| High | 32, 36, 40, 45, 48, 50 |
| Medium | 18, 20, 24, 25, 27, 30 |
| Low | 8, 9, 10, 12, 15, 16 |
| Very Low | 1, 2, 3, 4, 5, 6 |

The system will suggest USR values for each type of event based on certain criteria, described below. Note that these values can be modified each time the properties of an event are edited.

Generic and Custom Events: These are created manually in the Workflow module, and are not linked to projects. The default values suggested by the system for the USR are 3, 3, and 3, for a total of 27 (USR Level = Medium).

Risk Treatment Events: Risk treatment events are divided into two subtypes: controls and vulnerabilities. They are generated in the Evaluation phase of risk projects, where the vulnerabilities and non-implemented controls are listed so that risk managers can decide which to treat and which to accept. These events can treat individual or multiple risks. In addition, parent events can be created for assets and child events can be created for the controls or vulnerabilities related to them.

Three options are available to create risk treatment events related to controls.

    Create one event for each control: In risk events that treat non-implemented controls individually, the default USR score is equal to the PSR score of the control. The relevance and severity scores are then kept, while the probability becomes the urgency score.

    Create one event for all controls: For consolidated treatment events, one event is created for all controls and the USR calculation considers the control associated with the asset that has the highest relevance score. If this relevance score is the same for more than one control, their severity scores will be taken into consideration instead. For example, if three controls have probability, severity, and relevance scores equal to 1 x 2 x 5 / 1 x 3 x 5 / 5 x 5 x 4, respectively, the values of the last control will not be considered because it has the lowest relevance score. However, as the relevance scores for the two remaining controls are equal, their severity scores will be used as a reference instead. In this case, between the two remaining controls, the one with the highest severity score will be used. Thus, the USR (1 x 3 x 5) will be used as the USR score for the event. Note that the probability of the control will become the urgency of the event, and if the severity of the two controls were the same, their urgency scores would have been taken into consideration.

    Create a parent event for each asset and child events for the associated controls: Aside from consolidated treatment events, there are treatment events in which a parent event is created for an asset and child events are created for each non-implemented control related to that asset. The way in which the USR score is calculated for these events is very similar to the way that it is calculated when one event is created for all controls. However, since the relevance of the controls comes from the assets, and an event is created for each asset, the relevance for the child events will be the same as the relevance of their parent event. Thus, the USR calculation considers the child event with the highest severity score, and if this severity score is the same for more than one child event, their urgency scores will be taken into consideration instead.

 

Below are the three options available to create risk treatment events based on vulnerabilities.

    Create one event for each vulnerability: For events treating vulnerabilities individually, the default USR score is calculated as follows:

    Urgency: Risk Score / (Severity of the vulnerability x Relevance of the related asset), limited to 1 to 5
    Severity: Level of the vulnerability (1 to 5)
    Relevance: Relevance of the related asset (1 to 5)

Note: If the formula for the Risk Score is customized in the Administration module, the urgency score may exceed 5, but the maximum value considered when suggesting a USR score is 5. This means that if the calculated urgency is greater than 5, the value used in the calculations will be 5. Any decimal values are also rounded up or down to the nearest whole number.

    Create one event for all vulnerabilities: For consolidated events treating vulnerabilities, the way the USR is calculated is similar to that of consolidated risk treatment events for controls. The vulnerability associated with the asset with the highest relevance score will be used to calculate the USR for the treatment event. If the highest relevance score is shared by two assets or more, the severity scores of these vulnerabilities will be taken into consideration instead. If the highest severity score is also the same for more than one vulnerability, the urgency will be considered instead.

    Create a parent event for each asset and child events for the associated vulnerabilities: In this case, a parent event is created for an asset and child events are created for each vulnerability related to that asset. Since the relevance of the vulnerability comes from the asset, the relevance of the child events will be the same as the relevance of their parent event. The USR calculation considers the child event with the highest severity score, and if this severity score is the same for more than one child event, their urgency scores will be taken into consideration instead.
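The control and vulnerability rules above, worked through in Python as an added example (this is not the product's own code): the band thresholds that reproduce the Possible USR Values table, the tie-break order for consolidated and parent/child treatment events, and the capped, rounded urgency for individual vulnerabilities. Half-up rounding and the floor of 1 on the urgency are assumptions; the page only says values are rounded and capped at 5.

```python
from itertools import product
from math import floor
from typing import Dict, Iterable, Set, Tuple

Score = Tuple[int, int, int]  # (urgency, severity, relevance), each 1..5


def usr(score: Score) -> int:
    u, s, r = score
    return u * s * r


def usr_level(value: int) -> str:
    # Thresholds chosen so that every product of three 1..5 scores
    # lands in the band the page's "Possible USR Values" table gives it.
    if value >= 60:
        return "Very High"
    if value >= 32:
        return "High"
    if value >= 18:
        return "Medium"
    if value >= 8:
        return "Low"
    return "Very Low"


def possible_values_by_level() -> Dict[str, Set[int]]:
    """Every product of three 1..5 scores, grouped by USR Level."""
    table: Dict[str, Set[int]] = {}
    for u, s, r in product(range(1, 6), repeat=3):
        table.setdefault(usr_level(u * s * r), set()).add(u * s * r)
    return table


def consolidated_controls(psrs: Iterable[Score]) -> Score:
    """One event for all controls. Input tuples are PSR (probability,
    severity, relevance): highest relevance wins, ties go to severity,
    then probability. Probability becomes the event's urgency."""
    p, s, r = max(psrs, key=lambda c: (c[2], c[1], c[0]))
    return (p, s, r)


def parent_child_event(children: Iterable[Score]) -> Score:
    """Parent event per asset: relevance is inherited from the asset, so
    the child with the highest severity wins; ties go to urgency."""
    return max(children, key=lambda c: (c[1], c[0]))


def vulnerability_urgency(risk_score: float, severity: int, relevance: int) -> int:
    """Individual vulnerability: Risk Score / (severity x relevance),
    rounded half-up (assumption) and clamped to 1..5 (floor is assumed)."""
    raw = floor(risk_score / (severity * relevance) + 0.5)
    return max(1, min(5, raw))
```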

 

Non-Compliance Treatment Events: These are generated in the Evaluation phase of a compliance project, where non-compliant requirements are listed so that compliance managers can decide which to treat and which to accept. Non-compliances can be treated per non-compliant requirement (individually) or in groups (consolidated).

In events treating non-compliances individually, the urgency and severity scores, used to calculate the USR, are based on the Compliance Index and Compliance Level, according to the tables below. The relevance score, however, will always be equal to 3.

| Compliance Index | Urgency Score (U) |
|---|---|
| 0 to 19% | 5 |
| 20 to 39% | 4 |
| 40 to 59% | 3 |
| 60 to 79% | 2 |
| 80 to 100% | 1 |

| Compliance Level | Severity Score (S) |
|---|---|
| Not Met | 5 |
| Partially Met | 3 |
| Met | 1 |

In the case of consolidated events, the USR score is based on the requirement with the highest urgency level. If the highest urgency score is shared by more than one requirement, the severity scores of these requirements will be considered instead. The relevance, however, will always be equal to 3. For example, if a consolidated event is created to treat three non-compliant requirements with urgency, severity, and relevance scores corresponding to 3 x 5 x 5 / 4 x 1 x 1 / 4 x 2 x 1, respectively, the values of the first requirement will not be considered, as it has the lowest urgency score. For the remaining requirements, the severity scores will be used for reference. As the last requirement has the highest severity score, its metrics will be used to calculate the USR of the treatment event, 4 x 2 x 3.
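The non-compliance rules above as an added Python example (not the product's own code): the Compliance Index and Compliance Level lookups from the two tables, the fixed relevance of 3, and the urgency-then-severity tie-break for consolidated events. Treating a fractional index such as 19.5% as part of the lower band is an assumption; the page gives the bands as whole percentages.

```python
from typing import Iterable, Tuple

Score = Tuple[int, int, int]  # (urgency, severity, relevance)

NON_COMPLIANCE_RELEVANCE = 3  # the page fixes relevance at 3 for these events

# Compliance Level -> Severity Score, from the page's table
SEVERITY_BY_LEVEL = {"Not Met": 5, "Partially Met": 3, "Met": 1}


def urgency_from_compliance_index(index_pct: float) -> int:
    """Compliance Index (0..100 %) -> Urgency Score, from the page's table.
    Values below a band boundary (e.g. 19.5) stay in the lower band (assumption)."""
    if not 0 <= index_pct <= 100:
        raise ValueError("Compliance Index must be between 0 and 100")
    if index_pct < 20:
        return 5
    if index_pct < 40:
        return 4
    if index_pct < 60:
        return 3
    if index_pct < 80:
        return 2
    return 1


def individual_non_compliance(index_pct: float, level: str) -> Score:
    """One event per non-compliant requirement."""
    return (urgency_from_compliance_index(index_pct),
            SEVERITY_BY_LEVEL[level],
            NON_COMPLIANCE_RELEVANCE)


def consolidated_non_compliance(requirements: Iterable[Score]) -> Score:
    """One event for several requirements: the requirement with the highest
    urgency is used, ties go to severity, and relevance is always 3 even if
    the requirements carried other relevance values."""
    u, s, _ = max(requirements, key=lambda r: (r[0], r[1]))
    return (u, s, NON_COMPLIANCE_RELEVANCE)


def usr(score: Score) -> int:
    u, s, r = score
    return u * s * r
```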

Events Associated with Enterprise Risks: Generic or custom events for which the association with enterprise risks has been enabled are used to treat enterprise risks and can be created manually in the ERM solution.

When the events are created, the values suggested by the system for the USR will vary according to the level of the Qualitative Risk Score, which is obtained by multiplying the Inherent Probability Level by the Inherent Impact Level of the associated enterprise risk.

The Inherent Probability and Impact Levels range from 1 to 5 and, as a result of the multiplication, the Qualitative Risk Score Level can range from 1 to 25. These levels are determined by scales configured in the Scales section of the Administration module.

The default levels for the urgency, severity, and relevance of the event will be the same as the Qualitative Risk Score Level of the associated enterprise risk. For example, an enterprise risk with a Qualitative Risk Score Level of Very Low will have an associated event with an urgency, severity, and relevance level also set to Very Low and a USR score of 8 (2 x 2 x 2).

Events Associated with Plans: Generic or custom events for which the association with continuity plans has been enabled are used to treat plans and can be created manually in the Continuity module. The default values suggested by the system for these events will be a USR of 3, 3, and 3, for a total of 27 (USR Level = Medium).

Workflow App Events: Events created through the Workflow app can be managed in the Workflow module and are not linked to projects. The default values for the severity and relevance of these events are set when the app is registered as an authorized application in the Administration module. The values will correspond to those selected for the Severity and Relevance fields of the "Manage events from the Workflow module" option in the Available Features tab of the Authorized Applications section. The default urgency is configured in the Workflow app during event creation and will be the same as the event urgency in the Workflow module.