How to Edit the Default Risk Score

1.    Access the Administration module.

2.    Select Risk Score from the Customizations option on the menu.

 

The system displays a screen showing the default formula and an editing area where it can be customized (see figure below).

 

 

3.    To customize the formula, you can select one of the variables from the Variables field. The variable selected will appear in the editing area below the field and can then be combined with the operators and functions available to create the new formula.

 

Note: A formula can consist of one or more lines separated by semicolons (;). The value returned by the formula is the result of the last line executed.

The most common syntax is shown below, with [x] as optional:

Line 1: [variable A] = <expression 1>;
Line 2: [variable B] = <expression 2>;
Line N: [variable Z] = <expression N>;

 

For further details on the syntax of these formulas, see the link below:

http://www.springframework.net/doc-latest/reference/html/expressions.html

 

The tables below list the variables, operators, and functions available and their descriptions:

Variable

Description

AssetCriticality

Criticality set in the Organization module for the asset in which the vulnerability was identified. This value ranges from 0.00 to 100.00.

AssetRelevance

Relevance set in the Organization module for the asset in which the vulnerability was identified. This value ranges from 1 (Very Low) to 5 (Very High).

CvssScore

CVSS indicator for the vulnerability.

VulnerabilityLevel

Severity level of the vulnerability, which ranges from 1 (Very Low) to 5 (Very High).

VulnerabilityType

Type of vulnerability, which may assume one of the following values: VulnType.Information, VulnType.Potential, VulnType.Confirmed.

 

Relational Operators

Description

==

Returns true if two elements are equal and false otherwise. For example: “#result = #var == 1”

!=

Returns true if two elements are different and false otherwise. For example: “#result = #var != 1”

<

Returns true if the element on the left is less than the element on the right. For example: “#result = #var < 1”

<=

Returns true if the element on the left is less than or equal to the element on the right. For example: “#result = #var <= 1”

>

Returns true if the element on the left is greater than the element on the right. For example: “#result = #var > 1”

>=

Returns true if the element on the left is greater than or equal to the element on the right. For example: “#result = #var >= 1”

in

Returns true if the element is contained in the array. For example: “#result = 3 in {1,2,3,4}”

between

Returns true if the element is contained in the interval specified (both ends inclusive). For example: “#result = 3 between {1,4}”

 

Logical Operators

Description

or

Returns true if at least one of the conditions is met. For example: “#result = (#var == 1) or (#var == 2)”

and

Returns true if all conditions are met. For example: “#result = (#var != 1) and (#var != 2)”

!

Negates the Boolean result of an expression. If the result is true it returns false. If false it returns true. For example: “#result = !(2 == 1)”

 

Mathematical Operators

Description

+

Addition. For example: “#result = 2 + 3”

Returns: 5

-

Subtraction. For example: “#result = 2 - 3”

Returns: -1

*

Multiplication. For example: “#result = 2 * 3”

Returns: 6

/

Division. For example: “#result = 2.0 / 3.0”

Returns: 0.66666

%

Modulus. For example: “#result = 3.0 % 2.0”

Returns: 1

^

Exponent. For example: “#result = 2 ^ 3”

Returns: 8

 

Assignment and Variables

Description

=

Assigns a value to a variable. For example: “#var = 5”

#name

Declares the name of a variable. For example: “#var = ‘hello’”

 

Conditional Operator

Description

<Boolean expression> ? <if true then…> : <if false then…>

Evaluates the Boolean expression and returns the first value if it is true, otherwise the second. For example: #var > 5 ? ‘High’ : ‘Low’

 

Functions and Mathematical Constants

Description

The constants E and PI and the functions listed below are those defined by the Math class of the .NET Framework 4.5, with the same arguments and return values. See: http://msdn.microsoft.com/en-us/library/system.math.aspx.

E

PI

Abs(double value)

Acos(double d)

Asin(double d)

Atan(double d)

Atan2(double y, double x)

BigMul(int a, int b)

Ceiling(double a)

Cos(double d)

Cosh(double value)

Exp(double d)

Floor(double d)

IEEERemainder(double x, double y)

Log(double d)

Log(double a, double newBase)

Log10(double d)

Max(double val1, double val2)

Min(double val1, double val2)

Pow(double x, double y)

Round(double a)

Round(double value, int digits)

Sign(double value)

Sin(double a)

Sinh(double value)

Sqrt(double d)

Tan(double a)

Tanh(double value)

Truncate(double d)

 

Other Functions

Description

Lookup(double value, double search, double result, …, default)

Compares value against each search/result pair in turn and returns the result paired with the first matching search value; if none matches, it returns default (the last argument).

For example:

Lookup(VulnerabilityType,
       VulnerabilityType.Gathered, 1,
       VulnerabilityType.Potential, 2,
       VulnerabilityType.Confirmed, 3,
       0)

Returns 1, 2, 3, or 0 depending on the VulnerabilityType variable. If the variable matches none of the listed values, it returns the default, 0.
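The following multi-line formula is an added worked example, not the product's default formula: it scales vulnerability severity by how critical and relevant the affected asset is, so a confirmed finding on a critical, highly relevant asset scores near 100 while an information-only finding on a marginal asset scores near 0. It assumes the VulnType.* values from the variables table are the ones Lookup matches against (the Lookup example above writes the prefix as VulnerabilityType) and that the risk score is expected on a 0 to 100 scale; #typeWeight, #severity, #exposure and #raw are variables chosen for this example.

```text
#typeWeight = Lookup(VulnerabilityType, VulnType.Information, 1, VulnType.Potential, 2, VulnType.Confirmed, 3, 0);
#severity = Max(CvssScore * 10.0, VulnerabilityLevel * 20.0);
#exposure = (AssetCriticality / 100.0) * (AssetRelevance / 5.0);
#raw = #severity * #exposure * (#typeWeight / 3.0);
#typeWeight == 0 ? 0 : Min(100.0, Round(#raw, 2))
```

The last line is the value returned: an unrecognised vulnerability type yields 0 rather than an error, and the Min call keeps the result within the 0 to 100 range even if a CVSS score or asset attribute is later recorded outside its documented bounds.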

 

4.    Click Validate Formula for the system to check if the formula is valid. If you want to restore the default formula, click Restore Default Formula.

 

The system displays a success message.

 

5.    When finished, click Apply Settings to apply the changes. The changes take effect immediately and are used the next time assets are processed in risk projects.

 

The system displays a success message.