Risk Score

This section provides orientation on customizing the default Risk Score, used for measuring the risk associated with vulnerabilities identified in technology assets by external scanners.

These vulnerabilities are detected by Qualys or NeXpose scanners and automatically mapped to technology assets in the organizational structure using mapping criteria specified for each asset. Vulnerabilities identified by scanners not supported by the system can also be manually imported to the catalogue of vulnerabilities and mapped to assets through spreadsheets.

Once imported, they can be viewed for each asset in the Vulnerabilities tab in the Organization module, or consolidated information can be viewed for the technology assets a perimeter contains in the Vulnerabilities tab for perimeters.

For details on integration tasks to automatically import and map vulnerabilities from scanners supported by the system to assets, see Chapter 17: Administration -> Integrations -> Integration Tasks. For details on importing vulnerabilities to the catalogue, see Chapter 8: Knowledge -> Risk Knowledge -> Catalogue of Vulnerabilities. Lastly, for details on manually mapping vulnerabilities from scanners not supported by the system to assets, see Chapter 5: Risk -> Vulnerability Occurrences.

These technology assets can be included in the scope of risk projects. All vulnerabilities associated with them will be displayed, and you can fetch information from the latest scans before processing them. Once processed, a Risk Score will be calculated for each vulnerability, and you can decide which to accept and which to treat.

By default, the formula used for calculating the Risk Score is as follows:

Probability x Vulnerability Level x Asset Relevance

    The probability is used to measure the likelihood that a certain vulnerability will be exploited and is scored on a scale from 1 to 5. For confirmed vulnerabilities the default value is 5, for potential vulnerabilities it is set to 4, and for all other information gathered it is set to 1.

    The vulnerability level also varies on a scale from 1 to 5 and indicates a vulnerability's severity using a single metric that consolidates the different severity scales used by the scanners. The table below shows how the system derives this level from the scale of the scanner that identified each vulnerability:

QualysGuard Level   NeXpose Level   Modulo Risk Manager Level
-----------------   -------------   -------------------------
1                   1 – 2           1
2                   3 – 4           2
3                   5 – 6           3
4                   7 – 8           4
5                   9 – 10          5

    The asset relevance indicates the importance of the asset to the organization and varies on a scale from Very Low (1) to Very High (5). This score is specified for each asset in the Organization module.
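The default formula and the severity mapping above, implemented as an added example (this is illustrative code, not Modulo Risk Manager's own implementation; the function names, record fields and sample records are assumptions). It normalizes QualysGuard and NeXpose levels onto the 1 to 5 scale, applies the probability for confirmed, potential and information-only findings, and ranks a constructed set of findings by Risk Score.

```python
from typing import Dict, List, Tuple

# Probability by finding status, as described on this page.
PROBABILITY: Dict[str, int] = {"confirmed": 5, "potential": 4, "information": 1}


def normalize_level(scanner: str, level: int) -> int:
    """Map a scanner's native severity onto the 1-5 Modulo Risk Manager level."""
    if scanner == "qualys":
        if 1 <= level <= 5:
            return level                 # QualysGuard 1-5 maps one to one
    elif scanner == "nexpose":
        if 1 <= level <= 10:
            return (level + 1) // 2      # NeXpose 1-2 -> 1, 3-4 -> 2, ..., 9-10 -> 5
    else:
        raise ValueError(f"unsupported scanner: {scanner}")
    raise ValueError(f"{scanner} level out of range: {level}")


def risk_score(scanner: str, level: int, status: str, asset_relevance: int) -> int:
    """Default formula: Probability x Vulnerability Level x Asset Relevance."""
    if not 1 <= asset_relevance <= 5:
        raise ValueError(f"asset relevance out of range: {asset_relevance}")
    if status not in PROBABILITY:
        raise ValueError(f"unknown finding status: {status}")
    return PROBABILITY[status] * normalize_level(scanner, level) * asset_relevance


def rank_findings(findings: List[dict]) -> List[Tuple[str, int]]:
    """Score each finding and return (id, score) pairs, highest risk first."""
    scored = [
        (f["id"], risk_score(f["scanner"], f["level"], f["status"], f["relevance"]))
        for f in findings
    ]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample findings (assumed record shape, not real scan data).
SAMPLE_FINDINGS = [
    {"id": "Q-1", "scanner": "qualys", "level": 5, "status": "confirmed", "relevance": 5},
    {"id": "N-1", "scanner": "nexpose", "level": 7, "status": "potential", "relevance": 3},
    {"id": "Q-2", "scanner": "qualys", "level": 2, "status": "information", "relevance": 1},
    {"id": "N-2", "scanner": "nexpose", "level": 2, "status": "confirmed", "relevance": 4},
]

if __name__ == "__main__":
    for finding_id, score in rank_findings(SAMPLE_FINDINGS):
        print(f"{finding_id}: {score}")
```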

If the default formula is modified, the change automatically goes into effect throughout the system. Note, however, that it only affects assets that have not yet been processed while the analysis phase is still open. Once the new formula is applied, assets already included in the scope of a risk project must be processed again so that their Risk Score is recalculated using it. The default formula can be restored at any time.

Note: If the relevance of an asset is changed in the Organization module, the Risk Score will only be recalculated when the asset is reprocessed.