Can anyone explain how Risk Score on Vulnerable Item and Vulnerable Group is calculated? The risk score calculator and roll-up calculator don't really make sense :(

Dark Knight
Giga Contributor


I have already gone through the attached: https://docs.servicenow.com/bundle/london-security-management/page/product/vulnerability-response/concept/c_VulnCalcGroup.html

1 ACCEPTED SOLUTION

andy_ojha
ServiceNow Employee

Hey there - can certainly appreciate the complexity of the two layers here and how Risk score is leveraged between them.

Risk score on the Vulnerable Item (VI):

  • The VI Risk score is calculated using two inputs and computing their average
    • CMDB CI "criticality" -> i.e. the highest criticality rating of a business service that the CI supports
    • Vulnerability "severity" -> i.e. a normalized rating from a third-party tool like Qualys, Rapid7, etc
  • The VI Risk score is a 0-100 number
    • If the CMDB CI here does not support any business services, the default value score of 50 is used
    • The "normalized" Vulnerability severity depends on the 3rd party integration 
      • e.g. for Qualys, the Qualys Severity value is taken and multiplied by 20
      • Qualys Severity of 2 -> Normalized Vulnerability Severity = 40
    • So, now we have a CI Criticality of 50  and Vulnerability Severity of 40
      • The average here is (50+40)/2 = 45
      • The VI's computed Risk score is --> 45
    • Keep in mind, as the CI criticality changes or a different 3rd party integration (Rapid7 / Tenable) is used, the CI criticality score and normalized Vulnerability severity will differ - but this is the general theory of how the VI Risk score is computed

Risk score roll-up on the Vulnerability Group (VG):

  • The VG roll-up risk score is computed using a weighted average of three values
    • Max Risk Score (highest Risk score, of a VI associated to the VG)
    • Average Risk Score (average Risk score of the VIs, associated to the VG)
    • Total count of VIs (volume of VIs, associated to the VG)
  • The base system includes default weight values that add up to 100, as follows:
    • Max Risk Score ----------------> 80
    • Average Risk Score -----------> 5
    • Count of Vulnerable Items ---> 15
  • Let's say we have a Vulnerability Group, with 3 associated Vulnerable Items, and each Vulnerable Item has a Risk Score of (75) as an example.
    • The weighted calculation would be computed as follows:
      • Max Risk Score -----------> (80*75) / 100 = 60
      • Average Risk Score ------> (5*75) / 100 = 3.75
      • Count of Vuln Items -----> (15*3) / 100 = 0.45
      • Summing up the weighted values yields -> (60+3.75+0.45) = 64.2
    • The output here (64.2) would be the rollup Risk Score value for the Vulnerability Group, based on using the baseline weighted values.
    • I believe there is some rounding that gets leveraged here (via math.floor) that influences the integer value of the Vuln Group Risk Score. In this example, I am seeing {66} as the integer Vuln Group Risk Score in my lab instance.

There are some previous posts on the Community that review this topic that you can check out for reference:

- https://community.servicenow.com/community?id=community_question&sys_id=1c08f3aedb8f2700f0612183ca961919&anchor=answer_01478acfdb4b6b00656a5583ca961971&view_source=searchResult
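A worked implementation of the two calculations described in the accepted answer (added here as an example; it is not ServiceNow's own code). It assumes the business-service criticality ratings are already 0-100 numbers and uses the baseline weights 80 / 5 / 15 from the answer.

```python
# Added example, not ServiceNow code: reproduces the two-layer arithmetic from
# the answer above. VI risk score = average of CI criticality and normalized
# vulnerability severity; VG roll-up = weighted sum of max, average and count.
from statistics import mean

DEFAULT_CI_CRITICALITY = 50  # used when the CI supports no business service
BASELINE_WEIGHTS = {"max": 80, "avg": 5, "count": 15}  # baseline weights, sum to 100


def ci_criticality(service_criticalities):
    """Highest criticality (assumed already on a 0-100 scale) of the business
    services the CI supports, or the default of 50 if it supports none."""
    if not service_criticalities:
        return DEFAULT_CI_CRITICALITY
    return max(service_criticalities)


def normalize_qualys_severity(qualys_severity):
    """Qualys severity (1-5) is scaled into the 0-100 band by multiplying by 20."""
    if not 1 <= qualys_severity <= 5:
        raise ValueError("Qualys severity must be between 1 and 5")
    return qualys_severity * 20


def vi_risk_score(criticality, normalized_severity):
    """Vulnerable Item risk score: plain average of the two 0-100 inputs."""
    return (criticality + normalized_severity) / 2


def vg_rollup_risk_score(vi_scores, weights=BASELINE_WEIGHTS):
    """Vulnerability Group roll-up: each component scaled by weight / 100.
    Returns the raw weighted sum; the integer the platform displays may be
    rounded differently (the answer reports 66 for this example's 64.2)."""
    if not vi_scores:
        return 0.0
    weighted_max = weights["max"] * max(vi_scores) / 100
    weighted_avg = weights["avg"] * mean(vi_scores) / 100
    weighted_count = weights["count"] * len(vi_scores) / 100
    return weighted_max + weighted_avg + weighted_count


if __name__ == "__main__":
    # Worked values from the answer: no business services (50), Qualys sev 2 (40)
    sev = normalize_qualys_severity(2)
    print("VI risk score:", vi_risk_score(ci_criticality([]), sev))  # 45.0
    # Three VIs at 75 each with baseline weights -> 60 + 3.75 + 0.45 = 64.2
    print("VG roll-up:", vg_rollup_risk_score([75, 75, 75]))
```

Note that, taken literally, the count term is not capped: 15 * count / 100 keeps growing with the number of VIs, so unlike the VI score the roll-up for a very large group is not confined to 0-100.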


3 REPLIES

Thanks... this is super helpful! 

Belén Domínguez
Giga Contributor

This is very helpful! Thanks a lot 🙂