
Can anyone explain how Risk Score on Vulnerable Item and Vulnerable Group is calculated? The risk score calculator and roll-up calculator don't really make sense :(

Dark Knight
Giga Contributor


I have already gone through the attached: https://docs.servicenow.com/bundle/london-security-management/page/product/vulnerability-response/concept/c_VulnCalcGroup.html

1 ACCEPTED SOLUTION

andy_ojha
ServiceNow Employee
ServiceNow Employee

Hey there - can certainly appreciate the complexity of the two layers here and how Risk score is leveraged between them.


Risk score on the Vulnerable Item (VI):

  • The VI Risk score is calculated using two inputs and computing their average:
    • CMDB CI "criticality" -> i.e. the highest criticality rating of a business service that the CI supports
    • Vulnerability "severity" -> i.e. a normalized rating from a third-party tool like Qualys, Rapid7, etc.
  • The VI Risk score is a 0-100 number
    • If the CMDB CI here does not support any business services, the default score of 50 is used
    • The "normalized" Vulnerability severity depends on the 3rd party integration
      • e.g. for Qualys, the Qualys Severity value is taken and multiplied by 20
      • Qualys Severity of 2 -> Normalized Vulnerability Severity = 40
    • So, now we have a CI Criticality of 50 and a Vulnerability Severity of 40
      • The average here is (50+40)/2 = 45
      • The VI's computed Risk score is -> 45
    • Keep in mind, as the CI criticality changes or a different 3rd party integration (Rapid7 / Tenable) is used, the CI criticality score and normalized Vulnerability severity will differ - but this is the general theory of how the VI Risk score is computed

Risk score roll-up on the Vulnerability Group (VG):

  • The VG roll-up risk score is computed using a weighted average of three values
    • Max Risk Score (highest Risk score, of a VI associated to the VG)
    • Average Risk Score (average Risk score of the VIs, associated to the VG)
    • Total count of VIs (volume of VIs, associated to the VG)
  • The base system includes default weight values that add up to 100, as follows:
    • Max Risk Score ----------------> 80
    • Average Risk Score -----------> 5
    • Count of Vulnerable Items ---> 15
  • Let's say we have a Vulnerability Group with 3 associated Vulnerable Items, and each Vulnerable Item has a Risk Score of 75 as an example.
    • The weighted calculation would be computed as follows:
      • Max Risk Score -----------> (80*75)/100 = 60
      • Average Risk Score ------> (5*75)/100 = 3.75
      • Count of Vuln Items -----> (15*3)/100 = 0.45
    • Summing up the weighted values yields -> (60+3.75+0.45) = 64.2
    • The output here (64.2) would be the roll-up Risk Score value for the Vulnerability Group, based on using the baseline weighted values.
    • I believe there is some rounding that gets leveraged here (via math.floor) that influences the integer value of the Vuln Group Risk Score. In this example, I am seeing {66} as the integer Vuln Group Risk Score in my lab instance.

There are some previous posts on the Community that review this topic that you can check out for reference:

- https://community.servicenow.com/community?id=community_question&sys_id=1c08f3aedb8f2700f0612183ca961919&anchor=answer_01478acfdb4b6b00656a5583ca961971&view_source=searchResult

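To make the two layers in the accepted answer concrete, here is an added example (my own code, not ServiceNow's implementation) that models the VI score and the VG roll-up exactly as the answer describes them; the function names, the empty-group result of 0 and the input-range checks are my assumptions, and the weights and the Qualys ×20 scaling are the defaults quoted above.

```python
"""Model of the VI / VG risk-score math as described in the accepted answer.
Added example, not ServiceNow code: function names and validation are mine;
the default weights and normalization follow the answer."""
from statistics import mean
from typing import Dict, Optional, Sequence

DEFAULT_CI_CRITICALITY = 50  # used when the CI supports no business service
DEFAULT_WEIGHTS: Dict[str, int] = {"max": 80, "avg": 5, "count": 15}  # base system, sum to 100


def qualys_normalized_severity(qualys_severity: int) -> int:
    """Qualys severity (1-5) is scaled by 20 onto the 0-100 range."""
    if not 1 <= qualys_severity <= 5:
        raise ValueError("Qualys severity must be between 1 and 5")
    return qualys_severity * 20


def vi_risk_score(normalized_severity: float, ci_criticality: Optional[float]) -> float:
    """VI risk score = average of CI criticality and normalized severity.
    A CI with no business service (None) falls back to the default of 50."""
    crit = DEFAULT_CI_CRITICALITY if ci_criticality is None else ci_criticality
    for value in (normalized_severity, crit):
        if not 0 <= value <= 100:
            raise ValueError("both inputs must be on the 0-100 scale")
    return (crit + normalized_severity) / 2


def vg_rollup_score(vi_scores: Sequence[float],
                    weights: Dict[str, int] = DEFAULT_WEIGHTS) -> float:
    """Weighted roll-up of max score, average score and raw VI count.
    Returns the un-rounded value the answer arrives at (64.2 for three 75s);
    the answer's observed integer (66) comes from rounding it does not spell out."""
    if sum(weights.values()) != 100:
        raise ValueError("weights must add up to 100")
    if not vi_scores:  # assumption: an empty group has no risk to roll up
        return 0.0
    weighted_max = weights["max"] * max(vi_scores) / 100
    weighted_avg = weights["avg"] * mean(vi_scores) / 100
    weighted_count = weights["count"] * len(vi_scores) / 100  # count is used raw, so volume matters
    return round(weighted_max + weighted_avg + weighted_count, 2)


if __name__ == "__main__":
    severity = qualys_normalized_severity(2)            # 40
    print("VI risk score:", vi_risk_score(severity, None))   # 45.0
    print("VG roll-up:", vg_rollup_score([75, 75, 75]))      # 64.2
    print("VG roll-up, 40 low VIs:", vg_rollup_score([20] * 40))  # count term alone adds 6.0
```

The last line shows why the raw count term is worth watching: forty low-scored VIs push a group's roll-up above a single VI at the same score even though no individual finding got worse.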

3 REPLIES

Thanks... this is super helpful! 

Belén Domínguez
Giga Contributor

This is very helpful! Thanks a lot 🙂