03-07-2019 07:51 PM
Can anyone explain how the Risk Score on a Vulnerable Item and a Vulnerable Group is calculated? The risk score calculator and roll-up calculator don't really make sense 😞
I have already gone through the attached: https://docs.servicenow.com/bundle/london-security-management/page/product/vulnerability-response/concept/c_VulnCalcGroup.html
Labels: Vulnerability Response

03-07-2019 08:25 PM
Hey there - can certainly appreciate the complexity of the two layers here and how Risk score is leveraged between them.
Risk score on the Vulnerable Item (VI):
- The VI Risk score is calculated using two inputs, and computing their average:
  - CMDB CI "criticality" -> i.e. the highest criticality rating of a business service that the CI supports
  - Vulnerability "severity" -> i.e. a normalized rating from a third-party tool like Qualys, Rapid7, etc.
- The VI Risk score is a 0-100 number
- If the CMDB CI here does not support any business services, the default value score of 50 is used
- The "normalized" Vulnerability severity depends on the 3rd party integration
  - e.g. for Qualys, the Qualys Severity value is taken and multiplied by 20
  - Qualys Severity of 2 -> Normalized Vulnerability Severity = 40
- So, now we have a CI Criticality of 50 and a Vulnerability Severity of 40
  - The average here is (50+40)/2 = 45
  - The VI's computed Risk score is --> 45
- Keep in mind, as the CI criticality changes or a different 3rd party integration (Rapid7 / Tenable) is used, the CI criticality score and normalized Vulnerability severity will differ - but this is the general theory of how the VI Risk score is computed
Risk score roll-up on the Vulnerability Group (VG):
- The VG roll-up risk score is computed using a weighted average of three values:
  - Max Risk Score (highest Risk score of a VI associated to the VG)
  - Average Risk Score (average Risk score of the VIs associated to the VG)
  - Total count of VIs (volume of VIs associated to the VG)
- The base system includes default weight values that add up to 100, as follows:
  - Max Risk Score ----------------> 80
  - Average Risk Score -----------> 5
  - Count of Vulnerable Items ---> 15
- Let's say we have a Vulnerability Group with 3 associated Vulnerable Items, and each Vulnerable Item has a Risk Score of 75, as an example.
- The weighted calculation would be computed as follows:
  - Max Risk Score -----------> (80*75) / 100 = 60
  - Average Risk Score ------> (5*75) / 100 = 3.75
  - Count of Vuln Items -----> (15*3) / 100 = 0.45
  - Summing up the weighted values yields -> 60 + 3.75 + 0.45 = 64.2
- The output here (64.2) would be the roll-up Risk Score value for the Vulnerability Group, based on using the baseline weighted values.
- I believe there is some rounding that gets leveraged here (via Math.floor) that influences the integer value of the Vuln Group Risk Score. In this example, I am seeing 66 as the integer Vuln Group Risk Score in my lab instance.
There are some previous posts on the Community that review this topic that you can check out for reference:
- https://community.servicenow.com/community?id=community_question&sys_id=1c08f3aedb8f2700f0612183ca961919&anchor=answer_01478acfdb4b6b00656a5583ca961971&view_source=searchResult
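Added example (not from the thread and not ServiceNow's scoring script): the arithmetic the answer above describes, written out as runnable JavaScript so the two layers can be checked side by side. The constants are the ones quoted in the post (Qualys severity multiplied by 20, default CI criticality of 50 when no business service is supported, base weights 80 / 5 / 15). The range checks, the `normalizeQualysSeverity` helper and the returned breakdown are assumptions added for illustration; the code models the description, not the platform's implementation.

```javascript
// Illustrative model of the VI and VG risk scores as described in the answer.
// NOT ServiceNow's implementation. Constants are taken from the post; the
// validation and the returned term-by-term breakdown are added here so each
// term can be compared against what an instance actually shows.

const DEFAULT_CI_CRITICALITY = 50;                        // CI supports no business service
const DEFAULT_WEIGHTS = { max: 80, avg: 5, count: 15 };   // base-system weights, sum to 100

function assertInRange(name, value, lo, hi) {
  if (typeof value !== 'number' || Number.isNaN(value) || value < lo || value > hi) {
    throw new RangeError(`${name} must be a number in [${lo}, ${hi}], got ${value}`);
  }
}

// Qualys severity (1-5) onto the 0-100 scale: severity * 20, per the post.
// (Helper name is an assumption; other connectors normalize differently.)
function normalizeQualysSeverity(severity) {
  assertInRange('Qualys severity', severity, 1, 5);
  if (!Number.isInteger(severity)) throw new RangeError('Qualys severity must be an integer');
  return severity * 20;
}

// Vulnerable Item (VI) risk score: plain average of CI criticality and the
// normalized vulnerability severity, both on a 0-100 scale.
function viRiskScore(normalizedSeverity, ciCriticality = DEFAULT_CI_CRITICALITY) {
  assertInRange('normalized severity', normalizedSeverity, 0, 100);
  assertInRange('CI criticality', ciCriticality, 0, 100);
  return (ciCriticality + normalizedSeverity) / 2;
}

// Vulnerability Group (VG) roll-up: weighted sum of the highest VI score, the
// average VI score and the raw VI count, with the weights given in percent.
// Returns the breakdown plus the raw sum and its Math.floor value.
function vgRollupScore(viScores, weights = DEFAULT_WEIGHTS) {
  const weightSum = weights.max + weights.avg + weights.count;
  if (weightSum !== 100) {
    throw new RangeError(`weights must sum to 100, got ${weightSum}`);
  }
  if (viScores.length === 0) {
    return { max: 0, avg: 0, count: 0, terms: { max: 0, avg: 0, count: 0 }, raw: 0, floored: 0 };
  }
  viScores.forEach((s, i) => assertInRange(`VI score #${i}`, s, 0, 100));

  const max = Math.max(...viScores);
  const avg = viScores.reduce((a, b) => a + b, 0) / viScores.length;
  const count = viScores.length;
  const terms = {
    max: (weights.max * max) / 100,
    avg: (weights.avg * avg) / 100,
    count: (weights.count * count) / 100,   // raw count, scaled only by its weight
  };
  const raw = terms.max + terms.avg + terms.count;
  return { max, avg, count, terms, raw, floored: Math.floor(raw) };
}

// Worked examples from the thread (constructed input).
const vi = viRiskScore(normalizeQualysSeverity(2));   // Qualys sev 2, no business service
const vg = vgRollupScore([75, 75, 75]);               // three VIs at 75 each
console.log(JSON.stringify({ vi, vg }, null, 2));
```

Run it with `node`; the two example calls reproduce the 45 and 64.2 from the post. Two things worth noticing when comparing against a real instance: read literally, the count term is a raw count scaled by 15/100 and is not bounded, so a group with several hundred VIs would push this model past 100; and the answer itself reports 66 in a lab where this arithmetic gives 64.2. Both are reasons to treat the model as an approximation of the documented idea and to confirm the weights and rounding in the instance rather than trust the formula alone.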

03-07-2019 09:05 PM
Thanks... this is super helpful!
04-25-2019 06:10 AM
This is very helpful! Thanks a lot 🙂