Changing the default risk score scale for risk ratings.

dan167
Tera Guru

Hello,


Does anyone know where I would go to adjust the risk score rating scale? Say my employer wants a risk score of 60 and above to be critical (just an example): where would I adjust the scale to say a risk score of 60-100 should = critical?

1 ACCEPTED SOLUTION

andy_ojha
ServiceNow Employee

Hey there - Great question.

In earlier releases of VR, the Risk Score -> Risk Rating mapping was hardcoded in a Script Include (VulnerabilityUtils), and modifying that came with tech debt.

Today, you can configure the Risk Score -> Risk Rating mappings, by going to the Risk Score Weight table, filtering on the flavor of VR you want to make this configuration for (e.g. VR, Cloud VR, CC) and updating the ranges.

In the left nav, you would type [sn_sec_cmn_risk_score_weight.list] to get to the table, then filter the "Type" as needed (e.g. Vulnerability Response Risk Rating).


The "Weights" would be the Risk Score (0 - 100) Ranges, and the "Value" would be the outcome, i.e. the Risk Rating (1 - Critical, 2 - High, 3 - Medium, 4 - Low, 5 - None).


If you really needed to adjust the Risk Score -> Risk Rating scale, you would update the Weight values for the ranges you have in mind (e.g. lowering the threshold for Risk Rating of Critical, to start at 80 instead of 89).

Keep in mind, these baseline values do reflect the same flavor of mappings as seen in CVSS v3/v4 Scores to Severity ratings, as a starting point:
https://nvd.nist.gov/vuln-metrics/cvss


[image: andy_ojha_1-1734542336927.png]


Reference:

https://www.servicenow.com/docs/bundle/xanadu-security-management/page/product/container-vulnerabili...


OK, so it only shows you the top end of the weight on that table. I found that before but was looking for something that had a range in it, like "20-30 = high".


I updated the table to show like the image below. With how I have it updated, Critical should start at 75 since Value 2 (High) stops at 74?

andy_ojha
ServiceNow Employee

In that example config, a 75 would actually come out to Value 1 (since it is greater than 74 - Value 2).


A 74 would come out to a Value 2.


Think of it as (Greater than or equal to)...
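As an added example (not ServiceNow's code and not part of andy_ojha's reply), the following stand-alone Node.js script models the lookup described in this thread: each row of the Risk Score Weight table holds only the upper bound ("Weight") and the rating it maps to ("Value"), a score takes the first upper bound that is greater than or equal to it, and the lower bound of each range is implied by the next-lower row. The sample rows are constructed around the example config above (High stops at 74, so Critical starts at 75); the other bounds are assumptions for illustration, not the product's defaults. It also prints the "20-30 = High" style ranges the table itself does not display, and runs a few sanity checks worth doing before saving a customised scale.

```javascript
// Added example, not ServiceNow code: a plain Node.js model of the
// Risk Score -> Risk Rating lookup described in the thread.
// Each configured row carries only an upper bound ("Weight") and the rating
// it maps to ("Value"); the lower bound is implied by the next-lower row.

// Rating numbers as listed in the thread (1 - Critical ... 5 - None).
const RATING_LABELS = { 1: "Critical", 2: "High", 3: "Medium", 4: "Low", 5: "None" };

// Constructed sample rows modelled on the thread's example config, where
// Value 2 (High) stops at 74 so Critical starts at 75. The remaining bounds
// are assumptions for illustration, not the product's defaults.
const SAMPLE_WEIGHTS = [
  { value: 1, weight: 100 },
  { value: 2, weight: 74 },
  { value: 3, weight: 49 },
  { value: 4, weight: 24 },
  { value: 5, weight: 0 },
];

function byWeightAscending(rows) {
  return rows.slice().sort((a, b) => a.weight - b.weight);
}

// Returns the rating Value for a 0-100 score: the first row whose upper bound
// is greater than or equal to the score wins, so 74 -> High and 75 -> Critical.
function ratingForScore(score, rows) {
  if (!Number.isFinite(score) || score < 0 || score > 100) {
    throw new RangeError("risk score must be a number in 0-100, got " + score);
  }
  for (const row of byWeightAscending(rows)) {
    if (score <= row.weight) return row.value;
  }
  throw new Error("no row covers score " + score + "; the top row should have weight 100");
}

// Renders the implied inclusive ranges, e.g. "75-100 = Critical", which is the
// "range" view the question asked for but the table itself does not display.
function describeRanges(rows) {
  const lines = [];
  let lower = 0;
  for (const row of byWeightAscending(rows)) {
    const label = RATING_LABELS[row.value] || "Value " + row.value;
    lines.push(lower + "-" + row.weight + " = " + label);
    lower = row.weight + 1;
  }
  return lines;
}

// Sanity checks to run before saving a customised table: every score must map
// to exactly one rating, and more severe ratings must sit at higher weights.
function validateWeights(rows) {
  const problems = [];
  const sorted = byWeightAscending(rows);
  if (sorted.length === 0) return ["no rows configured"];
  const top = sorted[sorted.length - 1];
  if (top.weight !== 100) {
    problems.push("highest weight is " + top.weight + ", so scores above it map to nothing");
  }
  for (let i = 1; i < sorted.length; i++) {
    const prev = sorted[i - 1];
    const cur = sorted[i];
    if (cur.weight === prev.weight) {
      problems.push("duplicate weight " + cur.weight + " for Values " + prev.value + " and " + cur.value);
    }
    if (cur.value >= prev.value) {
      problems.push("Value " + cur.value + " (weight " + cur.weight + ") is not more severe than Value " + prev.value + " below it");
    }
  }
  return problems;
}

// Stand-alone run: prints the implied ranges and the two boundary cases.
if (typeof require !== "undefined" && require.main === module) {
  console.log(describeRanges(SAMPLE_WEIGHTS).join("\n"));
  console.log("74 ->", RATING_LABELS[ratingForScore(74, SAMPLE_WEIGHTS)]);
  console.log("75 ->", RATING_LABELS[ratingForScore(75, SAMPLE_WEIGHTS)]);
  console.log("problems:", validateWeights(SAMPLE_WEIGHTS));
}
```

Run it with `node` to see the implied ranges and confirm that 74 lands on High while 75 lands on Critical. The validator flags a top weight other than 100 and two ratings sharing one boundary, which are the two misconfigurations that silently leave scores unmapped or ambiguous.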


Would you also be able to tell me how to add a new Risk Rating? The company wants to add a new rating for "Zero Day" or something like that. I have updated the dictionary entry but am not sure if there is anything else needed.