How is the Risk score calculated for Vulnerability Solution
‎10-05-2020 03:57 AM
Hi,
I am working on the Vulnerability Response module, where I am facing one issue. I want to know how to calculate the Risk score for a Vulnerability solution. I have gone through the docs link below, where they have given the formula below, but it's not working.
The Solution record Risk score is a weighted calculation based on the vulnerable item Risk score and a count of active vulnerable items with this solution as their Potential Solution. Solution Risk score provides an estimation of the reduction in risk that the solution is expected to accomplish.
- It starts by taking 85% of the highest or maximum Risk score of an active vulnerable item with that potential solution.
- Solution record Risk score then tabulates the total number of vulnerable items with that potential solution. For each range of the number of vulnerable items, it adds some points and arrives at a total.
  - 0–09 vulnerable items adds no points
  - 10–99 vulnerable items adds 5 points
  - 100–999 vulnerable items adds 10 points
  - 1000 and beyond vulnerable items adds 15 points
For example, for a vulnerable item Risk score of 80, the Solution record Risk score would start at 68. If there were 200 active total vulnerable items with that potential solution, then the final Solution Risk score would be 78.
The Solution record Risk rating separates the Solution record Risk score into ranges from Critical to None. Solution Risk rating rates the risk reduction for the vulnerable items that this solution remediates.
- 1 — Critical (90+ Solution Risk score)
- 2 — High (70-89 Solution record Risk score)
- 3 — Medium (30-69 Solution record Risk score)
- 4 — Low (1-29 Solution record Risk score)
- 5 — None (0 Solution record Risk score)
In my case, the total number of Vulnerability items is 2, with a max risk score of 100. So as per the above formula, the risk score for the solution should be 85% of 100, which is 85, but it is showing 65.
Can someone please assist?
Thanks.
Regards,
Prabhati

‎10-05-2020 05:45 AM
Hey there,
Can appreciate the complexity here with the moving parts.
When you say x2 Vulnerable Items ... what flavour are these?
- Two Vulnerable Items that have this Solution, as a "Preferred Solution"?
- Two Vulnerable Items that have this Solution, as a "Potential Solution"?
These x2 factors are different, and will drive different Risk scores on the Solution Record.
Can you navigate to the Solution record you are analyzing, and click on the [Remediation Status] tab:
- Scroll down to "Potential Solution Targets"
- Is the count higher than 2?
‎10-05-2020 06:32 AM

‎10-05-2020 06:44 AM
Hey there,
As we see below in your screenshot, there are 27 Vulnerable Items that have this 'Solution' as a Potential Solution.
That is also factored into the calculation for the Solution - Risk score (it doesn't just look at Vulnerable Items with this Solution as the Preferred Solution).
On the Solution Record, under "Related Links", you should see an [Update Status] button.
If you click that, do the numbers change on your record (2 preferred VIs, 27 potential solutions)? Does the Risk score change from '65'?
‎10-05-2020 07:13 AM
Hi,
I clicked on the Update Status link, but that did not change the risk score or item count.
Could you please share one example and let me know how it is calculated?
Thanks.
Regards,
Prabhati
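
The formula quoted in the original question, worked through as an added example; it is not part of any post in this thread and is not ServiceNow's own code. It also lists which maximum vulnerable item scores would explain an observed Solution Risk score, which helps when the displayed value differs from the expected one. Assumptions: the field names `active` and `riskScore` are hypothetical, the 85% term is rounded to the nearest integer, and a solution with no active vulnerable items scores 0.

```javascript
// Added illustration in plain JavaScript; it calls no ServiceNow API.
// The field names `active` and `riskScore` are hypothetical.

// Points added for the number of active vulnerable items (tiers as quoted).
function countBonus(count) {
  if (count >= 1000) return 15;
  if (count >= 100) return 10;
  if (count >= 10) return 5;
  return 0;
}

// Rating ranges as quoted in the question.
function riskRating(score) {
  if (score >= 90) return '1 - Critical';
  if (score >= 70) return '2 - High';
  if (score >= 30) return '3 - Medium';
  if (score >= 1) return '4 - Low';
  return '5 - None';
}

// 85% of the highest active VI score, plus the count bonus.
// Assumptions: nearest-integer rounding; no active items gives a score of 0.
function scoreFrom(maxScore, count) {
  if (count === 0) return 0;
  return Math.round((85 * maxScore) / 100) + countBonus(count);
}

// vulnerableItems: every VI that lists this solution as a Potential Solution.
function solutionRisk(vulnerableItems) {
  const active = vulnerableItems.filter((vi) => vi.active);
  const maxScore = active.reduce((m, vi) => Math.max(m, vi.riskScore), 0);
  const score = scoreFrom(maxScore, active.length);
  return { activeCount: active.length, maxScore, score, rating: riskRating(score) };
}

// Troubleshooting aid: maximum VI scores that would yield an observed score.
function maxScoresExplaining(observed, count) {
  const hits = [];
  for (let s = 0; s <= 100; s++) if (scoreFrom(s, count) === observed) hits.push(s);
  return hits;
}

// Constructed sample: 200 active VIs (highest score 80) plus one inactive VI at 100.
const sample = Array.from({ length: 200 }, (_, i) => ({ active: true, riskScore: i === 0 ? 80 : 40 }));
sample.push({ active: false, riskScore: 100 });
console.log(solutionRisk(sample));
console.log(maxScoresExplaining(65, 27));
```

The inactive item with a score of 100 in the sample does not raise the result, because the quoted formula only considers active vulnerable items.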