01-20-2019 02:12 AM
I can see the risk score calculated for vulnerable items through the risk calculator, but how is it calculated for vulnerability groups? There is no calculator for vulnerability groups. Does it consider the risk scores of all associated vulnerable items?
And how is the priority set on the vulnerability group? How is it different from the associated vulnerable items' priority values?
Help me to understand these calculations.

03-13-2019 01:57 AM
Hi Swati,
Vulnerability calculator groups automate calculations on multiple vulnerable items. Calculations are performed on risk scores, priorities, and assignment groups using one or more fields from the vulnerable item table. The condition for each calculator is evaluated in order, and the first matching calculator is used.
All enabled vulnerability calculators in the Vulnerability Calculator Group run each time a vulnerable item is changed or when the Calculate Business Impact related link in a vulnerable item is used.
Business rule that runs to calculate the Risk Score:
- Update SI risk score
Vulnerability Calculator Group:
- Risk Score
- Vulnerability Impact
The vulnerability rollup calculator is a background script that performs its calculations based on the weighting assigned to different values. The calculator takes all the risk scores of the vulnerable items in a vulnerability group and bases its calculations on the following fields:
- Maximum risk score
- Average risk score
- Count of vulnerable items
To calculate the Risk Score for a Security Incident:
https://community.servicenow.com/community?id=community_question&sys_id=e2a051f1dbccf3005129a851ca9619ca
Please hit correct if this helped you.
Regards
Sandeep

01-21-2019 07:17 AM
Hi Swathi - This is a good observation / question.
In Kingston, there is no influence on the Vulnerability Group 'Priority' value in the baseline VR application.
In London, there is new functionality you'll want to investigate called the 'Roll-Up Calculator', which derives a (0-100) Risk Score value for the Vulnerability Group based on the Risk Scores of the associated Vulnerable Items in that group.
- https://docs.servicenow.com/bundle/london-security-management/page/product/vulnerability-response/concept/c_VulnCalcGroup.html
For the London scenario, you can also investigate configuring a Calculator Group for the Vulnerability Group 'Priority' based on the Vulnerability Group Risk Score that is derived from the 'Roll-Up' calculation (e.g. VUL Risk Score = 0 to 20, Priority = Low -> VUL Risk Score = 20 to 50, Priority = Medium, etc.)...
01-21-2019 08:20 AM
Thanks Andy, I was waiting for your response.
I found the table sn_vul_rollup, which has the settings you showed in the link. But I am not able to understand the calculation.
My understanding was: vul group risk score = (vul item 1 risk score + vul item 2 risk score ...) / no. of items
But this seems to be wrong. Can you please give me one example to understand this calculation? It's very complicated.

01-22-2019 03:26 PM
Hey Swathi - I can appreciate your comment here 🙂
The risk score is a bit complex, but when you start to work with it and become more familiar it will become easier to understand, and become a reliable way to normalize all information at hand.
I would say one way to look at it is that the Vulnerable Item 'Risk Score' represents the "average of the CI Criticality and Vulnerability Severity".
The CI Criticality and Vulnerability Severity are uniquely computed values, where each of them will be a value between (0 to 100). After the CI Criticality value is computed and the Vulnerability Severity is computed, the average of them creates the Vulnerable Item Risk Score.
The CI Criticality is determined from the business services that the CI (i.e. asset) supports, based on the current CMDB information. If a CI supports multiple business services, then the highest criticality rating of the business services that CI supports is used. The output here is a value (0 to 100) based on the computed CI criticality. If a CI does not support any business services, a default value of (50) is used for the CI Criticality.
The Vulnerability Severity will vary depending on the source of the vulnerability (e.g. Qualys, Tenable, Rapid7). Each third-party vulnerability tool has its own scoring system, and the calculator here normalizes the various scoring systems of each third-party tool by using a multiplier.
Vulnerability Severity:
- Qualys (Severity * 20)
- Tenable SC (Severity * 25)
- Rapid7 (Severity * 10)
Qualys has a 1 to 5 Severity value, so the Vulnerability Severity takes the Qualys Severity value, and multiplies it by 20, to compute the (0 to 100) Vulnerability Severity Value.
After the CI Criticality and Vulnerability Severity are calculated, the average of these values is taken to create the Vulnerable Item Risk Score.
Example:
Let's say we have a Vulnerable Item, with a CI that does not support any business services, and Vulnerability from Qualys with a Severity of 5.
The CI Criticality score would default to 50.
The Vulnerability Severity score would be (5 * 20) = 100.
The average of these scores is (50 + 100) / 2 = 75.
The Vulnerable Item's Risk Score would then be set to 75.

01-22-2019 05:33 PM
Hey Swathi - I can appreciate the complexity here - looks like an opportunity to improve the docs page with some examples.
The Vul Group Risk Score is calculated by the rollup calculator, which uses a weighted-average approach.
You can control the weight value configuration from the Vulnerability -> Administration -> Vulnerability Rollup Calculator module...
In the base system the weight values are:
| Field | Weight |
|---|---|
| Max Risk Score | 80 |
| Average Risk Score | 5 |
| Count of Vulnerable Items | 15 |
Let's say we have a Vulnerability Group, with 3 associated Vulnerable Items, and each Vulnerable Item has a Risk Score of (75).
The weighted calculation would be computed as follows.
Max Risk Score -----------> (80 * 75) / 100 = 60
Average Risk Score ------> (5 * 75) / 100 = 3.75
Count of Vuln Items -----> (15 * 3) / 100 = 0.45
Summing up the weighted values yields -> (60 + 3.75 + 0.45) = 64.2
The output here (64.2) would be the rollup Risk Score value for the Vulnerability Group, based on using the baseline weighted values.
I believe there is some rounding that gets leveraged here (via math.floor) that influences the integer value of the Vuln Group Risk Score. In this example, I am seeing {66} as the integer Vuln Group Risk Score in my lab instance.
Hope that helps.
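The two calculations walked through in this thread (the Vulnerable Item Risk Score from the earlier reply and the group rollup from this one) as an added worked example in Python; this is illustration code, not ServiceNow's own calculator. The scanner multipliers, the default CI Criticality of 50 and the baseline rollup weights are the values quoted in the posts; the floor on the rollup result follows the remark about math.floor above, and it is an assumption that the platform applies further rounding logic not shown here, since the post observed 66 where this formula gives 64.2.

```python
"""Worked example of the VR risk-score arithmetic described in this thread.
Added illustration only; not ServiceNow code."""
import math
from statistics import mean

# Per-source multipliers that normalise each scanner's native severity to 0-100
# (values as listed in the thread).
SEVERITY_MULTIPLIER = {"qualys": 20, "tenable": 25, "rapid7": 10}

DEFAULT_CI_CRITICALITY = 50  # used when the CI supports no business service

# Baseline weights of the Vulnerability Rollup Calculator, as quoted above.
ROLLUP_WEIGHTS = {"max": 80, "avg": 5, "count": 15}


def ci_criticality(business_service_criticalities=()):
    """Highest criticality (0-100) among the services the CI supports, else 50."""
    if not business_service_criticalities:
        return DEFAULT_CI_CRITICALITY
    return max(business_service_criticalities)


def vulnerability_severity(source, severity):
    """Normalise a scanner's native severity to the 0-100 scale."""
    factor = SEVERITY_MULTIPLIER.get(source.lower())
    if factor is None:
        raise ValueError(f"unknown vulnerability source: {source}")
    normalised = severity * factor
    if not 0 <= normalised <= 100:
        raise ValueError(f"severity {severity} is out of range for {source}")
    return normalised


def vulnerable_item_risk_score(source, severity, business_service_criticalities=()):
    """Average of CI Criticality and normalised Vulnerability Severity."""
    crit = ci_criticality(business_service_criticalities)
    sev = vulnerability_severity(source, severity)
    return (crit + sev) / 2


def group_rollup_risk_score(item_scores, weights=ROLLUP_WEIGHTS):
    """Weighted rollup of a group's vulnerable-item risk scores.
    Returns (raw weighted sum, floored integer). Assumption: the platform
    applies additional rounding beyond this floor (the post saw 66, not 64)."""
    if not item_scores:
        return 0.0, 0
    weighted_max = weights["max"] * max(item_scores) / 100
    weighted_avg = weights["avg"] * mean(item_scores) / 100
    weighted_count = weights["count"] * len(item_scores) / 100  # not capped
    raw = weighted_max + weighted_avg + weighted_count
    return round(raw, 2), math.floor(raw)
```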