03-07-2019 11:09 PM
Hi All,
Can anyone let me know how the risk scores are calculated for security incidents?
Does it depend only on Business impact and priority?
What are the different types in risk score configuration? How do we calculate Users business impact, vulnerable item business impact, configuration item business impact?
Regards,
Aswathy M M

03-07-2019 11:15 PM
Hi Aswathy,
The risk score is calculated as an arithmetic mean that represents the risk based on the priority of a security incident, the type of security incident (Denial of Service, Spear Phishing, or Malicious code activity), and the number of sources that triggered a failed reputation score on an indicator.
The following business rules trigger automatic calculation of risk scores:
- Calculate Severity
- Update risk score
- Update SI risk score
Note: The risk score is calculated using weights defined in Risk score configuration
Security Incident -> Setup -> Risk Score Configuration
Example
If a security incident has a Business impact set to 2-High and a Priority set to 3-Moderate, the respective weights in the Risk Score Weights table are looked up and calculated thus:
Security Incident Business Impact with a value of 2 = a weight of 60.
Security Incident Priority with a value of 3 = a weight of 40.
60 + 40/2 = a risk score of 50.
The work notes are updated when the following fields are changed (causing the risk score to be updated):
- Business impact on the Security Incident form
- Priority on the Security Incident form
- Severity on the Security Incident form (hidden by default)
- Business impact on the Affected Users related list
- Business impact on the Affected Services related list
- Business impact on vulnerabilities on the Vulnerable items related list
Risk score override (CheckBox)
Select this check box to override the automatic update of the risk score. The override will be reflected in the work notes.
You can also manually enter a new Risk score. This can be useful if you want to keep a particular security incident at the top of the list of security incidents you are analyzing. If you enter a new Risk score, the Risk score override check box is automatically selected. Regardless of the changes made in the security incident, a manually-entered risk score is not automatically recalculated.

03-08-2019 01:58 AM
Could you please help me with the below:
What are the different types in risk score configuration? How do we calculate Users business impact, vulnerable item business impact, configuration item business impact?

03-13-2019 01:34 AM
Hi Aswathy,
As I said in my previous reply, there is a table in ServiceNow called "Risk Score Configuration" where we define the weight of everything that affects the risk score calculation.
Security Incident -> Setup -> Risk Score Configuration
You can update this according to your needs if you want (Not comprehended)
For Example:
| Type | Value | Weight |
| --- | --- | --- |
| Security Incident Business Impact | 2 | |
| Configuration Item Business Impact | 3 - less critical | 60 |
| Security Incident Priority | 3 | 40 |
| Users Business Impact | 1 | 60 |
| Security Incident Priority | 1 | 90 |
| Security Incident Priority | 2 | 60 |
| Configuration Item Business Impact | 2 - somewhat critical | 80 |
| Configuration Item Business Impact | 4 - not critical | 40 |
| Users Business Impact | 3 | 10 |
| Security Incident Business Impact | 1 | 80 |
| Security Incident Severity | 1 | 95 |
| Security Incident Business Impact | 3 | 40 |
| Vulnerable Item Business Impact | 1 | 85 |
| Users Business Impact | 2 | 40 |
| Security Incident Severity | 2 | 55 |
| Configuration Item Business Impact | 1 - most critical | 100 |
| Security Incident Severity | 3 | 25 |
| Vulnerable Item Business Impact | 2 | 75 |
| Security Incident Priority | 5 | 10 |
| Security Incident Priority | 4 | 25 |
There are a few script includes and business rules which calculate the risk score.
Check my previous reply.
Please mark this as correct if it answered your question.
Regards
Sandeep
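
The lookup-and-average calculation and the override behaviour described in the replies above, as an added example (plain JavaScript, not ServiceNow's script includes or business rules, and not code from the thread). It assumes the score is the arithmetic mean of the weights of whichever factors are supplied; `weightFor`, `riskScore`, `updateIncident` and `setManualScore` are hypothetical names.

```javascript
// Subset of the weights quoted in the thread's Risk Score Configuration rows.
// The weight for Security Incident Business Impact = 2 (60) is taken from
// the worked example in the first reply.
const WEIGHTS = {
  "Security Incident Business Impact": { 1: 80, 2: 60, 3: 40 },
  "Security Incident Priority": { 1: 90, 2: 60, 3: 40, 4: 25, 5: 10 },
  "Security Incident Severity": { 1: 95, 2: 55, 3: 25 },
  "Users Business Impact": { 1: 60, 2: 40, 3: 10 },
  "Vulnerable Item Business Impact": { 1: 85, 2: 75 },
};

// Look up one weight; fail loudly on an unconfigured type/value pair
// instead of silently scoring it as 0 and under-ranking the incident.
function weightFor(type, value) {
  const row = WEIGHTS[type];
  if (!row || !(value in row)) {
    throw new Error(`no weight configured for ${type} = ${value}`);
  }
  return row[value];
}

// Arithmetic mean of the weights of the supplied factors (assumed model).
function riskScore(factors) {
  const weights = Object.entries(factors).map(([t, v]) => weightFor(t, v));
  if (weights.length === 0) throw new Error("no factors supplied");
  return Math.round(weights.reduce((a, b) => a + b, 0) / weights.length);
}

// A field change recalculates the score unless the override is set.
function updateIncident(incident, changedFactors) {
  const factors = { ...incident.factors, ...changedFactors };
  const next = { ...incident, factors };
  if (!incident.riskScoreOverride) next.riskScore = riskScore(factors);
  return next;
}

// Manually entering a score selects the override automatically.
function setManualScore(incident, score) {
  return { ...incident, riskScore: score, riskScoreOverride: true };
}
```

With Business impact 2 and Priority 3 this gives 50, matching the first reply; raising Priority to 1 gives 75 unless a manual score has been entered, in which case the score stays put.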
07-22-2024 12:23 AM
Is there any possibility that we can add a new Type in the Risk Score Config?