- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-07-2019 11:09 PM
Hi All,
Can anyone let me know how the risk scores are calculated for security incidents?
is it only depends on Business impact and priority?
What are the different types in risk score configuration? How do we calculate Users business impact,vulnerable item business impact,configuration item business impact?
Regards,
Aswathy M M
Solved! Go to Solution.

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-07-2019 11:15 PM
Hi Aswathy,
The risk score is calculated as an arithmetic mean that represents the risk based on the priority of a security incident, the type of security incident (Denial of Service, Spear Phishing, or Malicious code activity), and the number of sources that triggered a failed reputation score on an indicator.
Following business rules trigger automatic calculation of risk scores:
- Calculate Severity
- Update risk score
- Update SI risk score
Note: The risk score is calculated using weights defined in Risk score configuration
Security Incident -> Setup -> Risk Score Configuration
Example
If a security incident has a Business impact set to 2-High and a Priority set to 3-Moderate, the respective weights in the Risk Score Weights table are looked up and calculated thus:
Security Incident Business Impact with a value of 2 = a weight of 60.
Security Incident Priority with a value of 3 = a weight of 40.
60 + 40/2 = a risk score of 50.
- The work notes are updated when the following fields are changed (causing the risk score to be updated):
- Business impacton the Security Incident form
- Priorityon the Security Incident form
- Severityon the Security Incident form (hidden by default)
- Business impacton the Affected Users related list
- Business impacton the Affected Services related list
- Business impacton vulnerabilities on the Vulnerable items related list
Risk score override (CheckBox)
Select this check box to override the automatic update of the risk score. The override will be reflected in the work notes
You can also manually enter a new Risk score. This can be useful if you want to keep a particular security incident at the top of the list of security incidents you are analyzing. If you enter a new Risk score, the Risk score override check box is automatically selected. Regardless of the changes made in the security incident, a manually-entered risk score is not automatically recalculated
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-21-2025 12:35 PM
This doesn't seem to be correct! I'm trying to understand the calculation of the SIR Risk Score (Xanadu)
Based on the OOB table
https://<instance_name>/sn_sec_cmn_risk_score_weight_list.do?sysparm_userpref_m[…]6eebb11c3d22200275...
Business Impact = 1 and weight 100
Priority = 2 and weight 60
Severity = 3 and weight 25
SIR Risk score result = 55 How?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-21-2025 12:36 PM
This doesn't seem to be correct! I'm trying to understand the calculation of the SIR Risk Score (Xanadu)
Based on the OOB table
This doesn't seem to be correct! I'm trying to understand the calculation of the SIR Risk Score (Xanadu)
Based on the OOB table
This doesn't seem to be correct! I'm trying to understand the calculation of the SIR Risk Score (Xanadu)
Based on the OOB table
https://<instance_name>/sn_sec_cmn_risk_score_weight_list.do?sysparm_userpref_m[…]6eebb11c3d222002757dccdf3d3ae91&sysparm_clear_stack=true
Business Impact = 1 and weight 100
Priority = 2 and weight 60
Severity = 3 and weight 25
SIR Risk score result = 55 How?
Business Impact = 1 and weight 100
Priority = 2 and weight 60
Severity = 3 and weight 25
SIR Risk score result = 55 How?
Business Impact = 1 and weight 100
Priority = 2 and weight 60
Severity = 3 and weight 25
SIR Risk score result = 55 How?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-21-2025 03:27 PM
It's working a little different for Security Incident Response.
See the attached screenshots
You'll find a field under sn_sec_cmn_risk_score_audit_list.do table called Risk score parameters.
Risk score parameters field is being filled using values that come from the Risk Score Calculator (SIR Workspace).
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/secop[…]-workspace/...
Basically it will run the calc first time based on Risk Score Calculator values using the script include sn_sec_cmn.RiskScoreUtil (generateSIRiskScore function)
After first time it will always run the same script include but the returnSIRiskScore function (Update).
And the calc is super super simple. System go to sn_sec_cmn_risk_score_audit_list.do table and pick Risk score parameters field value.
Example:
{"si":80,"si_severity":55,"si_priority":40} where we can see 3 key values and the values
Sum 80 + 55 + 40 = 175 / 3 = 58,3 that it rounded to 59 //3 is related to quatity of keys, we can include more in Risk Calculator
Please try yourself and let me know if this makes sense. Again, see the attached files, please!