Risk Score Configuration in security incident

Aswathy2
Tera Expert

Hi All,

Can anyone let me know how the risk scores are calculated for security incidents?

Does it depend only on Business impact and priority?

What are the different types in risk score configuration? How do we calculate Users business impact, vulnerable item business impact, and configuration item business impact?

Regards,

Aswathy M M

1 ACCEPTED SOLUTION

Sandeep Kumar6
Giga Guru

Hi Aswathy,

The risk score is calculated as an arithmetic mean that represents the risk based on the priority of a security incident, the type of security incident (Denial of Service, Spear Phishing, or Malicious code activity), and the number of sources that triggered a failed reputation score on an indicator.

The following business rules trigger automatic calculation of risk scores:

  • Calculate Severity
  • Update risk score
  • Update SI risk score

 

Note: The risk score is calculated using weights defined in Risk score configuration

Security Incident -> Setup -> Risk Score Configuration

https://<instance_name>.service-now.com/sn_sec_cmn_risk_score_weight_list.do?sysparm_userpref_modul...

 

 Example

 If a security incident has a Business impact set to 2-High and a Priority set to 3-Moderate, the respective weights in the Risk Score Weights table are looked up and calculated thus:

Security Incident Business Impact with a value of 2 = a weight of 60.

Security Incident Priority with a value of 3 = a weight of 40.

(60 + 40) / 2 = a risk score of 50.

 

  • The work notes are updated when the following fields are changed (causing the risk score to be updated):
    • Business impact on the Security Incident form
    • Priority on the Security Incident form
    • Severity on the Security Incident form (hidden by default)
    • Business impact on the Affected Users related list
    • Business impact on the Affected Services related list
    • Business impact on vulnerabilities on the Vulnerable items related list

 

Risk score override (CheckBox)

Select this check box to override the automatic update of the risk score. The override will be reflected in the work notes.

You can also manually enter a new Risk score. This can be useful if you want to keep a particular security incident at the top of the list of security incidents you are analyzing. If you enter a new Risk score, the Risk score override check box is automatically selected. Regardless of the changes made in the security incident, a manually entered risk score is not automatically recalculated.


7 REPLIES

This doesn't seem to be correct! I'm trying to understand the calculation of the SIR Risk Score (Xanadu)
Based on the OOB table
https://<instance_name>/sn_sec_cmn_risk_score_weight_list.do?sysparm_userpref_m[…]6eebb11c3d22200275...

Business Impact = 1 and weight 100
Priority = 2 and weight 60
Severity = 3 and weight 25

SIR Risk score result = 55 How?

It works a little differently for Security Incident Response.

See the attached screenshots.

You'll find a field in the sn_sec_cmn_risk_score_audit_list.do table called Risk score parameters.

The Risk score parameters field is filled using values that come from the Risk Score Calculator (SIR Workspace).
https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/secop[…]-workspace/...

Basically, the first time, it runs the calculation based on the Risk Score Calculator values, using the script include sn_sec_cmn.RiskScoreUtil (generateSIRiskScore function).

After the first time, it always runs the same script include, but with the returnSIRiskScore function (Update).

And the calculation is super, super simple. The system goes to the sn_sec_cmn_risk_score_audit_list.do table and picks the Risk score parameters field value.

Example:
{"si":80,"si_severity":55,"si_priority":40}, where we can see 3 keys and their values.
Sum: 80 + 55 + 40 = 175; 175 / 3 = 58.3, which is rounded to 59. (The 3 is the number of keys; we can include more in the Risk Calculator.)

Please try it yourself and let me know if this makes sense. Again, see the attached files, please!
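
The two calculations described in this thread (the mean of the looked-up weights in the accepted solution, and the mean over the keys of the Risk score parameters JSON in the last reply), as an added example that is not part of any post and is not ServiceNow's RiskScoreUtil code: plain JavaScript that recomputes the score for a set of audit records and flags stored values that differ. The record field names, the SIR-* numbers, the key names in SIR-B and the round-up rule (inferred from the reply's 58.3 becoming 59) are assumptions.

```javascript
// Added example: plain JavaScript, not ServiceNow's RiskScoreUtil code.
// Assumption: the score is the mean of the values in the "Risk score
// parameters" JSON, rounded up (the reply's 58.3 -> 59 implies a ceiling).
function meanRiskScore(parametersJson) {
  let params;
  try {
    params = JSON.parse(parametersJson);
  } catch (e) {
    return null; // malformed audit value: cannot recompute
  }
  if (params === null || typeof params !== 'object' || Array.isArray(params)) return null;
  const values = Object.values(params);
  const allNumeric = values.every(v => typeof v === 'number' && Number.isFinite(v));
  if (values.length === 0 || !allNumeric) return null;
  const sum = values.reduce((a, b) => a + b, 0);
  return Math.ceil(sum / values.length); // divisor is the number of keys
}

// Compare stored scores with recomputed ones. The record field names
// (number, parameters, riskScore, override) are hypothetical.
function auditRiskScores(records) {
  return records.map(r => {
    const expected = meanRiskScore(r.parameters);
    let status;
    if (r.override) status = 'override'; // manual score, not recalculated
    else if (expected === null) status = 'unparseable';
    else status = expected === r.riskScore ? 'ok' : 'mismatch';
    return { number: r.number, stored: r.riskScore, expected, status };
  });
}

// Constructed sample records. SIR-A uses the JSON from the last reply;
// SIR-B uses the weights 60 and 40 from the accepted solution under
// constructed key names.
const P = '{"si":80,"si_severity":55,"si_priority":40}';
const sampleRecords = [
  { number: 'SIR-A', parameters: P, riskScore: 59, override: false },
  { number: 'SIR-B', parameters: '{"business_impact":60,"priority":40}', riskScore: 50, override: false },
  { number: 'SIR-C', parameters: P, riskScore: 95, override: true },
  { number: 'SIR-D', parameters: '{"si":80,"si_severity":55', riskScore: 45, override: false },
  { number: 'SIR-E', parameters: P, riskScore: 70, override: false },
];

console.log(auditRiskScores(sampleRecords));
```

A `mismatch` row is the one worth investigating: the stored score no longer follows from its recorded parameters, yet the override flag is not set.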