Risk score configuration

cbester
Tera Contributor

Hi, I'm just getting started with Security incident response, and I'm lost on how the risk score gets calculated out of the box. I'm trying to go through the RiskScoreUtil script include, but just wondering if someone else has already done this, and has an easy explanation of how it works? Or, maybe there's some documentation that I've missed?

Thanks!

3 replies

VaranAwesomenow
Mega Sage

Security incident risk score calculators

The Set priority with category and services and Set priority with observables calculators are used to calculate a risk score for a security incident.

Below is a screenshot of the risk calculator record for "Set priority with category and services":

url = https://<instance_name>.service-now.com/sn_si_calculator.do?sys_id=f49fd1ccc36222002757dccdf3d3aeb7&sysparm_record_target=sn_si_calculator&sysparm_record_row=1&sysparm_record_rows=8&sysparm_record_list=ORDERBYorder


Thanks


Anil


cbester
Tera Contributor

Here's what I've figured out, just in case anyone else is struggling when first setting up Sec Ops.

Risk Score Calculations

Basic configuration:

Field             Value          Weight
Business Impact   1 – Critical   80
                  2 – High       60
                  3 – Medium     40
Priority          1 – Critical   90
                  2 – High       60
                  3 – Medium     40
                  4 – Low        25
                  5              10
Severity          1              95
                  2              55
                  3              25


Business Impact is set manually.

Priority is set manually. The risk score is set up for 5 values, but we only have 4 (how it was set up out of the box).

Severity – this field is hidden, but could be added. It is set to 2 as a default.

Risk score is calculated by taking the value for each of the fields and getting an average.

For example, Business Impact = 2 -> 60
             Priority        = 0 -> 0
             Severity        = 2 -> 55

(60 + 0 + 55) / 3 = 58   Risk Score 58

Change priority to 3 -> 40

(60 + 40 + 55) / 3 = 52   Risk Score 52

*** I have noticed that the affected user is also brought into the equation. But we don't have any user rules set up, so the weight for affected user is always set to 10 out of the box.

Additional Configuration:

Examples from ServiceNow

  1. Set priority to critical when the business impact of the affected service (based on CI) is critical and the category is Denial of Service, Spear Phishing or Malicious code activity.
  2. Set values based on the criticality of the affected business service.
     • If the business criticality of the service is 1 – most critical, then impact = 1, risk = 2, priority = 1, severity = 1.
     • If the business criticality of the service is 2 – somewhat critical, then impact = 2, risk = 3, priority = 3, severity = 2.
     • Etc.
  3. Set severity = 1 if the attack vector contains web and email and impersonation.
  4. Set severity = 1 for given business units (so, in this case, add the business unit to the form and either set it manually or from the affected person).
  5. Set risk, impact, priority and severity to 1 if the affected service is 1 – most critical.
  6. A calculator can be set up to change the business impact based on user values.
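The averaging and one of the calculator rules from the post above, written out as an added example in plain JavaScript so it can be run outside the platform. This is not ServiceNow's RiskScoreUtil script include and not code from the poster; it only encodes the weight table transcribed above and one way of reading the two worked numbers. Note that the post's own numbers (58 and 52) are reproduced if a field with no value is dropped from the average rather than counted as 0 ((60 + 55) / 2 = 57.5 rounds to 58; (60 + 40 + 55) / 3 = 51.7 rounds to 52); that is an assumption here, and the real behaviour should be confirmed against RiskScoreUtil on your instance. The field names `affected_service_criticality` and `category`, the `includeAffectedUser` option and the sample incidents are all made up for the illustration.

```javascript
// Added illustration of the averaging described in the post above. It is NOT
// ServiceNow's RiskScoreUtil script include; it only reproduces the weight
// table the post transcribed and the behaviour its two worked numbers imply.

// Weight table exactly as transcribed in the post (field -> value -> weight).
const WEIGHTS = {
  business_impact: { 1: 80, 2: 60, 3: 40 },
  priority:        { 1: 90, 2: 60, 3: 40, 4: 25, 5: 10 },
  severity:        { 1: 95, 2: 55, 3: 25 },
};

// The post reports that, with no user rules configured, the affected-user
// contribution is always 10 out of the box.
const AFFECTED_USER_WEIGHT = 10;

// Return the weight for a field value, or null when the field is unset
// (0, null, undefined) or has no row in the table.
function lookupWeight(field, value) {
  if (value === 0 || value === null || value === undefined) return null;
  const table = WEIGHTS[field];
  if (!table || !(value in table)) return null;
  return table[value];
}

// Average the weights of the fields that carry a value and round to an integer.
// Assumption: unset fields are dropped from the average rather than counted as 0.
// That is what reproduces the post's numbers: (60 + 55) / 2 = 57.5 -> 58 when
// priority is 0, and (60 + 40 + 55) / 3 = 51.7 -> 52 when priority is 3.
function riskScore(incident, options = {}) {
  const contributions = [];
  for (const field of ['business_impact', 'priority', 'severity']) {
    const w = lookupWeight(field, incident[field]);
    if (w !== null) contributions.push(w);
  }
  // Optional (assumed flag): fold in the affected-user weight the post mentions.
  if (options.includeAffectedUser) contributions.push(AFFECTED_USER_WEIGHT);
  if (contributions.length === 0) return 0;
  const sum = contributions.reduce((a, b) => a + b, 0);
  return Math.round(sum / contributions.length);
}

// One of the "Examples from ServiceNow" rules in the post, written as a plain
// function: set priority to 1 when the affected service's business criticality
// is 1 (most critical) and the category is one of the three listed.
// The field names `affected_service_criticality` and `category` are assumed.
const CRITICAL_CATEGORIES = new Set([
  'Denial of Service',
  'Spear Phishing',
  'Malicious code activity',
]);

function applyPriorityRule(incident) {
  if (incident.affected_service_criticality === 1 &&
      CRITICAL_CATEGORIES.has(incident.category)) {
    return Object.assign({}, incident, { priority: 1 });
  }
  return incident;
}

// Constructed sample incidents (not real records).
const samples = [
  { business_impact: 2, priority: 0, severity: 2 },
  { business_impact: 2, priority: 3, severity: 2 },
  { business_impact: 2, priority: 3, severity: 2,
    category: 'Spear Phishing', affected_service_criticality: 1 },
];

for (const s of samples) {
  const after = applyPriorityRule(s);
  console.log(JSON.stringify(after), '->', riskScore(after));
}
```

Running it prints 58 and 52 for the two cases worked in the post, and 68 for the third sample, where the rule bumps priority to 1 so the average becomes (60 + 90 + 55) / 3. If you believe the affected-user weight is part of the divisor on your instance, pass `{ includeAffectedUser: true }` and compare against what the form actually shows; the difference between the two readings (52 versus 41 for the second sample) is large enough to tell them apart.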

Dave Smith1
ServiceNow Employee

Check Security Incident > Setup > Risk Score Configuration to see how the weightings work.