
Risk score on Remediation task

Shaik22
Tera Expert

Hello,

 

For example, 5 vulnerable items are associated with a remediation task. There are different risk scores on each vulnerable item (50, 75, 100, 80, 95). How is the risk score populated on the Remediation Task? Please help me with this; it would be very helpful.

3 REPLIES

Community Alums
Not applicable

Hi @Shaik22 ,

You can determine the risk score calculators to generate risk scores that use the vulnerability and asset data unique to your organization.

Example of determining risk rule calculators scores

The following example demonstrates how scores for risk rule calculators are determined.

Assume that a risk rule calculator is configured with the fields in this table:
 
Field Weightage Weight breakdown
Vulnerability.Severity 50
  • Default: 20
  • 1 - Critical: 100
  • 2 - High: 80
  • 3 - Medium: 60
  • 4 - Low: 40
  • 5 - None: 20
Vulnerability.Exploit Exists 50
  • Default: 50
  • Yes: 100
  • No: 0

Also, assume that the vulnerable items that are shown in this table are present in the system:
The risk score calculation for the vulnerable items is calculated based on the formula:

Risk Score = (W(severity) * FV(severity) + W(exploit exists) * FV(exploit exists)) / 100

where W is the weight and FV is the weight percentage of the field value.

The resulting risk score for these vulnerable items is described in this table:

Note: For VIT00005, because the value of the severity is empty, the default weightage is applied.

If the weightage percentage is changed for one of the field values, see this table for the results:

 
Field Weightage Weight breakdown
Vulnerability.Severity 50
  • Default: 20
  • 1 - Critical: 100
  • 2 - High: 70 (*revised value)
  • 3 - Medium: 60
  • 4 - Low: 40
Vulnerability.Exploit Exists 50
  • Default: 50
  • Yes: 100
  • No: 0

The risk score for the vulnerable items after reapplying the calculator is shown in this table:

Thanks for the response!

But this is for vulnerable items (sn_vul_vulnerable_item). I'm asking about the risk score on the Remediation Task (sn_vul_vulnerability).

One or more vulnerable items grouped together are called a Remediation Task. How is the risk score calculated on the Remediation Task?

 

william_tran
ServiceNow Employee

Hi Shaik22,

 

Risk score on a Remediation Task is calculated via the 'Vulnerability Response Rollup Calculators', specifically the 'Remediation Task Rollup' calculator. 

 

The default vulnerability rollup calculator takes the following metrics into account:

  • Maximum Risk Score (Weight: 80)
  • Average Risk Score (Weight: 5)
  • Count of Vulnerable Items (Weight: 15)

For the count of VIs, it is assigned a 'Factor' based on the total number of Vulnerable Items in that Remediation Task.


 

In the Vulnerability rollup calculator example, the formula for determining the remediation task Risk Score is:

(Maximum risk score/100) * 80 + (Average risk score /100) * 5 + (factor * 15)

 

In your situation, you have 5 Vulnerable Items with risk scores of 50, 75, 100, 80, 95:

  • The maximum risk score would be (100/100) * 80 = 80
  • The average risk score would be (80/100) * 5 = 4
    • Note: 80 is derived from the sum of all VI risk scores, divided by the number of VIs (400/5).
  • The count of vulnerable items would be 0.2 * 15 = 3
  • Your Remediation Task Risk Score should be 80 + 4 + 3 = 87.

 

The documentation can be found at this link: https://docs.servicenow.com/bundle/washingtondc-security-management/page/product/vulnerability-respo...

 

Please mark as helpful if you found this response beneficial!
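
The two calculations described in this thread, chained together as an added JavaScript example (not ServiceNow code and not written by any poster here): a per-item score from the risk rule calculator weights, then the rollup onto the Remediation Task. All function and variable names are hypothetical, and the factor bands are constructed, since the thread only states that five VIs give a factor of 0.2.

```javascript
// Added example, not ServiceNow code. Weights and breakdowns come from the thread.
const viCalculator = {
  severity: { weight: 50, fallback: 20, values: {
    "1 - Critical": 100, "2 - High": 80, "3 - Medium": 60, "4 - Low": 40, "5 - None": 20 } },
  exploitExists: { weight: 50, fallback: 50, values: { Yes: 100, No: 0 } },
};

// Risk Score = sum(W(field) * FV(field)) / 100; empty or unknown values use the default.
function viRiskScore(vi, calculator = viCalculator) {
  let total = 0;
  for (const [field, cfg] of Object.entries(calculator)) {
    const known = Object.prototype.hasOwnProperty.call(cfg.values, vi[field]);
    total += cfg.weight * (known ? cfg.values[vi[field]] : cfg.fallback);
  }
  return total / 100;
}

const rollupWeights = { max: 80, avg: 5, count: 15 };

// ASSUMPTION: constructed factor bands. The thread only gives 0.2 for 5 VIs;
// replace these with the bands configured in your own rollup calculator.
const sampleFactorBands = [
  { upTo: 10, factor: 0.2 },
  { upTo: 100, factor: 0.5 },
  { upTo: Infinity, factor: 1.0 },
];

function countFactor(count, bands = sampleFactorBands) {
  return bands.find((band) => count <= band.upTo).factor;
}

// (max / 100) * 80 + (average / 100) * 5 + (factor * 15), as given in the thread.
function remediationTaskRiskScore(viScores, weights = rollupWeights, bands = sampleFactorBands) {
  if (viScores.length === 0) return 0; // nothing to roll up (this example's choice)
  const max = Math.max(...viScores);
  const avg = viScores.reduce((sum, s) => sum + s, 0) / viScores.length;
  const score = (max / 100) * weights.max
    + (avg / 100) * weights.avg
    + countFactor(viScores.length, bands) * weights.count;
  return Math.round(score * 100) / 100; // two decimals, to hide float noise
}

// The five scores from the question roll up to 87.
console.log(remediationTaskRiskScore([50, 75, 100, 80, 95]));
```

Because the maximum carries a weight of 80, a single item scored 100 keeps the task at 80 or above regardless of how low the other items score.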