You can set up risk score calculators to generate risk scores from the vulnerability and asset data unique to your organization.

Example of determining risk rule calculator scores

The following example demonstrates how scores for risk rule calculators are determined.

Assume that a risk rule calculator is configured with the fields in this table:
Field Weightage Weight breakdown
Vulnerability.Severity 50
  • Default: 20
  • 1 - Critical: 100
  • 2 - High: 80
  • 3 - Medium: 60
  • 4 - Low: 40
  • 5 - None: 20
Vulnerability.Exploit Exists 50
  • Default: 50
  • Yes: 100
  • No: 0

Also, assume that the vulnerable items that are shown in this table are present in the system:
ID Vulnerability severity Vulnerability exploit exists
VIT00001 1 - Critical 1 - Yes
VIT00002 2 - High 1 - Yes
VIT00003 3 - Medium 2 – No
VIT00004 4 - Low 2 – No
VIT00005 5 - None 2 – No
The risk score for the vulnerable items is calculated with this formula:

Risk Score = (W(severity) * FV(severity) + W(exploit exists) * FV(exploit exists)) / 100

where W is the weight and FV is the weight percentage of the field value.

The resulting risk score for these vulnerable items is described in this table:

ID Vulnerability severity (50%) Vulnerability exploit exists (50%) Resultant risk score
VIT00001 1 – Critical (50% x 100) 1 – Yes (50% x 100) 100
VIT00002 2 – High (50% x 80) 1 – Yes (50% x 100) 90
VIT00003 3 – Medium (50% x 60) 2 – No (50% x 0) 30
VIT00004 4 – Low (50% x 40) 2 – No (50% x 0) 20
VIT00005 5 - None (50% x 20) 2 – No (50% x 0) 10
Note: For VIT00005, because the value of the severity is empty, the default weightage is applied.

Assume that the weightage percentage for one of the field values is changed, as shown in this table:

Field Weightage Weight breakdown
Vulnerability.Severity 50
  • Default: 20
  • 1 - Critical: 100
  • 2 - High: 70 *revised value
  • 3 - Medium: 60
  • 4 - Low: 40
Vulnerability.Exploit Exists 50
  • Default: 50
  • Yes: 100
  • No: 0

The risk score for the vulnerable items after reapplying the calculator is shown in this table:

ID Vulnerability severity (50%) Vulnerability exploit exists (50%) Resultant risk score
VIT00001 1 – Critical (50% x 100) 1 – Yes (50% x 100) 100
VIT00002 2 – High (50% x 70) *revised value 1 – Yes (50% x 100) 85 *revised value
VIT00003 3 – Medium (50% x 60) 2 – No (50% x 0) 30
VIT00004 4 – Low (50% x 40) 2 – No (50% x 0) 20
VIT00005 5 - None (50% x 20) 2 – No (50% x 0) 10
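
The calculation above can be reproduced with a short script. This is an added example, not ServiceNow platform code: the function and object names are hypothetical, the exploit field values are shortened to Yes and No, and the check that field weights total 100 is an assumption taken from the example's 50 + 50 split.

```javascript
// Added example; names are hypothetical and this is not ServiceNow platform code.
// Each field has a weight, a default, and a weight percentage per field value.
const baseConfig = {
  severity: { weight: 50, defaultValue: 20, values: {
    "1 - Critical": 100, "2 - High": 80, "3 - Medium": 60, "4 - Low": 40, "5 - None": 20 } },
  exploitExists: { weight: 50, defaultValue: 50, values: { Yes: 100, No: 0 } },
};

// Revised table: High is 70 and "5 - None" is not listed, so the default applies.
const revisedConfig = {
  ...baseConfig,
  severity: { weight: 50, defaultValue: 20, values: {
    "1 - Critical": 100, "2 - High": 70, "3 - Medium": 60, "4 - Low": 40 } },
};

// Vulnerable items from the page; exploit values shortened to the map keys.
const items = [
  { id: "VIT00001", severity: "1 - Critical", exploitExists: "Yes" },
  { id: "VIT00002", severity: "2 - High", exploitExists: "Yes" },
  { id: "VIT00003", severity: "3 - Medium", exploitExists: "No" },
  { id: "VIT00004", severity: "4 - Low", exploitExists: "No" },
  { id: "VIT00005", severity: "5 - None", exploitExists: "No" },
];

// Risk Score = sum over fields of W(field) * FV(field), divided by 100.
function riskScore(config, item) {
  const fields = Object.entries(config);
  // Assumption: weights total 100, as in the page's example (50 + 50).
  const total = fields.reduce((sum, [, f]) => sum + f.weight, 0);
  if (total !== 100) throw new Error(`field weights total ${total}, expected 100`);
  let weighted = 0;
  for (const [name, f] of fields) {
    // An empty or unmapped value falls back to the field's default.
    const known = Object.prototype.hasOwnProperty.call(f.values, item[name]);
    weighted += f.weight * (known ? f.values[item[name]] : f.defaultValue);
  }
  return weighted / 100;
}

// Reapply a calculator and return only the items whose score changed.
function rescore(oldConfig, newConfig, list) {
  return list
    .map((i) => ({ id: i.id, before: riskScore(oldConfig, i), after: riskScore(newConfig, i) }))
    .filter((r) => r.before !== r.after);
}

console.log(items.map((i) => `${i.id}: ${riskScore(baseConfig, i)}`).join("\n"));
console.log(rescore(baseConfig, revisedConfig, items));
```

Only VIT00002 is reported by rescore, because the revised weight percentage affects only the High severity value.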