Risk score calculation example for Vulnerability Response

Release version: Zurich

Updated July 31, 2025

2 minutes to read

Summarize

Summarized using AI

Summary of Risk score calculation example for Vulnerability Response

This example explains how ServiceNow Vulnerability Response calculates risk scores for vulnerable items using configurable risk rule calculators. The calculation leverages vulnerability and asset data unique to your organization to prioritize and manage risks effectively.

Show full answer Show less

Key Features

Risk Rule Calculator Configuration: Scores are based on weighted fields such as Vulnerability Severity and Vulnerability Exploit Exists, with customizable weight percentages for each field and its values.
Score Calculation Formula: The risk score is computed as the weighted sum of the field values’ percentages, divided by 100:
Risk Score = (W_severity × FV_severity + W_{exploitExists} × FV_{exploitExists}) / 100
Adjustable Weightage: Default and custom weight percentages can be assigned to severity levels and exploit existence, allowing you to fine-tune risk prioritization.

Key Outcomes

Each vulnerable item receives a numeric risk score reflecting its severity and exploit status, enabling targeted vulnerability management.
Example scores show how critical vulnerabilities with exploits score highest (up to 100), while low severity or non-exploited vulnerabilities score lower.
Adjusting weight percentages (e.g., reducing the score for High severity from 80 to 70) directly impacts calculated risk scores, providing flexibility in risk evaluation.
The default weightage applies when a field value is missing, ensuring consistent scoring.

You can determine the risk score calculators to generate risk scores that use the vulnerability and asset data unique to your organization.

Example of determining risk rule calculators scores

The following example demonstrates how scores for risk rule calculators are determined.

Assume that a risk rule calculator is configured with the fields in this table:


Field	Weightage	Weight breakdown
Vulnerability.Severity	50	Default: 20 1 - Critical: 100 2 - High: 80 3 - Medium: 60 4 - Low: 40 5 - None: 20
Vulnerability.Exploit Exists	50	Default: 50 Yes: 100 No: 0

Also, assume that the vulnerable items that are shown in this table are present in the system:


ID	Vulnerability severity	Vulnerability exploit exists
VIT00001	1 - Critical	1 - Yes
VIT00002	2 - High	1 - Yes
VIT00003	3 - Medium	2 – No
VIT00004	4 - Low	2 – No
VIT00005	5 - None	2 – No

The risk score calculation for the vulnerable items is calculated based on the formula:

Risk Score = (W(severity) * FV (severity). + W(exploitexists) * FV(exploit exists)) / 100

where W is the weight and FV is the weight percentage of the field value.

The resulting risk score for these vulnerable items is described in this table:


ID	Vulnerability severity (50%)	Vulnerability exploit exists (50%)	Resultant risk score
VIT00001	1 – Critical (50% x 100)	1 – Yes (50% x 100)	100
VIT00002	2 – High (50% x 80)	1 – Yes (50% x 100)	90
VIT00003	3 – Medium (50% x 60)	2 – No (50% x 0)	30
VIT00004	4 – Low (50% x 40)	2 – No (50% x 0)	20
VIT00005	5 - None (50% x 20)	2 – No (50% x 0)	10

Note:

For VIT00005, because the value of the severity is empty, the default weightage is applied.

If the weightage percentage is changed for one of the field values, see this table for the results:


Field	Weightage	Weight breakdown
Vulnerability.Severity	50	Default: 20 1 - Critical: 100 2 - High: 70 *revised value 3 - Medium: 60 4 - Low: 40
Vulnerability.Exploit Exists	50	Default: 50 Yes: 100 No: 0

The risk score for the vulnerable items after reapplying the calculator is shown in this table:


ID	Vulnerability severity (50%)	Vulnerability exploit exists (50%)	Resultant risk score
VIT00001	1 – Critical (50% x 100)	1 – Yes (50% x 100)	100
VIT00002	2 – High (50% x 70) *revised value	1 – Yes (50% x 100)	85 *revised value
VIT00003	3 – Medium (50% x 60)	2 – No (50% x 0)	30
VIT00004	4 – Low (50% x 40)	2 – No (50% x 0)	20
VIT00005	5 - None (50% x 20)	2 – No (50% x 0)	10