Risk score calculation example for Vulnerability Response

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Risk Score Calculation Example for Vulnerability Response

    This content provides guidance on calculating risk scores for vulnerabilities within your organization's systems, using specific formulas and weightings for various vulnerability characteristics. This enables effective prioritization of vulnerabilities based on their severity and exploitability.

    Show full answer Show less

    Key Features

    • Risk Rule Calculator Configuration: The calculator uses fields such as vulnerability severity and exploit existence, each with assigned weightages.
    • Weightage Breakdown: Severity levels are categorized with specific weightings, ranging from Critical (100) to None (20), while exploit existence is determined as Yes (100) or No (0).
    • Risk Score Formula: The formula used to calculate the risk score is: Risk Score = (W(severity) FV(severity) + W(exploit exists) FV(exploit exists)) / 100.

    Key Outcomes

    By applying the risk score calculations, organizations can identify and prioritize vulnerabilities as follows:

    • Example Scores: For vulnerable items, scores are calculated based on their severity and exploitability, yielding scores from 10 (lowest) to 100 (highest).
    • Revised Weightage Impact: Adjusting the weightage for vulnerability severity (e.g., changing High from 80 to 70) affects the resultant risk scores, demonstrating the importance of accurate configuration.

    This structured approach helps ServiceNow customers address vulnerabilities effectively and optimize risk management strategies.

    You can determine the risk score calculators to generate risk scores that use the vulnerability and asset data unique to your organization.

    Example of determining risk rule calculators scores

    The following example demonstrates how scores for risk rule calculators are determined.

    Assume that a risk rule calculator is configured with the fields in this table:
    Field Weightage Weight breakdown
    Vulnerability.Severity 50

    Default: 20

    1 - Critical: 100

    2 - High: 80

    3 - Medium: 60

    4 - Low: 40

    5 - None: 20
    Vulnerability.Exploit Exists 50

    Default: 50

    Yes: 100

    No: 0
    Also, assume that the vulnerable items that are shown in this table are present in the system:
    ID Vulnerability severity Vulnerability exploit exists
    VIT00001 1 - Critical 1 - Yes
    VIT00002 2 - High 1 - Yes
    VIT00003 3 - Medium 2 – No
    VIT00004 4 - Low 2 – No
    VIT00005 5 - None 2 – No
    The risk score calculation for the vulnerable items is calculated based on the formula:

    Risk Score = (W(severity) * FV (severity). + W(exploitexists) * FV(exploit exists)) / 100

    where W is the weight and FV is the weight percentage of the field value.

    The resulting risk score for these vulnerable items is described in this table:

    ID Vulnerability severity (50%) Vulnerability exploit exists (50%) Resultant risk score
    VIT00001 1 – Critical (50% x 100) 1 – Yes (50% x 100) 100
    VIT00002 2 – High (50% x 80) 1 – Yes (50% x 100) 90
    VIT00003 3 – Medium (50% x 60) 2 – No (50% x 0) 30
    VIT00004 4 – Low (50% x 40) 2 – No (50% x 0) 20
    VIT00005 5 - None (50% x 20) 2 – No (50% x 0) 10
    Note:
    For VIT00005, because the value of the severity is empty, the default weightage is applied.

    If the weightage percentage is changed for one of the field values, see this table for the results:

    Field Weightage Weight breakdown
    Vulnerability.Severity 50
    • Default: 20
    • 1 - Critical: 100
    • 2 - High: 70

      *revised value

    • 3 - Medium: 60
    • 4 - Low: 40
    Vulnerability.Exploit Exists 50
    • Default: 50
    • Yes: 100
    • No: 0

    The risk score for the vulnerable items after reapplying the calculator is shown in this table:

    ID Vulnerability severity (50%) Vulnerability exploit exists (50%) Resultant risk score
    VIT00001 1 – Critical (50% x 100) 1 – Yes (50% x 100) 100
    VIT00002 2 – High (50% x 70)

    *revised value

    		 1 – Yes (50% x 100) 85

    *revised value
    VIT00003 3 – Medium (50% x 60) 2 – No (50% x 0) 30
    VIT00004 4 – Low (50% x 40) 2 – No (50% x 0) 20
    VIT00005 5 - None (50% x 20) 2 – No (50% x 0) 10