Risk score calculation example for Vulnerability Response

  • Release version: Washingtondc
  • Updated February 1, 2024

You can configure risk rule calculators to generate risk scores from the vulnerability and asset data that is unique to your organization.

Example of determining risk rule calculator scores

The following example shows how the scores produced by a risk rule calculator are determined.

Assume that a risk rule calculator is configured with the fields in this table:

| Field                        | Weightage | Weight breakdown                                                                        |
|------------------------------|-----------|-----------------------------------------------------------------------------------------|
| Vulnerability.Severity       | 50        | Default: 20; 1 - Critical: 100; 2 - High: 80; 3 - Medium: 60; 4 - Low: 40; 5 - None: 20 |
| Vulnerability.Exploit Exists | 50        | Default: 50; Yes: 100; No: 0                                                            |
Also, assume that the vulnerable items shown in this table are present in the system:

| ID       | Vulnerability severity | Vulnerability exploit exists |
|----------|------------------------|------------------------------|
| VIT00001 | 1 - Critical           | 1 - Yes                      |
| VIT00002 | 2 - High               | 1 - Yes                      |
| VIT00003 | 3 - Medium             | 1 - Yes                      |
| VIT00004 | 4 - Low                | 2 - No                       |
| VIT00005 | 5 - None               | 2 - No                       |
The risk score for each vulnerable item is calculated with the formula:

Risk Score = (W(severity) * FV(severity) + W(exploit exists) * FV(exploit exists)) / 100

where W is the weightage of the field and FV is the weight percentage assigned to the field value in the weight breakdown.

The resulting risk score for these vulnerable items is shown in this table:

| ID       | Vulnerability severity (50%) | Vulnerability exploit exists (50%) | Resultant risk score |
|----------|------------------------------|------------------------------------|----------------------|
| VIT00001 | 1 - Critical (50% x 100)     | 1 - Yes (50% x 100)                | 100                  |
| VIT00002 | 2 - High (50% x 80)          | 1 - Yes (50% x 100)                | 90                   |
| VIT00003 | 3 - Medium (50% x 60)        | 2 - No (50% x 0)                   | 30                   |
| VIT00004 | 4 - Low (50% x 40)           | 2 - No (50% x 0)                   | 20                   |
| VIT00005 | 5 - None (50% x 20)          | 2 - No (50% x 0)                   | 10                   |

Note: For VIT00005, because the severity value is empty, the default weightage is applied.

If the weightage percentage is changed for one of the field values, the calculator configuration becomes:

| Field                        | Weightage | Weight breakdown                                                                     |
|------------------------------|-----------|--------------------------------------------------------------------------------------|
| Vulnerability.Severity       | 50        | Default: 20; 1 - Critical: 100; 2 - High: 70 (revised value); 3 - Medium: 60; 4 - Low: 40 |
| Vulnerability.Exploit Exists | 50        | Default: 50; Yes: 100; No: 0                                                         |

The risk score for the vulnerable items after reapplying the calculator is shown in this table:

| ID       | Vulnerability severity (50%)         | Vulnerability exploit exists (50%) | Resultant risk score |
|----------|--------------------------------------|------------------------------------|----------------------|
| VIT00001 | 1 - Critical (50% x 100)             | 1 - Yes (50% x 100)                | 100                  |
| VIT00002 | 2 - High (50% x 70) (revised value)  | 1 - Yes (50% x 100)                | 85 (revised value)   |
| VIT00003 | 3 - Medium (50% x 60)                | 2 - No (50% x 0)                   | 30                   |
| VIT00004 | 4 - Low (50% x 40)                   | 2 - No (50% x 0)                   | 20                   |
| VIT00005 | 5 - None (50% x 20)                  | 2 - No (50% x 0)                   | 10                   |

Note: When a field value is empty, the calculator uses the field's Default weight to compute the score. This gives a correct result in cases where the empty value would otherwise make the calculation incorrect.
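The following is an added example, not ServiceNow code, that models the risk rule calculator described above: it reproduces the first results table, applies the Default weight when a field value is empty (the VIT00005 case), and rescores after the "2 - High" breakdown is revised to 70. The field names and the sample vulnerable items are constructed from the tables on this page; the check that weightages total 100 is an assumption, not something the page states.

```python
from copy import deepcopy

# Constructed to match the first calculator table: field -> (weightage, weight breakdown).
CALCULATOR = {
    "Vulnerability.Severity": (50, {
        "Default": 20, "1 - Critical": 100, "2 - High": 80,
        "3 - Medium": 60, "4 - Low": 40, "5 - None": 20,
    }),
    "Vulnerability.Exploit Exists": (50, {"Default": 50, "Yes": 100, "No": 0}),
}

# Constructed vulnerable items. VIT00005's severity is left empty (None) so that,
# as the Note above describes, the Default weight is applied for that field.
VULNERABLE_ITEMS = {
    "VIT00001": {"Vulnerability.Severity": "1 - Critical", "Vulnerability.Exploit Exists": "Yes"},
    "VIT00002": {"Vulnerability.Severity": "2 - High",     "Vulnerability.Exploit Exists": "Yes"},
    "VIT00003": {"Vulnerability.Severity": "3 - Medium",   "Vulnerability.Exploit Exists": "No"},
    "VIT00004": {"Vulnerability.Severity": "4 - Low",      "Vulnerability.Exploit Exists": "No"},
    "VIT00005": {"Vulnerability.Severity": None,           "Vulnerability.Exploit Exists": "No"},
}

def field_weight(breakdown, value):
    """FV for one field value; an empty value falls back to the Default weight."""
    if value is None or value == "":
        return breakdown["Default"]
    if value not in breakdown:
        raise ValueError(f"no weight breakdown entry for value {value!r}")
    return breakdown[value]

def risk_score(calculator, item):
    """Risk Score = (sum over fields of W(field) * FV(field)) / 100, as on this page."""
    # Assumption (not stated on the page): field weightages are expected to total 100,
    # which keeps the resulting score on a 0-100 scale.
    if sum(w for w, _ in calculator.values()) != 100:
        raise ValueError("field weightages must total 100")
    total = sum(weightage * field_weight(breakdown, item.get(field))
                for field, (weightage, breakdown) in calculator.items())
    return total // 100

def score_all(calculator, items):
    """Score every vulnerable item: ID -> resultant risk score."""
    return {vit_id: risk_score(calculator, item) for vit_id, item in items.items()}

def revised_calculator(calculator, field, value, new_weight):
    """Copy of the calculator with one breakdown value changed, ready to be reapplied."""
    revised = deepcopy(calculator)
    revised[field][1][value] = new_weight
    return revised

if __name__ == "__main__":
    print(score_all(CALCULATOR, VULNERABLE_ITEMS))   # VIT00001..5 -> 100, 90, 30, 20, 10
    revised = revised_calculator(CALCULATOR, "Vulnerability.Severity", "2 - High", 70)
    print(score_all(revised, VULNERABLE_ITEMS))      # only VIT00002 changes, to 85
```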