Risk score calculation example for Vulnerability Response

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Risk score calculation example for Vulnerability Response

    This example demonstrates how ServiceNow Vulnerability Response calculates risk scores using customizable risk rule calculators based on vulnerability and asset data specific to your organization. It illustrates how different field values and their weightages combine to produce an overall risk score for each vulnerable item.

    Show full answer Show less

    Risk Score Calculation Method

    The risk score is computed using the formula:

    Risk Score = (Weight of Severity × Field Value of Severity) + (Weight of Exploit Exists × Field Value of Exploit Exists) / 100

    where weights and field values are percentages assigned to specific vulnerability attributes.

    Example Configuration and Results

    • Fields and weightages: Vulnerability Severity (50%), Vulnerability Exploit Exists (50%)
    • Severity weight breakdown: Critical=100%, High=80%, Medium=60%, Low=40%, None/Default=20%
    • Exploit Exists weight breakdown: Yes=100%, No=0%, Default=50%

    Using the above setup, example vulnerabilities with different severities and exploit statuses receive corresponding risk scores. For instance, a critical vulnerability with an exploit gets a maximum score of 100, while a low severity without an exploit scores 20.

    Impact of Adjusting Weightages

    Changing the weight breakdown—for example, lowering the High severity from 80% to 70%—automatically updates the risk scores for applicable vulnerabilities. This flexibility lets you tailor risk calculations to reflect your organizational priorities and risk tolerance.

    What This Enables You to Do

    • Customize risk scoring logic based on vulnerability severity and exploit presence.
    • Quantify and prioritize vulnerabilities consistently using a transparent, formula-based approach.
    • Adjust weightages dynamically to align risk scores with evolving security policies or threat landscapes.

    By understanding and applying this calculation method, you can ensure that your vulnerability risk scores accurately reflect your organization's unique context and support informed remediation decisions.

    You can determine the risk score calculators to generate risk scores that use the vulnerability and asset data unique to your organization.

    Example of determining risk rule calculators scores

    The following example demonstrates how scores for risk rule calculators are determined.

    Assume that a risk rule calculator is configured with the fields in this table:
    Field Weightage Weight breakdown
    Vulnerability.Severity 50

    Default: 20

    1 - Critical: 100

    2 - High: 80

    3 - Medium: 60

    4 - Low: 40

    5 - None: 20
    Vulnerability.Exploit Exists 50

    Default: 50

    Yes: 100

    No: 0
    Also, assume that the vulnerable items that are shown in this table are present in the system:
    ID Vulnerability severity Vulnerability exploit exists
    VIT00001 1 - Critical 1 - Yes
    VIT00002 2 - High 1 - Yes
    VIT00003 3 - Medium 2 – No
    VIT00004 4 - Low 2 – No
    VIT00005 5 - None 2 – No
    The risk score calculation for the vulnerable items is calculated based on the formula:

    Risk Score = (W(severity) * FV (severity). + W(exploitexists) * FV(exploit exists)) / 100

    where W is the weight and FV is the weight percentage of the field value.

    The resulting risk score for these vulnerable items is described in this table:

    ID Vulnerability severity (50%) Vulnerability exploit exists (50%) Resultant risk score
    VIT00001 1 – Critical (50% x 100) 1 – Yes (50% x 100) 100
    VIT00002 2 – High (50% x 80) 1 – Yes (50% x 100) 90
    VIT00003 3 – Medium (50% x 60) 2 – No (50% x 0) 30
    VIT00004 4 – Low (50% x 40) 2 – No (50% x 0) 20
    VIT00005 5 - None (50% x 20) 2 – No (50% x 0) 10
    Note:
    For VIT00005, because the value of the severity is empty, the default weightage is applied.

    If the weightage percentage is changed for one of the field values, see this table for the results:

    Field Weightage Weight breakdown
    Vulnerability.Severity 50
    • Default: 20
    • 1 - Critical: 100
    • 2 - High: 70

      *revised value

    • 3 - Medium: 60
    • 4 - Low: 40
    Vulnerability.Exploit Exists 50
    • Default: 50
    • Yes: 100
    • No: 0

    The risk score for the vulnerable items after reapplying the calculator is shown in this table:

    ID Vulnerability severity (50%) Vulnerability exploit exists (50%) Resultant risk score
    VIT00001 1 – Critical (50% x 100) 1 – Yes (50% x 100) 100
    VIT00002 2 – High (50% x 70)

    *revised value

    		 1 – Yes (50% x 100) 85

    *revised value
    VIT00003 3 – Medium (50% x 60) 2 – No (50% x 0) 30
    VIT00004 4 – Low (50% x 40) 2 – No (50% x 0) 20
    VIT00005 5 - None (50% x 20) 2 – No (50% x 0) 10