A cyber risk score provides an objective framework for evaluating a security posture. By condensing those evaluations into a single, easy-to-grasp number, organizations can see how exposed their assets are and where they need to improve.
The ThreatWorx Attenu8 platform prioritizes vulnerabilities by assigning a risk score to each instance of a vulnerability that is determined to be impacting an asset. The score is a number between 0 and 100 (100 being the highest risk) and is assigned per vulnerability-asset pair, not per CVE, so the same CVE can carry different scores on different assets.
The risk score is a weighted average of several external and internal factors. External factors include the exploitability of the vulnerability (CVE), the level of exploit or weaponization, and its social temperature and dark web chatter. Internal factors describe the asset itself, such as its network location and distance from the internet. User-defined factors, such as the business criticality of the asset, are also taken into account.
The general formula for the risk score of a given vulnerability impacting an asset is:
R = ( ∑ wi × Fi + ∑ wj × Fj ) ⁄ ( ∑ wi + ∑ wj )
where wi are the weights assigned to the internal factors Fi and wj are the weights assigned to the external factors Fj. The whole weighted sum is divided by the total weight, which is what makes R a weighted average; for R to stay within 0 to 100, each factor F must itself be expressed on that 0 to 100 scale.
The risk score is calculated (or recalculated) whenever the platform detects a change in any external or internal factor of the vulnerability impact, i.e. a change in the vulnerability graph or a change in the asset attributes.
Asset risk is calculated as an aggregate of the risk scores of all vulnerabilities impacting that asset. Risk scores can also be aggregated across any selection of assets to produce a single risk score for that selection, e.g. the aggregate risk of all ‘Windows’ assets or of all assets carrying the ‘crown-jewels’ tag.
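The weighted-average formula and the asset roll-up, carried through in code as an added example; this is not ThreatWorx's or Attenu8's own implementation. It assumes factor values normalized to the 0 to 100 scale, invented factor names, weights and sample assets, and uses max as the roll-up rule, which the page does not specify:

```python
"""Worked example of the weighted-average risk score described above.

Added illustration, not ThreatWorx or Attenu8 code. The factor names, their
values, the weights and the roll-up rule (max) are assumptions made for the
example; only the formula R = (sum wi*Fi + sum wj*Fj) / (sum wi + sum wj)
comes from the page.
"""
from typing import Callable, Dict, Iterable, Tuple

# A factor is a (value, weight) pair. Values are assumed to be normalized to
# the 0..100 scale so that the weighted average R also lands in 0..100.
Factors = Dict[str, Tuple[float, float]]


def risk_score(internal: Factors, external: Factors) -> float:
    """R = (sum(wi * Fi) + sum(wj * Fj)) / (sum(wi) + sum(wj)), rounded to 2 dp."""
    clash = internal.keys() & external.keys()
    if clash:
        raise ValueError(f"factor named in both groups: {sorted(clash)}")
    merged = {**internal, **external}
    if not merged:
        raise ValueError("no factors supplied")
    for name, (value, weight) in merged.items():
        if not 0.0 <= value <= 100.0:
            raise ValueError(f"{name}: value {value} is not on the 0..100 scale")
        if weight < 0.0:
            raise ValueError(f"{name}: negative weight {weight}")
    total_weight = sum(weight for _, weight in merged.values())
    if total_weight == 0.0:
        raise ValueError("all weights are zero; R is undefined")
    weighted_sum = sum(value * weight for value, weight in merged.values())
    return round(weighted_sum / total_weight, 2)


def aggregate(scores: Iterable[float],
              rule: Callable[[Iterable[float]], float] = max) -> float:
    """Roll per-vulnerability scores up to an asset or asset-selection score.

    The page does not say which rule Attenu8 uses; max is this example's
    assumption, chosen so one critical finding is not diluted by many trivial
    ones. An empty selection scores 0.
    """
    scores = list(scores)
    return round(rule(scores), 2) if scores else 0.0


# Constructed example data: one CVE impacting two very different assets.
CVE_EXTERNAL: Factors = {
    "exploitability":     (90.0, 3.0),
    "weaponization":      (100.0, 3.0),  # public weaponized exploit exists
    "social_temperature": (60.0, 1.0),
    "dark_web_chatter":   (40.0, 1.0),
}
CROWN_JEWEL_INTERNAL: Factors = {
    "network_exposure":     (100.0, 2.0),  # internet facing, zero hops from the edge
    "business_criticality": (100.0, 2.0),  # user-defined 'crown-jewels' tag
}
LAB_HOST_INTERNAL: Factors = {
    "network_exposure":     (20.0, 2.0),   # several hops behind the firewall
    "business_criticality": (30.0, 2.0),
}


def crown_jewel_score(weaponization: float = 100.0) -> float:
    """Score for the crown-jewel asset. The weaponization factor can be
    overridden to show the recalculation that an external change (a newly
    published weaponized exploit) triggers."""
    external = dict(CVE_EXTERNAL)
    external["weaponization"] = (weaponization, CVE_EXTERNAL["weaponization"][1])
    return risk_score(CROWN_JEWEL_INTERNAL, external)


def lab_host_score() -> float:
    """Same CVE, same external factors, but a low-exposure, low-criticality host."""
    return risk_score(LAB_HOST_INTERNAL, CVE_EXTERNAL)


if __name__ == "__main__":
    before = crown_jewel_score(weaponization=20.0)  # proof of concept only
    after = crown_jewel_score()                      # exploit now weaponized
    print(f"crown jewel, PoC only:   {before}")
    print(f"crown jewel, weaponized: {after}")
    print(f"lab host, weaponized:    {lab_host_score()}")
    print(f"selection roll-up (max): {aggregate([after, lab_host_score()])}")
```

With these constructed inputs the crown-jewel asset scores 69.17 while only a proof of concept exists and 89.17 once the exploit is weaponized, while the same CVE on the lab host scores 64.17: identical external factors, different asset attributes, different score, which is the per-instance behaviour the page describes. The validation in risk_score matters in practice: an un-normalized factor (say a raw CVSS 9.8 next of a 0..100 chatter value) silently distorts the average rather than failing.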
Attenu8 risk scores therefore reflect the actual risk of a vulnerability as it is found to impact a particular asset, and help organizations prioritize remediation and improve their security posture.