Severity calculators

Severity calculators are available to help you calculate a security incident's severity based on pre-defined formulas.

The base system ships with the following sample severity calculators.

Table 1. Severity calculators in the base system

| Severity calculator name | Purpose | Type of calculation used |
|---|---|---|
| Business Impacted | If the affected item in the security incident is associated with the Sales, Finance, and HR business units, the Severity field is elevated to 1 - High. | Simple condition builder. |
| Critical service affected | If the affected item in the security incident is associated with a highly critical business service, the Risk, Impact, Priority, and Severity fields are elevated as defined by the calculator. | Advanced condition. |
| Critical service changes | If the affected item in the security incident is associated with a most critical or somewhat critical business service, the Risk, Impact, Priority, and Severity fields are elevated as defined by the calculator. | Advanced condition. If the security incident meets the conditions, a script runs to define what levels the fields should be elevated to. |
| Multi Attack Vectors | If the affected item in the security incident is associated with web, email, and impersonation attack vectors, the Risk, Impact, Priority, and Severity fields are elevated as defined by the calculator. | Simple condition builder. |

When you create a new security incident, the Risk, Impact, Priority, and Severity fields contain default values. When you save the incident, a business rule automatically validates the information in the security incident against conditions defined in each of your active severity calculators. The calculators are validated one at a time, in the order defined by the Order field in each calculator. If information in the security incident matches the conditions defined in one of the calculators, the severity field values are updated according to the rules set up in the calculator.

For example, assume you create a security incident for an affected CI and the CI is highly critical. When the security incident is saved, the CI information is compared to the conditions defined in the severity calculators. When the security incident is validated against the Critical service affected severity calculator, the severity fields are automatically updated, and a message about the update appears at the top of the security incident.

Figure 1. Updated severity based on calculator

For example, the message could say something like, "Severity Calculation applied: Critical services changes; Risk: High; impact: 1-High; Priority: 1-Critical; Severity: 1-High."
Use these severity calculators as is or edit them to more closely meet the needs of your business. For example, if you want to identify web and email threats that are specific to the Finance business unit, make these changes to the conditions of the Multi Attack Vectors calculator:
  • [Attack Vector] [contains] [Web]
  • [Attack Vector] [contains] [Email]
  • [Business Unit] [contains] [Finance]
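The following stand-alone JavaScript is an added example, not ServiceNow code and not part of the original page. It simulates what the text above describes: the four sample calculators are evaluated against an incident record in Order-field sequence, a matching calculator elevates the severity fields (either with fixed values or, for Critical service changes, with a script that computes the levels), and a message like the one shown is produced. It also applies the Finance-specific customization of Multi Attack Vectors listed just above. The field values, the Order numbers, the elevation levels, and the rule that the first matching calculator wins are all assumptions made for the example; the real business rule and the Glide APIs are not used here so that the code runs offline in Node.

```javascript
// Added example (constructed; not ServiceNow's business rule). Simulates ordered
// severity-calculator evaluation against a security incident record.

// Assumed default values that a new security incident carries before any calculator runs.
const DEFAULTS = { risk: 'Moderate', impact: '3 - Low', priority: '4 - Low', severity: '3 - Low' };

// Simple-condition helper: every listed term must appear in the field value,
// mirroring "[Attack Vector] [contains] [Web]" style conditions.
function containsAll(fieldValue, terms) {
  const haystack = String(fieldValue || '').toLowerCase();
  return terms.every(term => haystack.includes(term.toLowerCase()));
}

// Constructed calculators modelled on the four samples from Table 1.
// Order values and elevation levels are assumptions for the example.
const CALCULATORS = [
  {
    name: 'Critical service affected', order: 100, active: true,
    condition: inc => inc.businessCriticality === '1 - most critical',
    elevate: () => ({ risk: 'High', impact: '1 - High', priority: '1 - Critical', severity: '1 - High' }),
  },
  {
    name: 'Critical service changes', order: 200, active: true,
    condition: inc => ['1 - most critical', '2 - somewhat critical'].includes(inc.businessCriticality),
    // "Script" variant: the levels are computed from the record rather than fixed.
    elevate: inc => inc.businessCriticality === '1 - most critical'
      ? { risk: 'High', impact: '1 - High', priority: '1 - Critical', severity: '1 - High' }
      : { risk: 'High', impact: '2 - Medium', priority: '2 - High', severity: '2 - Medium' },
  },
  {
    name: 'Multi Attack Vectors', order: 300, active: true,
    condition: inc => containsAll(inc.attackVector, ['Web', 'Email', 'Impersonation']),
    elevate: () => ({ risk: 'High', impact: '1 - High', priority: '1 - Critical', severity: '1 - High' }),
  },
  {
    name: 'Business Impacted', order: 400, active: true,
    condition: inc => ['Sales', 'Finance', 'HR'].includes(inc.businessUnit),
    elevate: () => ({ severity: '1 - High' }),   // only the Severity field is raised
  },
];

// Evaluate active calculators one at a time in Order sequence. Assumption: the
// first calculator whose condition matches is applied and evaluation stops.
function applySeverityCalculators(incident, calculators = CALCULATORS) {
  const result = { ...DEFAULTS, ...incident, applied: null, message: null };
  const ordered = calculators.filter(c => c.active).sort((a, b) => a.order - b.order);
  for (const calc of ordered) {
    if (!calc.condition(result)) continue;
    Object.assign(result, calc.elevate(result));
    result.applied = calc.name;
    result.message = `Severity Calculation applied: ${calc.name}; Risk: ${result.risk}; ` +
      `Impact: ${result.impact}; Priority: ${result.priority}; Severity: ${result.severity}`;
    break;
  }
  return result;
}

// The customization from the page: restrict Multi Attack Vectors to web and
// email threats that are specific to the Finance business unit.
function financeMultiAttackVectors(calculators = CALCULATORS) {
  return calculators.map(c => c.name !== 'Multi Attack Vectors' ? c : {
    ...c,
    condition: inc => containsAll(inc.attackVector, ['Web', 'Email'])
      && containsAll(inc.businessUnit, ['Finance']),
  });
}

// Constructed sample incident: a somewhat-critical service hit by web and email vectors.
const sample = { businessCriticality: '2 - somewhat critical', attackVector: 'Web, Email', businessUnit: 'Finance' };
console.log(applySeverityCalculators(sample).message);
console.log(applySeverityCalculators({ ...sample, businessCriticality: '3 - less critical' }, financeMultiAttackVectors()).message);
```

Because evaluation follows the Order field, the customized Multi Attack Vectors calculator (order 300) catches a Finance web-and-email incident before Business Impacted (order 400) would, and it raises Risk, Impact and Priority rather than only Severity; with the unmodified calculators the same incident falls through to Business Impacted. Check the Order values on your own calculators when a customization seems not to take effect.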

You can also update the severity values in an existing security incident at any time by opening the record and clicking the Calculate Severity related link.