Security incident risk score calculations

The risk score is calculated as an arithmetic mean. It represents the risk based on priority, type of security incident, and number of sources that triggered a failed reputation score on an indicator. The risk score aids in prioritizing security incident work for analysts.

Two security incident calculators, Set priority with category and services and Set priority with observables, calculate the risk score for a security incident. The following business rules also trigger automatic recalculation of risk scores:
  • Calculate Severity
  • Update risk score
  • Update SI risk score
Note: The risk calculator available in the base system depends on your Security Operations pricing tier.
When you look at a list of security incidents in the base system, notice the Risk score column.
Figure 1. Security Incidents (screenshot: Security Incidents and risk scores)
The risk score is calculated using weights defined in Risk score configuration.
Figure 2. Risk score configuration (screenshot: Risk score weights)

For example, a security incident has a Business impact set to 2-High and a Priority set to 3-Moderate. The corresponding weights are looked up in the Risk Score Weights table and averaged:
  • Security Incident Business Impact with a value of 2 = a weight of 60.
  • Security Incident Priority with a value of 3 = a weight of 40.

(60 + 40) / 2 = a risk score of 50.

The position of the security incident in the security incident list is then reordered based on its updated risk score.

If, in the example above, the Business impact or Priority of the security incident are changed, the risk score is recalculated, and the changes are reflected in the work notes.
Figure 3. Work notes (screenshot: Work notes after risk score calculation)
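The following script is an added illustration of the calculation and work-note behaviour described above; it is not ServiceNow's own implementation. Only the two weights on this page (Business impact 2 = 60, Priority 3 = 40) are taken from the page; the remaining weights, the field names, and the `updateRiskScore` helper are constructed assumptions.

```javascript
// Constructed weights table standing in for the Risk Score Weights form.
// Only business_impact 2 -> 60 and priority 3 -> 40 come from the page;
// every other entry is a placeholder value chosen for illustration.
const RISK_SCORE_WEIGHTS = {
  business_impact: { 1: 80, 2: 60, 3: 40, 4: 20 },
  priority: { 1: 80, 2: 60, 3: 40, 4: 20, 5: 10 },
  severity: { 1: 80, 2: 60, 3: 40 }, // hidden by default, scored only if set
};

// Arithmetic mean of the weights looked up for each scored field that has a
// value. Fields left empty are skipped rather than counted as zero, so a
// partially filled incident is still scored on what is known.
function calculateRiskScore(incident, weights = RISK_SCORE_WEIGHTS) {
  const lookedUp = [];
  for (const field of Object.keys(weights)) {
    const value = incident[field];
    if (value === undefined || value === null) continue;
    const weight = weights[field][value];
    if (weight === undefined) {
      throw new Error(`no weight configured for ${field}=${value}`);
    }
    lookedUp.push(weight);
  }
  if (lookedUp.length === 0) return null; // nothing to score yet
  return lookedUp.reduce((sum, w) => sum + w, 0) / lookedUp.length;
}

// Recalculates the score and, only when it actually changes, records the
// change in the incident's work notes (constructed helper, not a business rule).
function updateRiskScore(incident, weights = RISK_SCORE_WEIGHTS) {
  const before = incident.risk_score;
  const after = calculateRiskScore(incident, weights);
  if (after === before) return incident;
  incident.risk_score = after;
  incident.work_notes.push(`Risk score changed from ${before} to ${after}`);
  return incident;
}

// Constructed sample incident matching the worked example on the page.
const sampleIncident = {
  business_impact: 2, // 2-High
  priority: 3, // 3-Moderate
  risk_score: null,
  work_notes: [],
};
updateRiskScore(sampleIncident); // risk_score becomes (60 + 40) / 2 = 50
```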
Work notes are updated when the following fields are changed (causing the risk score to be updated):
  • Business impact on the Security Incident form
  • Priority on the Security Incident form
  • Severity on the Security Incident form (hidden by default)
  • Business impact on the Affected Users related list
  • Business impact on the Affected Services related list
  • Business impact on vulnerabilities on the Vulnerable items related list
Work notes are updated in the following situations:
  • When an association between affected users and a security incident is created or modified.
  • When an association between affected services and a security incident is created or modified.
  • When an association between vulnerable items and a security incident is created or modified.

Work notes are also updated whenever Update All Risk Scores and Clear All Risk Scores on the Risk Score Weights form are clicked.