Device Risk Score Computation
The risk computation algorithms are proprietary; this section presents only the settings a user can adjust to change the score.
Risk score components
The following factors affect the risk score of a device:
- Device Importance (also called Asset Weight)
- Count and CVSS Score for non-remediated vulnerabilities found for that device
- Severity and Frequency of Security incidents triggering with that device as source or destination
- Severity and Frequency of Other (performance, availability and change) incidents triggering on that device
Overall Score (0-100) is a weighted average of 3 components – Vulnerability Score, Security Incident Score and Other Incident Score, computed as follows.
User controllable constants
- Device Importance – this can be set in CMDB > Device > Summary. You can select multiple devices and set the Importance in one shot.
Values are:
- Mission Critical – 10
- Critical – 7
- Important – 4
- Normal – 1
- Relative weights of Vulnerabilities, Security and Other incidents to the risk score. The default values of the constants are defined in phoenix_config.txt:
- vul_weight = 0.6
- security_inci_weight = 0.3
- other_inci_weight = 0.1
- Maximum number of high-severity events that a mission-critical host can tolerate for each of the 3 score components. These default thresholds are defined in phoenix_config.txt:
- vul_threshold = 1
- security_inci_threshold = 3
- other_inci_threshold = 6
Time varying Risk score
Risk scores are computed for each day. The current risk score is an exponentially weighted average of today’s risk and yesterday’s risk.
The algorithm also reduces the score for earlier vulnerabilities that are now patched. Such vulnerabilities have a weight of 0.7, while new vulnerabilities and old vulnerabilities that still exist have a weight of 1.