How is the overall business risk value calculated?

Business risk is calculated based on the severity of the vulnerability in relation to the business impact set on the asset or a related tag.

The business impact is set on the host under Assets in the main menu. Click edit on the asset and change the Business impact under the General Information tab.

This is how the calculation is done.

Business impact level and value conversion
The business impact level is translated into the following values.
High: 8
Medium: 4
Neutral: 2 (default if not changed manually)
Low: 1

Severity and value conversion
The severity level is translated into the following values.
Critical: 4
High: 3
Medium: 2
Low: 1

Calculation of points
Calculation of points is done like this: Business impact * severity

Example:

  • Business impact: medium (4)
  • Severity: high (3)
  • Calculation: 4 * 3 = 12

Business risk to percentage conversion

  • 32 points = 100 %
  • 0 points = 0 %

In other words, one (1) point equals 3.125 %.

Example:

  • 12 points = 37.5 %

Percentage to overall business risk level conversion
76-100 %: critical 
51-75 %: high
26-50 %: medium
1-25 %: low

Example:

  • 37.5 % = medium

Hierarchy for business impact
Hierarchy for business impact in relation to assets and tags.

  • Business impact set on the asset has the highest priority.
  • If no business impact is set on the asset, the highest business impact set on related tags is used.
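
The whole calculation, including the asset/tag hierarchy, as an added Python example (not the product's own code). The function names, the use of None for "no business impact set on the asset", and the fallback to Neutral when neither the asset nor any tag has a value are assumptions made for illustration.

```python
# Added example; names and sample findings are constructed, not from the product.
IMPACT = {"high": 8, "medium": 4, "neutral": 2, "low": 1}
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
MAX_POINTS = IMPACT["high"] * SEVERITY["critical"]  # 32 points = 100 %


def effective_impact(asset_impact=None, tag_impacts=()):
    """Apply the hierarchy: the asset's own setting wins, else the highest tag."""
    if asset_impact is not None:
        return asset_impact.lower()
    if tag_impacts:
        return max((t.lower() for t in tag_impacts), key=IMPACT.__getitem__)
    return "neutral"  # assumption: default level when nothing is set anywhere


def business_risk(severity, asset_impact=None, tag_impacts=()):
    """Return (points, percent, level) for one vulnerability on one asset."""
    impact = effective_impact(asset_impact, tag_impacts)
    points = IMPACT[impact] * SEVERITY[severity.lower()]
    percent = points * 100 / MAX_POINTS  # one point equals 3.125 %
    # Every reachable percentage (3.125 ... 100) falls inside one of the bands,
    # so upper-bound comparisons are enough.
    if percent > 75:
        level = "critical"
    elif percent > 50:
        level = "high"
    elif percent > 25:
        level = "medium"
    else:
        level = "low"
    return points, percent, level


if __name__ == "__main__":
    # Constructed findings: (severity, impact on asset, impacts on related tags)
    findings = [
        ("high", "medium", []),             # the example from the text
        ("critical", None, ["low", "high"]),  # no asset value: highest tag wins
        ("high", "low", ["high"]),          # asset value overrides the tags
        ("medium", None, []),               # nothing set: Neutral
    ]
    for sev, asset, tags in findings:
        points, percent, level = business_risk(sev, asset, tags)
        print(f"{sev:8} asset={asset} tags={tags}: "
              f"{points} points = {percent} % = {level}")
```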