Business risk is calculated based on the severity of the vulnerability in relation to the business impact set on the asset or a related tag.
This value is set on the host under Assets in the main menu. Click edit on the asset and change the Business impact under the General Information tab.
This is how the calculation is done.
Business impact level and value conversion
The business impact level is translated into the following values.
Neutral: 2 (default if not changed manually)
Severity and value conversion
The severity level is translated into the following values.
Calculation of points
Calculation of points is done like this: Business impact * severity
- Business impact: medium (4)
- Severity: high (3)
- Calculation: 4 * 3 = 12
Business risk to percentage conversion
- 32 points = 100 %
- 0 points = 0 %
In other words, one (1) point equals 3,125.
- 12 points = 37,5
Percentage to overall business risk level conversion
76-100 %: critical
51-75 %: high
26-50 %: medium
1-25 %: low
- 37,5 = medium
Hierarchy for business impact
Hierarchy for business impact in relation to assets and tags.
- Business impact set on the asset have the highest priority.
- If no business impact is set on the asset the highest business impact set on related tags is used.