![Holm Security Yellow.png]](https://support.holmsecurity.com/hs-fs/hubfs/Holm%20Security%20logos/Holm%20Security%20Yellow.png?height=40&name=Holm%20Security%20Yellow.png){kind=small}
How do the account risk score and asset risk score work?
The Account Risk Score consolidates risk across all customer assets into a single 1–100 figure for clear trend tracking and like-for-like comparisons between accounts. It is optimized to reflect real exposure while remaining easy to interpret.
Risk Score for Asset Groups – Customer Perspective
What number am I seeing?
All assets (Account Risk Score): A single 1–100 number for the entire account, calculated from all assets using rank-based geometric weighting so the highest risks drive the result, with an anti-dilution safeguard.
Subset / Tag Risk Score: A 1–100 number for the assets you’ve selected (for example, one or several tags), computed as the 99th percentile (P99) of per-asset risk in that selection – effectively focusing on the top ~1% of assets by risk.
Trends over time (for subsets): In each period (weekly, monthly, etc.), each asset contributes its period-high (MAX) risk; the subset score is P99 of those values.
Common scenarios
- One asset vs multiple assets
- One asset: you see that asset’s own 1–100 risk.
- Multiple assets: you see P99 of the assets in your selection – a view of the upper tail, not an average.
- Five tags together vs one tag
- One tag: P99 on assets with that tag.
- Five tags: P99 on all assets in the combined. The result can be higher or lower than any single tag because it reflects the top end of the combined set, not an average of tag scores.
All assets is X, five selected tags is Y – why?
They use different datasets and combination methods:- All assets: rank-weighted account method.
- Selected tags: P99 on the selected assets.
How can I understand what’s building up the score?
Within any view, the highest-risk assets dominate the number (account: via high weights; subset: by sitting at or above P99). Changing the selection changes which assets contribute; if the score rises, the added assets include higher-risk items, and vice versa. In time charts, each period reflects period-high (MAX) risks per asset, then P99 across them, high-impact spikes remain visible.
Accuracy note
The P99-based subset score tracks the account method with <4% error across representative datasets and is suitable for subset-level reporting, while the account score remains the whole-account benchmark.
In-depth description
Assets are ranked from highest to lowest risk, then combined using position-based geometric weighting so items at the top exert substantially more influence than those in the long tail. This ensures a small number of serious issues drive the score, while lower-risk assets still have a diminishing but non-zero effect. The final value is normalized to 1–100, with tunable parameters used only to calibrate sensitivity, not to obscure results.
To prevent large fleets of very low- or zero-risk assets from diluting the outcome, the model includes a safeguard: when “safe” assets exceed ~30% of the total, only a magnitude-based number of the highest, risk-bearing assets influence the score. This keeps the metric focused on exposures that matter operationally and financially. The score is monotonic with remediation: fixing issues always reduces the score, with top risk fixes producing the most visible improvements. This gives stakeholders an auditable, outcome-oriented indicator for prioritization and progress reporting.
The Subset (Tag) Risk Score provides a focused view of risk for logical asset groupings (customer-defined tags) on the same 1–100 scale as the account score. For each tag, we compute the 99th percentile (P99) of per-asset risk using PostgreSQL’s native percentile aggregation. This captures the upper tail of risk in that subset, emphasizing the highest-risk assets while remaining efficient for frequent recalculation in volatile tag memberships.
We use P99 because the full account algorithm (position-weighted combination) is too intensive to run repeatedly across many changing subsets, whereas database-level percentile aggregation offers linear performance and operational simplicity. In validation against the account-wide method, the P99-based tag score shows <4% mean absolute relative error across representative historical datasets. It is therefore an acceptable replacement for the account algorithm in subset-level reporting and dashboards, while the account-level score remains the formal benchmark for whole-account risk.
The time-aggregated Subset (Tag) Risk Score lets customers visualize how risk evolves within any logical asset grouping across a chosen horizon (for example, weekly or monthly), on the same 1–100 scale as other scores for easy comparison and trend analysis.
Methodology
For each asset, we roll up its per-asset risk values within each time bucket using PostgreSQL’s MAX aggregation to obtain one value per asset per period that reflects the highest observed risk. For a given tag and time bucket, we then compute P99 of those per-asset, per-period values to form the subset score for that period.
Rationale
Using MAX ensures significant risk spikes within a period are captured rather than averaged away, aligning with the goal of highlighting consequential risks. This approach is operationally simple, consistent with practices elsewhere in the platform, and scales well across many tags and time resolutions. It does not change the core subset methodology: P99 still combines assets within each period; MAX only defines the per-asset input for that period.
Scope and interpretation
Each period’s value represents the worst risk posture observed for that subset in that interval. As high-risk conditions are remediated, subsequent periods show improvement on the same 1–100 scale, while short-lived but significant exposures remain visible in historical trends.