Why should you calculate risk

When prioritizing vulnerabilities, relying on CVSS alone is not enough. A vulnerability's impact is always contextual: exploiting the exact same vulnerability has a different impact in different environments, so the same vulnerability should be treated differently in each. Organizations should therefore prioritize vulnerabilities according to the specific risk they pose to their own environment, and the Vulcan platform calculates this risk for you automatically.

Vulcan's risk algorithm

Vulcan's risk algorithm combines several contextual attributes to produce a dynamic risk score for each vulnerability instance in your environment.

Our risk score is dynamic, personalized, and customizable. The platform lets you build your own risk model by setting weights for the different components of the algorithm according to your organization's own risk focus and risk appetite.

Vulcan's risk algorithm also applies uniformly across vulnerability types, whether infrastructure, AppSec, or container vulnerabilities: they are all rated on a single 0-100 scale.

How does Vulcan calculate risk for a vulnerability?

In Vulcan, a vulnerability instance's risk score is calculated from 3 factors:

  • Technical severity – CVSS or other scores as provided by the scanning vendor.

  • Threats – Exploits, malware, OWASP Top 10 and other threat intelligence in the wild.

  • Tags – The impact (High, Medium, Low) of the tags on the vulnerable asset. This determines how much a breach through this vulnerability would affect your business.

The risk model takes these 3 factors and, using the weights you set in accordance with your organization's risk focus and risk appetite, calculates your personalized risk score for this vulnerability instance.

How does Vulcan calculate risk for a vulnerability across all its instances, a Business Group, or the entire organization?

In order to measure progress across Business Groups and see which Business Groups carry more risk than others, Vulcan automatically aggregates the individual vulnerability instance scores into a single, consolidated risk score that represents the relative amount of risk in each Business Group. The same applies to the amount of risk in the entire organization.

The aggregation sums the scores of all your individual vulnerability instances and maps the sum onto a logarithmic trendline, so each additional finding raises the group's score by less than the previous one did.

Risk levels

To allow at-a-glance understanding of how much risk each group represents, Vulcan groups risk scores into buckets that mirror the CVSS v3.0 qualitative severity ratings, scaled to 0-100:

  • Critical - 90-100

  • High - 70-89

  • Medium - 40-69

  • Low - 1-39

  • None - 0

Each risk level is color-coded: red for Critical, orange for High, yellow for Medium and grey for Low.

Customizing risk model weights in the Settings page

In the Administration tab of the Settings page, use the table to set the weights of the three attributes that make up the risk algorithm:

  • Technical severity – CVSS or other scores as provided by the scanning vendor.

  • Threats – Exploits, malware, OWASP Top 10 and other threat intelligence in the wild.

  • Tags – The impact (High, Medium, Low) of tags on the vulnerable assets.

The three weights must add up to one.
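The following Python model is an added example, not Vulcan's code (the page does not publish the actual formula). It shows how the pieces described on this page fit together: three attributes combined under weights that must sum to one, the resulting 0-100 score bucketed into the risk levels listed above, and a group score that maps the sum of instance scores onto a saturating logarithmic curve. The component mappings (THREAT_SCORES, TAG_IMPACT), the medium default for untagged assets, the saturation constant and every function and field name are assumptions made for illustration; the sample findings are constructed.

```python
"""Illustrative weighted risk model on a 0-100 scale.

Added example, not Vulcan's algorithm: the component mappings, the
untagged-asset default and the aggregation curve are assumptions.
"""
from dataclasses import dataclass
from math import isclose, log1p
from typing import Optional


def risk_level(score: float) -> str:
    """Bucket a 0-100 score into the levels listed on the page."""
    if score <= 0:
        return "None"
    if score >= 90:
        return "Critical"
    if score >= 70:
        return "High"
    if score >= 40:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Weights:
    """Weights for the three risk-model attributes; they must add up to one."""
    severity: float
    threats: float
    tags: float

    def __post_init__(self) -> None:
        parts = (self.severity, self.threats, self.tags)
        if min(parts) < 0 or not isclose(sum(parts), 1.0, abs_tol=1e-9):
            raise ValueError(f"weights must be non-negative and sum to 1, got {sum(parts):.3f}")


# ASSUMED mappings of each attribute onto 0-100 (the page does not publish Vulcan's).
THREAT_SCORES = {"exploit": 100, "malware": 90, "owasp_top10": 60}
TAG_IMPACT = {"high": 100, "medium": 60, "low": 30}


@dataclass(frozen=True)
class Instance:
    """One vulnerability instance: a single finding on a single asset."""
    vuln: str                               # placeholder finding label
    asset: str
    cvss: float                             # technical severity from the scanner, 0-10
    threats: frozenset = frozenset()        # threat-intel flags seen for this vulnerability
    tag_impact: Optional[str] = None        # impact of the asset's tags: high/medium/low

    def components(self) -> tuple[float, float, float]:
        severity = max(0.0, min(10.0, self.cvss)) * 10.0  # 0-10 -> 0-100
        threats = max((THREAT_SCORES[t] for t in self.threats if t in THREAT_SCORES), default=0)
        # ASSUMPTION: an untagged asset is scored as medium impact, so a gap in
        # asset tagging does not silently make a finding look harmless.
        tags = TAG_IMPACT[self.tag_impact or "medium"]
        return severity, float(threats), float(tags)


def instance_score(inst: Instance, w: Weights) -> float:
    """Weighted combination of the three components, still on the 0-100 scale."""
    severity, threats, tags = inst.components()
    return round(w.severity * severity + w.threats * threats + w.tags * tags, 1)


def aggregate_score(scores: list[float], saturation: float = 10_000.0) -> float:
    """ASSUMED aggregation: sum the instance scores and place the sum on a
    logarithmic curve that reaches 100 when the sum hits `saturation`
    (100 instances scored Critical), so each extra finding adds less than the last."""
    total = sum(scores)
    if total <= 0:
        return 0.0
    return round(min(100.0, 100.0 * log1p(total) / log1p(saturation)), 1)


# Constructed sample: the same finding on two assets with different business
# impact, plus an unrelated medium-severity finding with no known threats.
SAMPLE = [
    Instance("vuln-a", "db-prod-01", cvss=9.8, threats=frozenset({"exploit"}), tag_impact="high"),
    Instance("vuln-a", "build-agent-07", cvss=9.8, threats=frozenset({"exploit"}), tag_impact="low"),
    Instance("vuln-b", "intranet-wiki", cvss=5.3, tag_impact="medium"),
]


def score_group(instances: list[Instance], w: Weights) -> tuple[list[tuple[str, str, float, str]], float]:
    """Score every instance under one weight profile and aggregate the group."""
    rows = [(i.vuln, i.asset, s, risk_level(s))
            for i in instances for s in (instance_score(i, w),)]
    return rows, aggregate_score([r[2] for r in rows])


if __name__ == "__main__":
    # Two weight profiles: severity-led versus business-impact-led.
    for name, w in (("balanced", Weights(0.4, 0.3, 0.3)),
                    ("business-first", Weights(0.2, 0.2, 0.6))):
        rows, group = score_group(SAMPLE, w)
        print(f"{name}: group risk {group} ({risk_level(group)})")
        for vuln, asset, score, level in rows:
            print(f"  {vuln} on {asset}: {score} ({level})")
```

Running it shows the point the page makes: under the balanced profile the same finding scores Critical on the tagged production database but only High on the low-impact build agent, and moving weight from severity to tags under the business-first profile drops the build-agent instance to Medium. The weight check in `Weights.__post_init__` is the guard a practitioner wants when weights are edited by hand.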
