In this article you will find:

  1. Vulnerability instance risk score calculation

  2. Single vulnerability risk calculation (impacts 1 or more assets)

  3. Single asset risk calculation (affected by 1 or more vulnerabilities)

  4. Business-group level risk calculation

  5. Organization level risk score calculation (multiple assets, multiple vulnerabilities)

  6. Risk levels


Vulnerability instance risk score

The individual risk associated with a single vulnerability on a single asset is defined as vulnerability instance risk, sometimes also referred to as 'atomic risk' or 'link risk'.

All risk calculations, SLAs and Playbooks are based on the vulnerability instance risk.

The risk is displayed next to the asset:


Risk calculation for a vulnerability-instance

In Vulcan, a vulnerability instance's risk score is a calculation of 4 factors:

  • Technical severity – CVSS or other scores as provided by the scanning vendor.
    > Scale - 1 to 10

  • Threats – Exploits, malware, OWASP Top 10 and other threat intelligence in the wild.
    > Scale - can only be 0 (zero) or 10
    > 10 will be given in either of these scenarios:
    - The vulnerability has known exploits or is defined as weaponized.
    - The vulnerability's CVE is linked to a CWE listed in OWASP's top ten threats.
    > 0 (zero) will be given in all other cases.

  • Tags – The impact (high, medium, low) of the tags on the vulnerable asset. This determines how impactful a breach via the vulnerability would be to your business. When multiple tags are assigned to the same asset, the tag with the highest impact is used.
    > Scale - 1 to 10
    1 - tags with low impact
    5 - tags with undefined impact
    5 - tags with normal impact
    10 - tags with high impact

To calculate the risk for a vulnerability-instance, Vulcan applies the weights defined in the settings to each of these factors.

For example:

> This vulnerability

> This asset

> Which has this tag

> And this weight definition

The resulting calculation will be

  • Technical severity = 9.3 (the CVSS score)

  • Threats = 10 (has exploits)

  • Tags = 10 (has high impact tag)

  • 9.3 * 0.35 + 10 * 0.35 + 10 * 0.35 = 9.755

The resulting score is then multiplied by 10.


Single vulnerability risk calculation

General

The risk for the vulnerability is a slightly elevated score compared with the average of the individual assets affected by the vulnerability. The aggregation is done with a formula which sums up all of your individual vulnerability instances and maps them to a logarithmic trendline.

Scenario #1

One asset for one vulnerability

Scenario #2

Two assets with high tag impacts, same vulnerability

Asset A with high impact tag: vulnerability-instance score = 85

Asset B with high impact tag: vulnerability-instance score = 85

Risk(85, 85) = 89

Scenario #3

Two assets with different tag impacts, same vulnerability

Asset A with high impact tag: vulnerability-instance score = 85

Asset B with low impact tag: vulnerability-instance score = 75

Risk(85, 75) = 85

Scenario #4

Fifteen assets with different tag impacts, same vulnerability

Asset 1-14 with high impact tag: vulnerability-instance score = 84

Asset 15 with low impact tag: vulnerability-instance score = 69

Risk(84,84,84,84,84,84,84,84,84,84,84,84,84,84,69) = 87


Single asset risk calculation

General

The risk for an asset is the maximum vulnerability-instance risk across all of the vulnerabilities impacting the asset.

Example #1 - asset with 6 vulnerabilities is marked with risk of 44

The top vulnerability-instance risk is scored at 44, the rest are lower

Example #2 - asset with 18 vulnerabilities is marked with risk score 99

The top vulnerability-instance risk is scored at 99, the rest are lower (96 and under)


Business-group level risk score calculation

General

The risk of a business group is calculated as the aggregated risk of all individual vulnerability-instances included in the group, excluding zero-risk vulnerability-instances.

Example #1 - business group has 5 vulnerabilities, with 6 vulnerability instances

Showing 5 vulnerabilities

Showing 6 vulnerability-instances

Calculation is based on aggregation of each individual vulnerability-instance.

Important - the calculation is NOT based on the vulnerability risks.

In this photo the aggregation will use the numbers on the right marking the vulnerability-instance risk scores, and NOT the ones on the left showing the vulnerability aggregate score.

Risk(91,86,86,86,51,51) = 80

Example #2 - business group has 2 vulnerabilities, with 14 vulnerability instances

Calculation is based on aggregation of each individual vulnerability-instance.

Vulnerability #1 details:

Risks for the vulnerability instances are 88, 58, 58, 88, 88, 88, 88

Vulnerability #2 details:

Risks for the vulnerability instances are 0, 0, 0, 0, 0, 0, 0

This means the vulnerability will be excluded from the aggregated calculation.

Total aggregated risk is

Risk(58,58,88,88,88,88,88,0,0,0,0,0,0,0) = Risk(58, 58, 88, 88, 88, 88, 88) = 84

Example #3 - business group has 727 vulnerabilities, with 765 vulnerability instances

Individual vulnerability-instance score chart

656 vulnerability instances have a risk score > 0.

109 have vulnerability instance score of 0.

Risk(765 vulnerability instances) = Risk(656 vulnerability instances > 0) = 49


Organization level risk score calculation

General

The risk for the entire organization is calculated in the same way as business group risk, while taking into account all vulnerability-instances.

Risk levels

To allow at-a-glance understanding of how much risk each group represents, Vulcan groups risk scores into buckets, very similarly to CVSS v3.0:

  • Critical - 90-100

  • High - 70-89

  • Medium - 40-69

  • Low - 1-39

  • None - 0

Each risk level is color-coded: red for Critical, orange for High, yellow for Medium and grey for Low.
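The vulnerability-instance formula, the per-asset maximum and the risk buckets above, as an added Python example (not Vulcan's code). Assumptions: settings weights of 0.35 / 0.35 / 0.30 (which sum to 1 and reproduce the 9.755 figure in the worked example), an untagged asset counts as "undefined" impact, and the final score is rounded to an integer and capped at 100; the logarithmic aggregation used for vulnerability and business-group risk is not specified in the article and is not reproduced here.

```python
from dataclasses import dataclass

# Tag impact scale exactly as the article lists it (1 / 5 / 5 / 10).
TAG_IMPACT_SCALE = {"low": 1, "undefined": 5, "normal": 5, "high": 10}


@dataclass(frozen=True)
class Weights:
    # Assumption: 0.35 / 0.35 / 0.30, i.e. the weights that sum to 1 and give
    # 9.3*0.35 + 10*0.35 + 10*0.30 = 9.755 as in the article's example.
    severity: float = 0.35
    threats: float = 0.35
    tags: float = 0.30


def threat_factor(has_exploit: bool, weaponized: bool, owasp_top10_cwe: bool) -> int:
    """Threats factor: 10 if any listed condition holds, otherwise 0."""
    return 10 if (has_exploit or weaponized or owasp_top10_cwe) else 0


def tag_factor(tag_impacts: list[str]) -> int:
    """Tags factor: the highest impact among the asset's tags.
    Assumption: an asset with no tags is treated as 'undefined' (5)."""
    if not tag_impacts:
        return TAG_IMPACT_SCALE["undefined"]
    return max(TAG_IMPACT_SCALE[impact.lower()] for impact in tag_impacts)


def instance_risk(cvss: float, has_exploit: bool, weaponized: bool,
                  owasp_top10_cwe: bool, tag_impacts: list[str],
                  w: Weights = Weights()) -> int:
    """Vulnerability-instance risk: weighted factors summed, then times 10.
    Assumption: rounded to an integer and capped at 100."""
    severity = min(max(cvss, 1.0), 10.0)  # article: technical severity scale 1 to 10
    raw = (severity * w.severity
           + threat_factor(has_exploit, weaponized, owasp_top10_cwe) * w.threats
           + tag_factor(tag_impacts) * w.tags)
    return min(round(raw * 10), 100)


def asset_risk(instance_scores: list[int]) -> int:
    """Asset risk = maximum vulnerability-instance risk on that asset."""
    return max(instance_scores, default=0)


def risk_level(score: int) -> str:
    """Map a 0-100 score to the article's buckets (Critical 90-100, High 70-89, ...)."""
    if score >= 90:
        return "Critical"
    if score >= 70:
        return "High"
    if score >= 40:
        return "Medium"
    return "Low" if score >= 1 else "None"
```

Calling `instance_risk(9.3, True, False, False, ["high"])` with these assumed weights gives 98, the article's worked example after the x10 step and rounding.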
