# Risk Scores
In cybersecurity, risk is more than just the number of findings. It’s the combination of findings, the threat landscape, and the value of the assets to your business.
In the NetSPI Platform, you'll find your risk score presented in the following three ways to help maximize your coverage.
- Engagement risk score: The Engagement Risk Score represents the severity of all the findings in your engagement.
- Asset risk score: The risk of any given asset is determined by the number and severity of findings associated with that asset.
- Overall Client Risk Score: The overall risk to your organization, as measured by your vulnerability score, remediation score, and industry score.
See the sections below for details.
# Risk score methodology
NetSPI Platform risk scores are assessed on a scale from 0 to 1000. The higher the score, the higher your risk, where 0 means no risk and 1000 means the maximum risk.
The number and severity of findings are at the root of all risk scores. A finding may be deemed “critical” in the sense that it’s easy to exploit, but if the asset that is impacted by that finding/exploit is not essential to business continuity or data privacy, then the risk of that asset should be considered minimal.
The NetSPI Platform provides three overall scores (
The underlying risk scores can most clearly be seen on the Overview tab for any of your engagements, when you expand the Risk Score card to display them.
The table below provides a brief description of how the underlying risk scores are derived.
# Engagement risk score
The engagement risk score can be seen in the Engagements table (PTaaS -> Engagements (Engagements table)) and the Engagement details page.
The Engagement risk score is determined by the severity weight of all the findings in the engagement. Each severity level has a weight associated with it.
Finding severity levels are set to one of the following:
- Urgent
- Critical
- High
- Medium
- Low
- None
- Informational
- Ignore
The Engagement Risk Score is one of three overall risk scores, all three of which are calculated based on three separate underlying risk scores: a vulnerability score, a remediation score, and an industry score, where a different weight is applied to each given overall risk score.
See
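The methodology above states only that each severity level carries a weight, that findings are summed per engagement and per asset, and that scores run from 0 to 1000. The following added example (not NetSPI's code; the weights, the clamping rule and the asset criticality factor are all assumptions for illustration) shows how such a model behaves, including why the same critical finding can yield a minimal asset score when the affected asset is not business-essential.

```python
from dataclasses import dataclass

# Assumed, illustrative weights per severity level. NetSPI does not publish
# its weights; these are placeholders covering the page's eight levels.
SEVERITY_WEIGHT = {
    "Urgent": 400, "Critical": 250, "High": 100, "Medium": 40,
    "Low": 10, "None": 0, "Informational": 0, "Ignore": 0,
}
MAX_SCORE = 1000  # scores are presented on a 0..1000 scale


@dataclass
class Finding:
    title: str
    severity: str
    asset: str


def severity_weight(severity: str) -> int:
    """Map a severity label to its weight; reject labels outside the scale."""
    if severity not in SEVERITY_WEIGHT:
        raise ValueError(f"unknown severity level: {severity!r}")
    return SEVERITY_WEIGHT[severity]


def engagement_risk_score(findings: list[Finding]) -> int:
    """Sum of severity weights across every finding, clamped to 0..1000."""
    return min(MAX_SCORE, sum(severity_weight(f.severity) for f in findings))


def asset_risk_score(findings: list[Finding], asset: str, criticality: float) -> int:
    """Severity-weighted findings on one asset, scaled by an assumed business
    criticality in [0.0, 1.0] so that non-essential assets score lower."""
    if not 0.0 <= criticality <= 1.0:
        raise ValueError("criticality must be between 0.0 and 1.0")
    raw = sum(severity_weight(f.severity) for f in findings if f.asset == asset)
    return min(MAX_SCORE, round(raw * criticality))


# Constructed sample findings for one hypothetical engagement.
SAMPLE_FINDINGS = [
    Finding("Injection flaw in login form", "Critical", "payments-api"),
    Finding("Default administrative credentials", "Urgent", "payments-api"),
    Finding("Verbose server banner", "Informational", "payments-api"),
    Finding("Outdated JavaScript library", "Medium", "marketing-site"),
    Finding("Reflected cross-site scripting", "Critical", "marketing-site"),
    Finding("Duplicate of an accepted finding", "Ignore", "marketing-site"),
]

if __name__ == "__main__":
    print(engagement_risk_score(SAMPLE_FINDINGS))                    # 940
    print(asset_risk_score(SAMPLE_FINDINGS, "payments-api", 1.0))    # 650
    print(asset_risk_score(SAMPLE_FINDINGS, "marketing-site", 0.1))  # 29
```

Both assets carry a Critical finding, but the marketing site, treated as a low-criticality asset, scores far lower, which is the prioritization effect the methodology describes.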
# Asset risk score
Asset risk scores are determined by the severity level of the findings on that asset.
This risk score is available across all modules (PTaaS, EASM, BAS, and CAASM) and can be seen in the following places:
- Assets table (Inventory -> Assets (Assets table))
- Asset details page (select an asset row; the Asset details include its vulnerabilities)
- Home page -> Top Vulnerable Asset
The Asset Risk Score is one of three overall risk scores, all three of which are calculated based on three separate underlying risk scores: a vulnerability score, a remediation score, and an industry score, where a different weight is applied to each given overall risk score.
See
# Overall/Client risk score
The overall risk score can be seen on the Risk Overview dashboard (Dashboards -> Risk Overview dashboard) in the Risk Score chart.
The Risk Overview dashboard also breaks down risk into the following categories:
- Risk Overview, which displays a high-level breakdown of the types of risk discovered
- The top 10 highest-risk engagements for your organization
- Findings associated with risk scores, grouped by asset and engagement
The Overall Risk Score is one of three overall risk scores, all three of which are calculated based on three separate underlying risk scores: a vulnerability score, a remediation score, and an industry score, where a different weight is applied to each given overall risk score.
See
# How do I use the risk score?
Use the three overall risk scores to assess the true risk to your business so you can prioritize remediation and the allocation of your resources.
The risk scores also provide security leaders a quantitative metric to prioritize, measure, and track cybersecurity risk over time.