# Risk Scores

In cybersecurity, risk is more than just the number of findings. It’s the combination of findings,
the threat landscape, and the value of the assets to your business.

In the NetSPI Platform, you'll find your risk score presented in the following three ways to help maximize your
coverage.

- [Engagement risk score:](#engagement-risk-score) The Engagement Risk Score represents the severity of all the
findings in your engagement.
- [Asset risk score:](#asset-risk-score) The risk of any given asset is determined by the number and severity of
findings associated with that asset.
- [Overall Client Risk Score:](#overallclient-risk-score) The overall risk to your organization, as measured by your
vulnerability score, remediation score, and industry score.

See the sections below for details.

## Risk score methodology

NetSPI Platform risk scores are assessed on a scale from 0 to 1000. The higher the score, the higher your risk, where
0 means no risk and 1000 means the maximum risk.

The number and severity of findings are at the root of
all risk scores. A finding may be deemed “critical” in the sense that it’s easy to exploit, but if the asset that is
impacted by that finding/exploit is not essential to business continuity or data privacy, then the risk of that asset
should be considered minimal.

The NetSPI Platform provides three overall scores ([Engagement Risk Score](#engagement-risk-score),
[Asset Risk Score](#asset-risk-score), and [Client Risk Score](#overallclient-risk-score)), each of which is derived
from differing percentage values of three underlying risk scores: vulnerability risk score, remediation score,
and industry score.

The underlying risk scores can most clearly be seen on the *Overview* tab for any of your engagements, when you expand
the Risk Score card to display them.

![Engagement Risk score](/static/risk_score_engagement_example.png)

The table below provides a brief description of how the underlying risk scores are derived.

| Underlying risk score | Risk score derivation |
| :--- | :--- |
| Vulnerability score | The vulnerability score is based on a formula, applied over all of your findings across engagements and modules, and is represented as a value between 1 and 1000. |
| Remediation score | The remediation score is based on a formula involving a percentage of overdue open findings and non-overdue open findings, asset, or engagement, and is represented as a number between 0 and 1000. |
| Industry score | The industry score is based on a percentage of the vulnerability score and a percentage of the remediation score, and is then compared across the industry as a percentile. |

### Engagement risk score

The engagement risk score can be seen in the [Engagements table](/ptaas/engagements/)
(PTaaS -> Engagements (Engagements table)) and the [Engagement details page](/ptaas/engagements/ptaas-engagement-details/#ptaas-engagement-details).

![Engagement risk score](/static/risk_engagement_example.png)

The Engagement risk score is determined by the severity weight of all the findings in the engagement. Each severity
level has a weight associated with it.

Finding severity levels are set to one of the following:

- Urgent
- Critical
- High
- Medium
- Low
- None
- Informational
- Ignore

!!!
The Engagement Risk Score is one of three overall risk scores, all three of which are calculated based on three
separate underlying risk scores: a vulnerability score, a remediation score, and an industry score, where a different
weight is applied to each given overall risk score.
See [How the overall risk scores are calculated](#risk-score-methodology).
!!!

### Asset risk score

Asset risk scores are determined by the severity level of the findings on that asset.

This risk score is available across all modules (PTaaS, EASM, BAS, and CAASM) and can be seen in the following places:

- [Assets table](/inventory-assets/working-with-assets/#working-with-assets) (Inventory -> Assets (Assets table))
- [Asset details page](/inventory-assets/working-with-assets/#asset-details-page) (select an asset row -> Assets
details includes the vulnerability)
- [Home page -> Top Vulnerable Asset](/general-navigation/home-page/#netspi-platform-home-page)

![Asset risk score](/static/asset_risk_example.png)

!!!
The Asset Risk Score is one of three overall risk scores, all three of which are calculated based on three
separate underlying risk scores: a vulnerability score, a remediation score, and an industry score, where a different
weight is applied to each given overall risk score.
See [How the overall risk scores are calculated](#risk-score-methodology).
!!!

### Overall/Client risk score

The [overall risk score](/dashboard-details-pages/risk-overview-dashboard/#1-risk-score) can be seen on the
[Risk Overview dashboard](/dashboard-details-pages/risk-overview-dashboard/)
(Dashboards -> Risk Overview dashboard) in the Risk Score chart.

![Risk Overview dashboard](/static/risk_overall_client_example.png)

The Risk Overview dashboard also breaks down risk into the following categories:

- [Risk Overview](/dashboard-details-pages/risk-overview-dashboard/#2-risk-overview), which displays a high-level
breakdown of the types of risk discovered
- The
[top 10 highest risk engagements](/dashboard-details-pages/risk-overview-dashboard/#3-top-10-highest-risk-engagements)
for your organization
- Findings associated with risk scores, grouped by
[asset and engagement](/dashboard-details-pages/risk-overview-dashboard/#4-risks-by-assets-and-engagement)

!!!
The Overall Risk Score is one of three overall risk scores, all three of which are calculated based on three
separate underlying risk scores: a vulnerability score, a remediation score, and an industry score, where a different
weight is applied to each given overall risk score.
See [How the overall risk scores are calculated](#risk-score-methodology).
!!!

## How do I use the risk score?

Use the three overall risk scores to assess the true risk to your business so you can prioritize remediation and
allocation of your resources.

The risk scores also provide security leaders a quantitative metric to prioritize, measure, and track
cybersecurity risk over time.
