Asset Risk Score
Enso Standalone prioritizes asset mitigation according to the asset's importance, its related vulnerabilities and other risk factors. This article explains how the asset risk score is calculated.
The asset risk is based on the security gap, which is the sum of all defects' cost plus any coverage gap, reduced by an impact deduction that reflects the asset's business criticality.
Defects cost
The cost is based on the severity of each defect per security control and on its mitigation status. The cost can be configured separately for each security control and severity according to your own definitions.
Mitigation status - when a defect's status is moved to "in progress", a 50% discount is applied to that defect's cost.
Coverage gap - when an asset was not scanned as defined in the coverage policy (see policy), the asset receives a coverage gap penalty that increases the security gap.
Impact
Each impact class corresponds to a different level of the asset's business criticality. The higher the impact, the smaller the deduction applied to the security gap.
The formula for the impact deduction is: Security gap X ((100 - Impact) / 100)
The impact value itself is based on:
The impact class, which determines the minimum and maximum thresholds of the impact range.
A specific set of parameters such as risk factors (which also appear as tags), the number of commits in a repository, the number of hits on a host, etc. These parameters determine the asset's position within the impact class range.
Summarizing the above, the high-level risk formula is:
Security gap = Sum of (defect cost - mitigation discount) + coverage gap
Impact deduction = Security gap X ((100 - Impact) / 100)
Risk = Security gap - Impact deduction
The asset's severity is determined by where its Risk falls on the risk scale.
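The following worked example carries the formula above through in code. It is an added illustration, not Enso's own implementation: the cost table, the impact-class thresholds, the rule that positions an asset inside its class range (the mean of its risk-factor weights), the coverage gap penalty values and the risk scale are all assumptions chosen to make the arithmetic concrete; only the structure of the formula comes from this article. The two assets are constructed sample input.

```python
"""Worked example of the asset risk formula (added illustration, not Enso code)."""
from dataclasses import dataclass, field

# Assumed cost per (security control, severity); in Enso these are configurable.
DEFECT_COST = {
    ("SAST", "critical"): 100, ("SAST", "high"): 60, ("SAST", "medium"): 30, ("SAST", "low"): 10,
    ("SCA", "critical"): 80, ("SCA", "high"): 50, ("SCA", "medium"): 25, ("SCA", "low"): 5,
}

IN_PROGRESS_DISCOUNT = 0.5  # from the article: 50% off a defect's cost once it is in progress

# Assumed impact-class ranges (min, max). Risk factors move the asset inside its range.
IMPACT_CLASS = {"low": (0, 30), "medium": (31, 70), "high": (71, 100)}

# Assumed risk scale: the score is mapped to the highest threshold it reaches.
RISK_SCALE = [(0, "info"), (20, "low"), (60, "medium"), (120, "high")]


@dataclass
class Defect:
    control: str
    severity: str
    status: str = "open"  # "open" or "in_progress"

    def cost(self) -> float:
        """Configured cost minus the mitigation discount, if the defect is in progress."""
        base = DEFECT_COST[(self.control, self.severity)]
        discount = base * IN_PROGRESS_DISCOUNT if self.status == "in_progress" else 0.0
        return base - discount


@dataclass
class Asset:
    name: str
    impact_class: str
    defects: list = field(default_factory=list)
    coverage_gap_penalty: float = 0.0  # non-zero when scans fell outside the coverage policy
    # Assumed: each risk factor is a 0..1 weight; their mean places the asset in its class range.
    risk_factors: dict = field(default_factory=dict)


def security_gap(asset: Asset) -> float:
    """Sum of (defect cost - mitigation discount) plus the coverage gap penalty."""
    return sum(d.cost() for d in asset.defects) + asset.coverage_gap_penalty


def impact(asset: Asset) -> float:
    """Class minimum plus the asset's position inside the class range (assumed rule)."""
    lo, hi = IMPACT_CLASS[asset.impact_class]
    if not asset.risk_factors:
        return float(lo)
    position = sum(asset.risk_factors.values()) / len(asset.risk_factors)
    return lo + (hi - lo) * position


def impact_deduction(asset: Asset) -> float:
    """Security gap X ((100 - Impact) / 100), as stated in the article."""
    return security_gap(asset) * (100 - impact(asset)) / 100


def risk(asset: Asset) -> float:
    return security_gap(asset) - impact_deduction(asset)


def severity(asset: Asset) -> str:
    score = risk(asset)
    label = RISK_SCALE[0][1]
    for threshold, name in RISK_SCALE:
        if score >= threshold:
            label = name
    return label


# Constructed sample assets: a critical, partly mitigated service and a low-value internal site.
PAYMENTS = Asset(
    name="payments-api", impact_class="high",
    defects=[Defect("SAST", "critical"), Defect("SAST", "high", "in_progress"), Defect("SCA", "medium")],
    coverage_gap_penalty=20.0,
    risk_factors={"internet_facing": 1.0, "handles_pii": 0.6},
)
WIKI = Asset(
    name="internal-wiki", impact_class="low",
    defects=[Defect("SCA", "low"), Defect("SAST", "medium", "in_progress")],
)

if __name__ == "__main__":
    for a in (PAYMENTS, WIKI):
        print(f"{a.name}: gap={security_gap(a):.2f} impact={impact(a):.1f} "
              f"deduction={impact_deduction(a):.2f} risk={risk(a):.2f} severity={severity(a)}")
```

For payments-api the gap is 100 + 30 + 25 + 20 = 175, the impact lands at 94.2 inside the high range, so only 5.8% of the gap is deducted and the risk stays high. For internal-wiki the same arithmetic gives a gap of 20, but an impact of 0 deducts the entire gap, which is why a low-criticality asset can carry open defects and still sit at the bottom of the scale.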