Asset Risk Score
Enso Standalone prioritizes assets mitigation according to the asset's importance, related vulnerabilities and other risk factors. In this article we explain how the scoring calculation works.
The asset risk is based on:
- the sum of all defects’ cost and coverage gaps.
- Defects cost
- The cost is based on severity per security control and the mitigation status. The cost can be configured separately per each security control and severity according to your definitions.
- Mitigation status - when a defect's status is moved to in progress, a 50% discount is applied to the defect’s cost.
- Each impact class determines a different level of the asset’s business criticality.
- The formula to calculate the impact’s deduction value is: Security gap X ((100-Impact)/100)
- The impact's value itself is based on:
- The class which determines the minimum/maximum thresholds
- A specific set of parameters such as risk factors (appear also as tags), number of commits in repositories, number of hits in hosts, etc. The mentioned parameters determine the asset’s position within the impact class range.
Summarizing the above, below is the high-level risk formula:
- Security gap
- Sum of (defect cost - mitigation discount)
- + coverage gap
- - Impact deduction
The asset's severity is determined according to the position of the Risk in the risk scale