Asset Risk Score

Enso Standalone prioritizes asset mitigation according to each asset's importance, its related vulnerabilities and other risk factors. This article explains how the score is calculated.

The asset risk is based on:

Security Gap

  • The security gap is the sum of all defects' costs plus any coverage gap penalty.

  • Defect cost

    • The cost is derived from the defect's severity per security control and its mitigation status. It can be configured separately for each security control and severity according to your own definitions.

    • Mitigation status - when a defect's status is moved to In Progress, a 50% discount is applied to the defect's cost.

  • Coverage gap - when an asset was not scanned as defined in the coverage policy (see policy), the asset receives a coverage gap penalty that increases the security gap.

Impact Deduction

  • Each impact class determines a different level of the asset’s business criticality.

  • Defining the asset class can be done using an automated policy (see policy) or by specifying it manually in the inventory (see inventory).

  • The formula for the impact deduction is: Security gap X ((100 - Impact) / 100). The higher the asset's impact value, the smaller the deduction, so more of the security gap remains as risk.

  • The impact's value itself is based on:

    • The class which determines the minimum/maximum thresholds

    • A specific set of parameters such as risk factors (which also appear as tags), the number of commits in repositories, the number of hits on hosts, etc. These parameters determine the asset's position within the impact class range.

Risk Calculation

Summarizing the above, the high-level risk formula is:

Risk =

  • Security gap

    • Sum of (defect cost - mitigation discount)

    • + coverage gap

  • - Impact deduction

The asset's severity is determined by where its Risk value falls on the risk scale.
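The following is an added worked example of the formula above; it is illustration code written for this article, not Enso's own implementation. The cost table, the coverage gap penalty, the per-class impact thresholds and the risk scale bands are all constructed values (in the product they come from your configuration), and because the article does not specify how risk factors, commits and hits are combined, the example takes the asset's position within its impact class range as a plain number between 0 and 1.

```python
"""Asset risk score walk-through (added example, not Enso code)."""
from dataclasses import dataclass

# --- Assumed configuration ----------------------------------------------------
# Defect cost per (security control, severity). The article says these are
# configurable per control and severity; the numbers here are constructed.
DEFECT_COST = {
    ("sast", "critical"): 100.0, ("sast", "high"): 50.0,
    ("sast", "medium"): 20.0, ("sast", "low"): 5.0,
    ("sca", "critical"): 80.0, ("sca", "high"): 40.0,
    ("sca", "medium"): 15.0, ("sca", "low"): 4.0,
}
IN_PROGRESS_DISCOUNT = 0.5   # from the article: 50% off once a defect is In Progress
COVERAGE_GAP_PENALTY = 60.0  # assumed penalty per scan missed under the coverage policy

# Assumed min/max impact thresholds per impact class. The class fixes the range;
# risk factors, commits, hits, etc. place the asset inside it.
IMPACT_CLASS_RANGE = {
    "low": (0.0, 30.0), "medium": (30.0, 60.0),
    "high": (60.0, 80.0), "critical": (80.0, 100.0),
}
# Assumed risk scale: (lower bound of band, severity label), highest first.
RISK_SCALE = [(200.0, "critical"), (100.0, "high"), (50.0, "medium"), (0.0, "low")]


@dataclass
class Defect:
    control: str
    severity: str
    status: str = "open"  # "open" or "in_progress"


def defect_cost(defect: Defect) -> float:
    """Configured cost for the defect minus the mitigation discount."""
    key = (defect.control.lower(), defect.severity.lower())
    if key not in DEFECT_COST:
        raise ValueError(f"no cost configured for control/severity {key}")
    cost = DEFECT_COST[key]
    if defect.status == "in_progress":
        cost -= cost * IN_PROGRESS_DISCOUNT
    return cost


def security_gap(defects, missed_scans: int) -> float:
    """Sum of discounted defect costs plus the coverage gap penalty."""
    return sum(defect_cost(d) for d in defects) + missed_scans * COVERAGE_GAP_PENALTY


def impact_value(impact_class: str, position: float) -> float:
    """Place the asset inside its class range. `position` (0..1) stands in for
    the combination of risk factors, commits and hits the article mentions."""
    lo, hi = IMPACT_CLASS_RANGE[impact_class]
    position = min(1.0, max(0.0, position))
    return lo + (hi - lo) * position


def impact_deduction(gap: float, impact: float) -> float:
    """Security gap X ((100 - Impact) / 100), as given in the article."""
    return gap * ((100.0 - impact) / 100.0)


def severity_from_risk(risk: float) -> str:
    """Map the risk value onto the (assumed) risk scale."""
    for lower_bound, label in RISK_SCALE:
        if risk >= lower_bound:
            return label
    return "low"


def asset_risk(defects, missed_scans: int, impact_class: str, position: float) -> dict:
    """Risk = security gap - impact deduction, plus the resulting severity band."""
    gap = security_gap(defects, missed_scans)
    impact = impact_value(impact_class, position)
    deduction = impact_deduction(gap, impact)
    risk = gap - deduction
    return {"security_gap": gap, "impact": impact, "impact_deduction": deduction,
            "risk": risk, "severity": severity_from_risk(risk)}


if __name__ == "__main__":
    # Constructed sample asset: three defects (one already in progress), one missed scan.
    sample = [Defect("SAST", "critical"), Defect("SAST", "high", "in_progress"),
              Defect("SCA", "medium")]
    # Same defects, different impact class: the deduction is what separates them.
    print(asset_risk(sample, missed_scans=1, impact_class="high", position=0.5))
    print(asset_risk(sample, missed_scans=1, impact_class="low", position=0.5))
```

Running the sample shows the point of the deduction: the same security gap of 200 yields a risk of 140 (band "high") for an asset in the "high" impact class, but only 30 (band "low") for one in the "low" class, because the low-impact asset has most of its gap deducted.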
