The Risk Score Adjustment setting allows you to customize your assets’ risk score calculations according to the business context of the asset. For example, if you have set the Very High criticality level for assets belonging to your organization’s senior executives, you can configure the risk score adjustment so that those assets will have higher risk scores than they would have otherwise. You can specify modifiers for your user-applied criticality levels that will affect the asset risk score calculations for assets with those levels set.
Note that you must enable Risk Score Adjustment for the criticality levels to be taken into account in calculating the risk score; it is not set by default.
Risk Score Adjustment must be manually enabled
To enable and configure Risk Score Adjustment:
Constraints:
The default values are:
Adjust the multipliers for the criticality levels
The Risk Strategy and Risk Score Adjustment are independent factors that both affect the risk score.
To calculate the risk score for an individual asset, Nexposeuses the algorithm corresponding to the selected risk strategy. If Risk Score Adjustment is set and the asset has a criticality tag applied, the application then multiplies the risk score determined by the risk strategy by the modifier specified for that criticality tag.
Both the original and context-driven risk scores are displayed for an individual asset
The risk score for a site or asset group is based upon the scores for the assets in that site or group. The calculation used to determine the risk for the entire site or group depends on the risk strategy. Note that even though it is possible to apply criticality through an asset group, the criticality actually gets applied to each asset and the total risk score for the group is calculated based upon the individual asset risk scores.
The risk score for a site or asset-group is based on the context-driven risk scores of the assets in it.
If Risk Score Adjustment is enabled, nearly every risk score you see in your Nexposeinstallation will be the context-driven risk score that takes into account the risk strategy and the risk score adjustment. The one exception is the Original risk score available on the page for a selected asset. The Original risk score takes into account the risk strategy but not the risk score adjustment. Note that the values displayed are rounded to the nearest whole number, but the calculations are performed on more specific values. Therefore, the context-driven risk score shown may not be the exact product of the displayed original risk score and the multiplier.
When you first apply a criticality tag to an asset, the context-driven risk score on the page for that asset should update very quickly. There will be a slight delay in recalculating the risk scores for any sites or asset groups that include that asset.