Appendix D - Risk Score Algorithm
Introduction

A vulnerability is a security finding that an attacker can exploit to compromise a resource. Under the Common Vulnerability Scoring System (CVSS) standard, each vulnerability is assessed and assigned a numeric score from 0 to 10 as a quantitative measure of its severity; this document refers to that CVSS base score as the CVE score.

A resource may carry many vulnerabilities, but a CVE score only compares one vulnerability with another; it says nothing about the combined exposure of a resource. The FortiCNP team therefore developed a systematic way to summarize the security risk of one resource from the scores of all its vulnerabilities.

The approach treats a single vulnerability with a score of 10 as equally alarming as ten vulnerabilities with a score of 1 each. The overall vulnerability score is therefore calculated by summing the CVE base scores of all vulnerabilities on the resource and projecting that sum onto an exponential axis with an adjustable parameter, which keeps the result within a fixed range as the number of findings grows.

The same algorithm is applied to Threat and Risk Management findings to give each of those categories its own overall score.

Vulnerability/Threat/Risk Management Score Algorithm

NewScore is the calculated risk that a single Vulnerability, Risk Management, or Threat finding imposes on a resource.

The CVE Base Score is the CVSS base score reported by Amazon Inspector for the vulnerability. Configuration (Risk Management) and Threat finding base scores are derived from the severity label reported through AWS Security Hub: Low = 2.5, Medium = 5, High = 7.5, Critical = 10.

param is a fixed tuning constant for the exponential projection; its value was set from historical testing data so that the overall rating reflects observed risk.

ScoreSum is the sum of the NewScore values of all findings on the resource (for the Vulnerability score, all of its vulnerabilities).

K is a scaling constant set to 100, which bounds the overall rating of the resource to the range 0 to 100, where 0 is the least risk and 100 the most. Like param, it was fixed using historical testing data.

Overall Rating is the resulting overall Vulnerability, Threat, or Risk Management score, depending on which category of findings was summed.

Resource Risk Score

To consolidate the category scores, a calculation is needed that does more than sum vulnerabilities: it must give an overall risk assessment of the cloud resource across all three categories.

The Resource Risk Score is the overall risk score of a cloud resource, calculated by combining its Risk Management, Threat, and Vulnerability scores.

Resource Risk Score Algorithm

N[3] is the array obtained by sorting the resource's Vulnerability, Threat, and Configuration (Risk Management) scores in descending order, so its first element is the highest of the three category scores.

The Resource Risk Score is the weighted sum of the three sorted scores, with a different weight applied to each position in the sorted order, so a category's contribution depends on its rank among the three rather than on which category it is.
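
A worked example of the two-stage calculation described in the last two sections (the per-category overall rating, then the Resource Risk Score), added here for illustration; it is not FortiCNP code. The page does not print the formulas, so the exponential mapping `K * (1 - exp(-ScoreSum / param))`, the placeholder value `param = 20`, and the three position weights are assumptions chosen only to satisfy the stated properties (result bounded to 0..100, monotonic in the sum, one score-10 finding equivalent to ten score-1 findings). The severity mapping and K = 100 are the page's own.

```python
"""Worked example of the per-resource scoring described above.

ASSUMED (not from the page): the exact exponential mapping, the value of
``param`` and the three Resource Risk Score weights are placeholders chosen
to satisfy the stated properties. Substitute the vendor's constants if known.
"""
import math
from typing import Iterable, Sequence

# Severity-to-base-score mapping stated on the page for Security Hub findings.
# The page lists no value for other Security Hub labels (e.g. INFORMATIONAL),
# so anything else is rejected rather than silently scored.
SEVERITY_BASE_SCORE = {"LOW": 2.5, "MEDIUM": 5.0, "HIGH": 7.5, "CRITICAL": 10.0}

K = 100.0      # stated on the page: overall rating range 0..100
PARAM = 20.0   # ASSUMED placeholder for the page's "param" (tuned on historical data)

# ASSUMED placeholder weights applied to the sorted N[3] scores, highest first.
RISK_WEIGHTS = (0.5, 0.3, 0.2)


def base_score_from_severity(severity: str) -> float:
    """Map an AWS Security Hub severity label to the page's base score."""
    try:
        return SEVERITY_BASE_SCORE[severity.upper()]
    except KeyError:
        raise ValueError(f"unknown severity label: {severity!r}") from None


def score_sum(base_scores: Iterable[float]) -> float:
    """ScoreSum: sum of the base scores of all findings on one resource.

    Each input must lie in 0..10 (CVSS range / severity mapping range).
    """
    total = 0.0
    for s in base_scores:
        if not 0.0 <= s <= 10.0:
            raise ValueError(f"base score out of range: {s}")
        total += s
    return total


def overall_rating(base_scores: Iterable[float], param: float = PARAM, k: float = K) -> float:
    """Overall Vulnerability / Threat / Risk Management score for one resource.

    ASSUMED functional form: K * (1 - exp(-ScoreSum / param)). It is 0 with
    no findings, increases monotonically with ScoreSum and approaches K but
    never exceeds it, matching the page's description of projecting the sum
    onto an exponential axis with an adjustable parameter.
    """
    if param <= 0:
        raise ValueError("param must be positive")
    return k * (1.0 - math.exp(-score_sum(base_scores) / param))


def resource_risk_score(vuln: float, threat: float, config: float,
                        weights: Sequence[float] = RISK_WEIGHTS) -> float:
    """Resource Risk Score: weighted sum of the three category scores.

    The page sorts the three scores in descending order (N[3]) and applies a
    different weight to each position, so the result depends on rank, not on
    which category produced which score. The weight values are ASSUMED.
    """
    if len(weights) != 3 or any(w < 0 for w in weights):
        raise ValueError("need three non-negative weights")
    ranked = sorted((vuln, threat, config), reverse=True)  # N[3]
    return sum(w * n for w, n in zip(weights, ranked))


if __name__ == "__main__":
    # The page's equivalence: one score-10 finding vs. ten score-1 findings.
    print(f"one score-10 finding -> {overall_rating([10.0]):.2f}")
    print(f"ten score-1 findings -> {overall_rating([1.0] * 10):.2f}")
    # Constructed sample resource: three Inspector CVEs, two Security Hub
    # threat findings and four configuration findings (illustrative values).
    vuln = overall_rating([9.8, 7.5, 5.3])
    threat = overall_rating(base_score_from_severity(s) for s in ["HIGH", "MEDIUM"])
    config = overall_rating(base_score_from_severity(s)
                            for s in ["CRITICAL", "LOW", "LOW", "MEDIUM"])
    print(f"vuln={vuln:.1f} threat={threat:.1f} config={config:.1f} "
          f"resource risk={resource_risk_score(vuln, threat, config):.1f}")
```

Because the per-category score is a function of the plain sum, a resource with many low-severity findings can reach the same rating as one with a single critical finding; with the assumed mapping, ten score-1 findings and one score-10 finding both yield about 39.3. Triage should therefore read the Resource Risk Score alongside the highest individual finding, not instead of it.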