22.2.a

Appendix D - Risk Score Algorithm

Introduction

A vulnerability is a security finding that an attacker can exploit to compromise a system resource. Under the Common Vulnerability Scoring System (CVSS) standard, each vulnerability is weighed and assigned a numeric score as a quantitative assessment; this score, commonly called the CVE score, ranges from 0 to 10.

Each resource may carry multiple vulnerabilities, but CVE scores can only be compared between individual vulnerabilities. The FortiCNP team therefore developed a systematic approach for summarizing the security risk of one resource from all of its vulnerability scores.

For example, a single vulnerability with a score of 10 is as alarming as ten vulnerabilities with a score of 1. A calculation is needed that not only sums all vulnerabilities but also gives an overall assessment of the total risk. In FortiCNP, the overall security risk score is calculated by summing the CVE base scores of all vulnerabilities and projecting the sum onto an exponential axis with an adjustable parameter.

Risk Score Algorithm

NewScore is the re-rated value of each CVE base score. ScoreSum is the sum of the NewScore values of all vulnerabilities on the resource. The K parameter is set to 100 so that the overall rating of the resource ranges from 0 to 100, with 0 posing the least risk and 100 the most.
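As an added illustration (not FortiCNP's own code; the appendix does not reproduce the NewScore and ScoreSum formulas), the following Python implements an aggregation with the properties described above: base scores are validated and summed, and the sum is projected onto a saturating exponential curve capped at K = 100. The exact curve and its single tuning parameter (HALF_SUM, the ScoreSum at which the rating reaches 50) are assumptions made for this example.

```python
"""Illustrative resource risk aggregation in the shape Appendix D describes.

ASSUMPTION: the appendix does not reproduce the NewScore/ScoreSum formulas,
so the exponential projection used here (a half-saturation curve) is a
hypothetical stand-in, not FortiCNP's actual implementation.
"""
from typing import Iterable

K = 100.0          # page-stated ceiling: overall rating ranges from 0 to 100
HALF_SUM = 10.0    # ASSUMED adjustable parameter: ScoreSum at which rating = K/2


def new_score(base_score: float) -> float:
    """NewScore: validate a CVSS base score and return its contribution.

    ASSUMPTION: the contribution is the base score itself (0..10); the page
    only states that NewScore re-rates the CVE base score.
    """
    score = float(base_score)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range 0..10: {base_score}")
    return score


def score_sum(base_scores: Iterable[float]) -> float:
    """ScoreSum: the sum of NewScore over every vulnerability on the resource."""
    return sum(new_score(s) for s in base_scores)


def risk_score(base_scores: Iterable[float], k: float = K,
               half_sum: float = HALF_SUM) -> float:
    """Overall resource rating in [0, k].

    The sum is projected onto a saturating exponential curve: no findings give
    0, ScoreSum == half_sum gives k/2, and the rating approaches k as more
    vulnerabilities accumulate, so it never exceeds the ceiling.
    """
    total = score_sum(base_scores)
    return k * (1.0 - 2.0 ** (-total / half_sum))


if __name__ == "__main__":
    # Constructed sample: one resource with three findings.
    findings = [9.8, 7.5, 5.3]
    print(f"ScoreSum = {score_sum(findings):.1f}")
    print(f"Risk score = {risk_score(findings):.1f} / {K:.0f}")
```

Lowering HALF_SUM makes the rating climb faster toward 100 for the same ScoreSum; raising it spreads the 0 to 100 range over more findings.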
