Calculating Asset Risk Score

The calculation of the Asset Risk Score (ARS) involves several parameters: the Asset Criticality Score (ACS), the Qualys Detection Score (QDS), and the Qualys Vulnerability Score (QVS). This section explains how the ARS is calculated from these parameters.

Understanding Asset Criticality Score

The Asset Criticality Score (ACS) is derived from the tags assigned to the asset, each of which can carry its own criticality score. If multiple tags with scores are assigned to the asset, the highest score is used as the ACS.

For example, if you have assigned 6 tags to your asset, the tag with the highest value in the range 1 to 5 is used as the contributing factor when calculating the Asset Risk Score (ARS).

For more information about configuring tags, see Configure Tags.

Understanding the Qualys Detection Score

The Qualys Detection Score (QDS) is assigned to each vulnerability (QID) detected by Qualys. QDS ranges from 1 to 100 and is divided into four severity levels:

- Critical: 90-100

- High: 70-89

- Medium: 40-69

- Low: 1-39

QDS is derived from the following factors:

a) Vulnerability technical details (CVSS score): The highest Qualys Vulnerability Score (QVS) among the CVEs associated with the QID.

b) Vulnerability temporal details: Monitors external threat intelligence for the vulnerability and collects data such as Exploit Code Maturity (ECM), associated malware, active threat actors, and whether the threat is trending.

c) Vulnerability remediation details (CIDs): Accounts for the mitigation controls applied against the vulnerability. Vulnerabilities for which mitigation controls have been applied via Qualys compliance modules receive a reduced risk score.

Note: If multiple CVEs contribute to a QID, the CVE with the highest score is considered for the QDS calculation.

Understanding the Qualys Vulnerability Score for CVEs

Qualys Vulnerability Score (QVS) is a Qualys-assigned score for a vulnerability based on multiple factors associated with the CVE such as CVSS and external threat indicators like active exploitation, exploit code maturity, CISA known exploitable and many more.

Qualys offers various mitigation controls (CIDs) that are applied to the QVS. Applying all the CIDs to a QID will reduce the QVS. If no CID is applied, the QVS will be equal to the QDS.

The following formula is used to calculate the QDS:

QDS = QVS - CID

Understanding Asset Risk Score

Asset Risk Score (ARS) is the overall risk score assigned to the asset based on the following contributing factors:

a) Asset Criticality Score (ACS)

b) Qualys Detection Score (QDS) for each QID on the asset, grouped by severity level

c) Auto-assigned weighting factor (w) for each criticality level of QIDs

The following formula is used to calculate the ARS:

ARS = ACS * {w_c * Avg(QDS_c) + w_h * Avg(QDS_h) + w_m * Avg(QDS_m) + w_l * Avg(QDS_l)}

where,

ACS - Asset Criticality Score.

w - weighting factor for each severity level of QIDs [critical (c), high (h), medium (m), low (l)]

Avg(QDS) - average QDS of the QIDs at each severity level on that asset
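The calculation described above, as an added worked example (not Qualys code): ACS is the highest tag score, QDS is the highest CVE QVS minus the applied CID reduction, and ARS is the ACS times the weighted sum of per-severity average QDS. The weighting factors w are auto-assigned by Qualys and not published on this page, so the values used here are assumed placeholders, as is the choice that a severity level with no detections contributes 0.

```python
from statistics import mean

# Severity buckets from the page: Critical 90-100, High 70-89, Medium 40-69, Low 1-39.
def severity(qds: int) -> str:
    if not 1 <= qds <= 100:
        raise ValueError(f"QDS {qds} outside the 1-100 range")
    if qds >= 90:
        return "critical"
    if qds >= 70:
        return "high"
    if qds >= 40:
        return "medium"
    return "low"

def asset_criticality(tag_scores: list[int]) -> int:
    """ACS: the highest criticality score among the asset's tags (range 1-5)."""
    return max(tag_scores)

def detection_score(cve_qvs: list[int], cid_reduction: int) -> int:
    """QDS = QVS - CID, where QVS is the highest QVS among the QID's CVEs."""
    return max(cve_qvs) - cid_reduction

def asset_risk_score(acs: int, qds_values: list[int], weights: dict[str, float]) -> float:
    """ARS = ACS * sum over severity levels of w_level * Avg(QDS_level)."""
    buckets: dict[str, list[int]] = {"critical": [], "high": [], "medium": [], "low": []}
    for qds in qds_values:
        buckets[severity(qds)].append(qds)
    weighted_sum = 0.0
    for level, scores in buckets.items():
        if scores:  # assumption: a level with no detections adds nothing
            weighted_sum += weights[level] * mean(scores)
    return acs * weighted_sum

# Constructed sample data: 4 tags, one QID with three CVEs, and the QDS of five QIDs.
SAMPLE_TAG_SCORES = [2, 5, 3, 1]
SAMPLE_CVE_QVS = [45, 72, 60]
SAMPLE_QDS = [95, 85, 75, 50, 20]
ASSUMED_WEIGHTS = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2}  # placeholders

if __name__ == "__main__":
    acs = asset_criticality(SAMPLE_TAG_SCORES)
    print("ACS:", acs)
    print("QDS for sample QID:", detection_score(SAMPLE_CVE_QVS, 10))
    print("ARS:", asset_risk_score(acs, SAMPLE_QDS, ASSUMED_WEIGHTS))
```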

Click on the risk score for a particular asset to view the detailed calculation.

Asset Risk Score Calculation.

Related Topics

Average ARS filter in Multi-Grouped Table widget