Risk Exposure Score calculation

Arctic Wolf® calculates the Risk Exposure Score of an organization based on the number of risks, scan results, and asset criticality. We use the Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog to determine the exploitability of a risk.

Note: This calculation is for the new Risk Exposure Score. For the legacy risk score calculation, see Legacy Risk Exposure Score calculation.

Arctic Wolf calculates the Risk Exposure Score using these formulas.

Note: Assets without any risks are also included in the calculation.

Risk Exposure Score

The Risk Exposure Score represents the overall risk level of your organization. It takes the asset exposure score and adds a value if you have any exploited risk in your environment. The Risk Exposure Score is calculated using this formula:

Where:
  • res is the Risk Exposure Score.
  • aes is the asset exposure score. For more information, see Asset exposure score.
  • eri is the exploited risk indicator. This value is 1 if any exploited risk exists for your organization and 0 if no exploited risks exist.

Asset exposure score

The asset exposure score adds all of the unweighted asset scores together and applies the asset criticality to the asset score. The asset criticality makes sure that your most important assets are valued highly in the final score, while standard assets are valued normally. The asset exposure score is calculated using this formula:

Where:
  • aes is the asset exposure score.
  • as is the asset score. For more information, see Unweighted asset score.
  • ac is the asset criticality. Each criticality value has this numerical value assigned to it:
    • Critical — 2
    • High — 1.5
    • Anything else — 1
    For more information, see Edit asset criticality.

Asset score

The asset score takes the score of an asset and applies a constant value to standardize the score and prevent changes from significantly affecting your score. The asset score is calculated using this formula:

Where:
  • as is the asset score.
  • uas is the unweighted asset score. For more information, see Unweighted asset score.
  • K is 250. This value reduces sensitivity. Scores decrease more responsively and increase less quickly.

Unweighted asset score

The unweighted asset score is a score for an asset based on each risk associated with it. Risks with a critical or high weight are counted highly, while risks with a low weight are ignored. The unweighted asset score is calculated using this formula:

Where:
  • uas is the unweighted asset score.
  • rs is the risk score. For more information, see View risk details.
  • rw is the risk weight. The risk weight corresponds to the Common Vulnerability Scoring System (CVSS) score of the risk:
    • CVSS score is greater than or equal to 7 — 50
    • CVSS score is between 4 and 7 — 10
    • CVSS score is less than or equal to 4 — 0