Risk score calculation

Arctic Wolf® calculates the risk score of an organization based on the Common Vulnerability Scoring System version 3 (CVSSv3). CVSSv3 provides an open framework for communicating the impacts of network vulnerabilities and an objective metric for prioritizing vulnerabilities so that the highest risk vulnerabilities are remediated first.

Arctic Wolf calculates risk scores using these criteria:

  1. Each unmitigated vulnerability found in the network is scored independently.

    The CVSSv3 standard includes several metrics to calculate the base score of a vulnerability. For example:

    • Access vector — The accessibility of the exploitable vulnerability, including local access, adjacent access, and network access.
    • Access complexity — The complexity of the attack required to exploit the vulnerability when the targeted system is accessible.
    • Authentication — The number of times the attacker must authenticate to a targeted system to exploit the vulnerability.
    • Confidentiality impact — The impact on data confidentiality when a vulnerability is successfully exploited. Confidentiality refers to how data is accessed and disclosed, including preventing access by authorized users and disclosing data to unauthorized users.
    • Integrity impact — The impact on data integrity when a vulnerability is successfully exploited. Integrity refers to the trustworthiness and accuracy of the data.
    • Availability impact — The impact on data availability when a vulnerability is successfully exploited. Availability refers to the accessibility of the data and resource.

    Note: A CVSSv3 score may not be available for some vulnerabilities. Where no CVSSv3 score exists, vulnerabilities are scored using CVSSv2. For risks without any CVSS score, Arctic Wolf assigns a score based on our assessment of the threat potential.

    For more information about CVSS base score calculations, see NIST CVSS Calculator.

  2. This weighted-average formula is applied to the vulnerability scores:

    The weighted average risk score formula

    Where:

    • x = 10, the weight for Medium severity risks (scores 4–6.9)
    • y = 50, the weight for High severity risks (scores 7–8.9)
    • z = 50, the weight for Critical severity risks (scores 9–10)
    • a = Medium risk score values
    • b = High risk score values
    • c = Critical risk score values

  3. The result of the weighted-average formula is the final risk score for the entire network.

Tip: NIST provides a National Vulnerability Database (NVD) that the United States Department of Homeland Security (DHS) sponsors. The NVD contains Common Vulnerabilities and Exposures (CVEs) updated in real time. Each CVE provides details about a known network vulnerability, including a CVSSv3 or CVSSv2 score.
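The following Python is an added illustration of the three steps above, not Arctic Wolf's own code. The page shows the weighted-average formula only as an image, so the exact form used here (sum of weight × score divided by the sum of weights) is an assumption; the weights 10/50/50 and the Medium/High/Critical score bins are the page's. The page gives no weight for scores below 4.0, and the example assumes those findings are excluded from the average. Score selection follows the Note in step 1: CVSSv3 first, then CVSSv2, then an assessed score. The inventory at the bottom is constructed sample data.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Severity weights and score bins from the page.
WEIGHT_MEDIUM = 10    # x: Medium, scores 4.0-6.9
WEIGHT_HIGH = 50      # y: High, scores 7.0-8.9
WEIGHT_CRITICAL = 50  # z: Critical, scores 9.0-10.0


@dataclass
class Vulnerability:
    """One finding. A score field is None when that source has no score."""
    name: str
    cvss_v3: Optional[float] = None
    cvss_v2: Optional[float] = None
    assessed: Optional[float] = None   # analyst-assigned score when no CVSS score exists
    mitigated: bool = False


def effective_score(v: Vulnerability) -> float:
    """Score precedence from the Note: CVSSv3, then CVSSv2, then assessed."""
    for score in (v.cvss_v3, v.cvss_v2, v.assessed):
        if score is not None:
            if not 0.0 <= score <= 10.0:
                raise ValueError(f"{v.name}: score {score} is outside the CVSS 0-10 range")
            return float(score)
    raise ValueError(f"{v.name}: no CVSSv3, CVSSv2 or assessed score")


def severity_weight(score: float) -> int:
    """Map a 0-10 score to the page's weight; Low (<4.0) is assumed to carry no weight."""
    if score >= 9.0:
        return WEIGHT_CRITICAL
    if score >= 7.0:
        return WEIGHT_HIGH
    if score >= 4.0:
        return WEIGHT_MEDIUM
    return 0


def network_risk_score(vulns: Iterable[Vulnerability]) -> float:
    """Assumed weighted-average form over unmitigated vulnerabilities.

    Returns 0.0 when nothing carries weight, e.g. every finding is mitigated or Low.
    """
    weighted_sum = 0.0
    weight_total = 0
    for v in vulns:
        if v.mitigated:           # step 1: only unmitigated vulnerabilities are scored
            continue
        score = effective_score(v)
        weight = severity_weight(score)
        weighted_sum += weight * score
        weight_total += weight
    if weight_total == 0:
        return 0.0
    return weighted_sum / weight_total


# Constructed sample inventory (not real findings).
SAMPLE_INVENTORY = [
    Vulnerability("rce-in-web-app", cvss_v3=9.8),
    Vulnerability("auth-bypass", cvss_v3=7.5),
    Vulnerability("legacy-service-v2-only", cvss_v2=5.0),
    Vulnerability("custom-config-finding", assessed=5.5),
    Vulnerability("info-disclosure-low", cvss_v3=3.1),
    Vulnerability("patched-kernel-bug", cvss_v3=10.0, mitigated=True),
]

if __name__ == "__main__":
    for v in SAMPLE_INVENTORY:
        s = effective_score(v)
        print(f"{v.name:24s} score={s:4.1f} weight={severity_weight(s):3d} mitigated={v.mitigated}")
    print(f"network risk score: {network_risk_score(SAMPLE_INVENTORY):.2f}")
```

Because High and Critical share the weight 50, the average is pulled strongly toward the highest-severity findings, and a single mitigated Critical drops out of the calculation entirely; the sample run shows both effects (the mitigated 10.0 is ignored, and the four weighted findings average to about 8.08).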