
Risk Score Calculation in CCS

Created: 05 Oct 2012 | 1 comment

We are using CCS 10.5.1 and need to know exactly how the risk score for an asset is calculated.  

Also, how does the value 'Unknown' affect the risk score, and how can we change the unknown values to either pass or fail?

Thank you for your help!


Sujit Manolikar


Simply put, Asset Risk Score is the weighted average of all the failed tests across all providers on an asset. The example below should make it clear.

Asset A1 has two data providers configured, viz. CCS Standards Manager and CCS Vulnerability Manager, with the configuration and evaluation data below.

Provider                     Test Name   Risk Score   Provider Weight
CCS Standards Manager        Check1      7            1
CCS Vulnerability Manager    Vuln1       5            0.8

The Risk Score of A1 would be calculated as follows:

         A1 Risk Score = ((7 * 1) + (5 * 0.8)) / (1 + 0.8) = 6.11

As mentioned earlier, only 'Failed' results are considered for calculating the risk score of an asset, so 'Unknown' does not have any effect on the asset risk score. In CCS Standards Manager, an 'Unknown' result can be changed to 'Pass/Fail' by modifying the check definition. For SCAP benchmarks, 'Unknown' results can be changed to 'Pass/Fail' using SCAP Exceptions.

Hope this helps.