Risk rating
The Risk rating for an application is a function of the highest severity of active issues in the application, and the business impact defined for the application. Higher numbers indicate increased risk.
Severity and Business impact are each assigned numerical values, and multiplied
together to produce a risk value. This value is converted to the Risk
rating.
[Risk rating value] = [Severity of highest active issue] x [Business impact of application]
Severity values
The severity of the highest active issue in an application is converted to a
numerical value following this table:
Severity | Value |
---|---|
Critical | 5 |
High | 4 |
Medium | 3 |
Low | 2 |
Informational | 1 |
Note: Active issues are issues whose status is New (deprecated), Open, In Progress, or Reopened. Issues with any other status are ignored when the Risk rating is calculated. You can change an issue's status in Issue status.
Business impact
The business impact assigned to the application is converted to a numerical value
following this table:
Business impact | Value |
---|---|
Critical | 5 |
High | 4 |
Medium | 3 |
Low | 2 |
Unspecified | 0 |
Note: The default Business impact setting is Medium (3). You can change this to a different value, or set it to Unspecified. When Business impact is Unspecified, the Risk rating value is 0 and the Risk rating is Unknown, regardless of the application's issues.

To define business impact:
- On the main toolbar, click Applications to open the application view.
- Locate the application you want to edit, and click on the right-hand side of its row.
- Use the Business impact combo-box to select the value you want: Critical, High, Medium, Low, or Unspecified.
Risk rating calculation
Value | Risk rating |
---|---|
20-25 | Critical |
15-19 | High |
9-14 | Medium |
1-8 | Low |
0 | Unknown |
Note: An application that contains at least one scan but has no active issues has a Risk rating value of 0, but its Risk rating is set to Low rather than Unknown.
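The following is an added worked example that reproduces the calculation described on this page in Python. It is not the product's own code: the application and issue data model (plain dictionaries with `severity`, `status`, `business_impact` and `scan_count` fields) and the sample application are constructed here for illustration. It applies the active-status filter, the two value tables, the Unspecified and no-active-issues edge cases, and the rating bands.

```python
# Added example (not the product's own code). Reproduces the Risk rating
# calculation: [Severity of highest active issue] x [Business impact].
# Data model (dicts, field names) is assumed for illustration only.

SEVERITY_VALUE = {
    "Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Informational": 1,
}
BUSINESS_IMPACT_VALUE = {
    "Critical": 5, "High": 4, "Medium": 3, "Low": 2, "Unspecified": 0,
}
# "New" is deprecated but still counts as active.
ACTIVE_STATUSES = {"New", "Open", "In Progress", "Reopened"}


def highest_active_severity(issues):
    """Severity value (1-5) of the highest active issue, or 0 if none is active."""
    active = [i for i in issues if i["status"] in ACTIVE_STATUSES]
    if not active:
        return 0
    return max(SEVERITY_VALUE[i["severity"]] for i in active)


def risk_rating_value(issues, business_impact):
    """Numeric risk value: highest active severity x business impact (0-25)."""
    return highest_active_severity(issues) * BUSINESS_IMPACT_VALUE[business_impact]


def risk_rating(application):
    """Map an application to its Risk rating using the bands on this page."""
    # Business impact defaults to Medium (3) when it has not been set.
    impact = application.get("business_impact", "Medium")
    if impact == "Unspecified":
        return "Unknown"  # value is 0 whatever the issues are
    value = risk_rating_value(application["issues"], impact)
    if value == 0:
        # No active issues: Low if the application has been scanned at
        # least once, otherwise Unknown.
        return "Low" if application.get("scan_count", 0) >= 1 else "Unknown"
    if value >= 20:
        return "Critical"
    if value >= 15:
        return "High"
    if value >= 9:
        return "Medium"
    return "Low"


# Constructed sample application: one inactive Critical issue (ignored),
# active High and Medium issues, and a deprecated "New" Informational issue.
SAMPLE_APP = {
    "name": "example-app",
    "business_impact": "High",
    "scan_count": 2,
    "issues": [
        {"severity": "Critical", "status": "Fixed"},       # example non-active status
        {"severity": "High", "status": "Open"},            # active
        {"severity": "Medium", "status": "Reopened"},      # active
        {"severity": "Informational", "status": "New"},    # deprecated, still active
    ],
}

if __name__ == "__main__":
    # Highest active severity is High (4), impact High (4): 16 -> High.
    print(risk_rating_value(SAMPLE_APP["issues"], SAMPLE_APP["business_impact"]))
    print(risk_rating(SAMPLE_APP))
```

Note that the inactive Critical issue does not raise the rating: only active statuses feed the calculation, so closing or marking issues changes the Risk rating immediately.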