Calculating TruRisk Score

The calculation of TruRisk Score involves various parameters like, Asset Criticality, Qualys Detection Score (QDS), and Qualys Vulnerability Score (QVS). This section informs you about TruRisk Score calculation using these various parameters.

Asset Risk Score is renamed to TruRisk Score.

The TruRisk Score calculation is also applicable for Qualys CSAM application.

Understanding Asset Criticality Score

It is calculated based on multiple tags assigned to the asset with Asset Criticality Scores (ACS) defined. The highest score is considered for the ACS if multiple tags are assigned to the asset.

For example, if you assign 6 tags to your asset, the tag with the highest value between 1-5 will be considered the contributing factor while calculating the TruRisk Score.

For more information about configuring tags, see Configure Tags

Understanding the Qualys Detection Score

The Qualys Detection Score (QDS) is assigned to vulnerabilities detected by Qualys. QDS has a range from 1 to 100 and with four severity levels:

Critical: 90-100
High: 70-89
Medium: 40-69
Low: 1-39

QDS is derived from the following factors:

Vulnerability technical details (CVSS score): The highest Qualys Vulnerability Score (QVS) for CVEs is associated with the QID.
Vulnerability temporal details: Monitors external threat intelligence details for a vulnerability and collects data like Exploit Code Maturity (ECM), malware, active threat actors, and if a threat is trending.

If multiple CVEs contribute to a QID, the CVE with the highest score is considered for the QDS calculation.

Understanding the Qualys Vulnerability Score for CVEs

Qualys Vulnerability Score (QVS) is a Qualys-assigned score for a vulnerability based on multiple factors associated with the CVE, such as CVSS and external threat indicators like active exploitation, exploit code maturity, CISA known exploitable, and many more.

Understanding TruRisk Score

TruRisk Score is the overall risk score assigned to the asset based on the following contributing factors:

Asset Criticality Score (ACS)
Qualys Detection Score (QDS) scores for each QID level
Auto-assigned weighting factor (w) for each criticality level of QIDs

TruRisk Formula for Managed Asset

The TruRisk formula for managed asset, includes the number of vulnerabilities; the asset with greater vulnerabilities gets a higher score. The TruRisk formula for managed asset has the following features:

The weighing factor (w) is based on the severity of the vulnerability.
The maximum risk score restricts to 1000.
The new formula lists the External Tags.
In case of an external asset, the entire TruRisk Score value is multiplied with 1.2

TruRisk Score = MIN( ACS * (w_c*Avg(QDS_c)*np.power(Count(QDS_c), 1/100) +

w_h*Avg(QDS_h)*np.power(Count(QDS_h), 1/100)+

w_m*Avg(QDS_m)*np.power(Count(QDS_m), 1/100)+

w_l*Avg(QDS_l)*np.power(Count(QDS_l), 1/100)),1000)

where,

ACS - Asset Criticality Score.

w - weighing factor for each severity level of QIDs [critical(c), high(h), medium(m), low(l)]

Avg(QDS) - Average of Qualys Detection Score for each severity level of QIDs

np.power - value of np.power is constant to 0.01

TruRisk Formula for Externally Exposed Unmanaged Assets

TruRisk Score = MIN( (Asset exposure) * ACS * (w_c* Avg(QVS_c) * np.power(Count(QVS_c), 1/100) +w_h* Avg(QVS_h) * np.power(Count(QVS_h), 1/100) +w_m* Avg(QVS_m) * np.power(Count(QVS_m), 1/100)+ w_l* Avg(QVS_l) * np.power(Count(QVS_l), 1/100), 1000)