How does QualysGuard calculate Security Risk in vulnerability reports and what are the criteria used?
Regardless of the sorting criterion, QualysGuard first computes the security risk at the host level, and then averages the host values. You can set up your account in 2 ways to compute the security risk at the host level: take the highest severity or compute an average.
Here is an example of how it is calculated:
Summary report average security risk:
With average host setting:
With max host setting:
To change the settings for security risk, navigate to Reports > Setup > Security Risk and change the setting.
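The two host-level settings described above, worked through on constructed data. This is an added example, not Qualys code or report output: the host addresses, severities (assumed to be on a 1-5 scale) and function names are assumptions, and any rounding or filtering the product applies is not modeled.

```python
from collections import defaultdict

# Constructed sample detections: (host, severity). Not real scan data.
DETECTIONS = [
    ("10.0.0.1", 5), ("10.0.0.1", 1), ("10.0.0.1", 1), ("10.0.0.1", 1),
    ("10.0.0.2", 3), ("10.0.0.2", 3),
    ("10.0.0.3", 2),
]


def host_risk(severities, mode):
    """Security risk for one host under the chosen account setting."""
    if mode == "max":
        return float(max(severities))
    if mode == "average":
        return sum(severities) / len(severities)
    raise ValueError(f"unknown mode: {mode!r}")


def summary_risk(detections, mode):
    """Return (per-host risk, report-level risk).

    Step 1: compute the risk per host (highest severity or average).
    Step 2: average the host values to get the report figure.
    """
    by_host = defaultdict(list)
    for host, severity in detections:
        by_host[host].append(severity)
    if not by_host:
        # Assumption: a report with no detections is treated as risk 0.
        return {}, 0.0
    per_host = {h: host_risk(s, mode) for h, s in by_host.items()}
    return per_host, sum(per_host.values()) / len(per_host)


if __name__ == "__main__":
    for mode in ("average", "max"):
        per_host, overall = summary_risk(DETECTIONS, mode)
        print(f"{mode:>7}: per-host={per_host} report={overall:.2f}")
```

With the average setting, the single severity 5 finding on the first host is diluted by its three severity 1 findings, so that host scores the same as one carrying only a severity 2 finding; the max setting keeps it at 5.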
Qualys Support KnowledgeBase