How does QualysGuard calculate Security Risk and what are the criteria used?

Issue:

How does QualysGuard calculate Security Risk in vulnerability reports and what are the criteria used?

Solution:

Regardless of the sorting criterion, QualysGuard first computes the security risk for each host, and then averages those per-host values across all hosts in the report. Your account can be set up in one of two ways to compute the host-level security risk: take the highest severity found on the host, or compute the average severity of all vulnerabilities found on the host.

Here is an example of how it is calculated, for six hosts with the severities of the vulnerabilities detected on each:

Host 216.190.209.35: severities 3, 2, 1; highest 3; average 6/3 = 2

Host 216.190.29.42: severities 2, 2, 2, 2, 1; highest 2; average 9/5 = 1.8

Host 216.190.29.43: severities 2, 2, 2, 2, 3; highest 3; average 11/5 = 2.2

Host 216.190.209.56: severities 2, 2, 1, 5, 3; highest 5; average 13/5 = 2.6

Host 216.190.209.58: severities 2, 2, 5, 3; highest 5; average 12/4 = 3

Host 216.190.209.59: severities 2, 5, 3; highest 5; average 10/3 = 3.3

Summary report average security risk:

With the average host setting: 2 + 1.8 + 2.2 + 2.6 + 3 + 3.3 = 14.9, and 14.9/6 = 2.48

With the max host setting: 3 + 2 + 3 + 5 + 5 + 5 = 23, and 23/6 = 3.8

The same hosts score noticeably higher under the max setting because a single severity 5 vulnerability sets the score for its whole host, whereas under the average setting it is diluted by the lower-severity findings on that host.

To change the settings for security risk, navigate to Reports > Setup > Security Risk and change the setting.
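The following script reproduces the calculation above for both account settings. It is an added example written for this article, not Qualys code; the host list is constructed from the article's figures, and the handling of a host with no detections (scored 0) is an assumption, as the article does not say how such hosts are treated.

```python
# Per-host vulnerability severities, constructed from the article's example.
HOSTS = {
    "216.190.209.35": [3, 2, 1],
    "216.190.29.42": [2, 2, 2, 2, 1],
    "216.190.29.43": [2, 2, 2, 2, 3],
    "216.190.209.56": [2, 2, 1, 5, 3],
    "216.190.209.58": [2, 2, 5, 3],
    "216.190.209.59": [2, 5, 3],
}


def host_risk(severities, setting):
    """Security risk for one host under the 'max' or 'average' setting."""
    if not severities:
        # Assumption: a host with no detections contributes 0 (not stated in the article).
        return 0.0
    if setting == "max":
        return float(max(severities))
    if setting == "average":
        return sum(severities) / len(severities)
    raise ValueError(f"unknown security risk setting: {setting!r}")


def report_risk(hosts, setting):
    """Per-host risks plus the report-level average across hosts."""
    per_host = {host: host_risk(sev, setting) for host, sev in hosts.items()}
    overall = sum(per_host.values()) / len(per_host) if per_host else 0.0
    return per_host, overall


if __name__ == "__main__":
    for setting in ("average", "max"):
        per_host, overall = report_risk(HOSTS, setting)
        print(f"--- {setting} host setting ---")
        for host, risk in per_host.items():
            print(f"{host:16} {risk:.2f}")
        print(f"report average: {overall:.2f}")
```

Note that the article rounds 10/3 to 3.3 before summing, which gives 2.48; with exact arithmetic the average-setting report value is 2.49, while the max-setting value is 3.83 either way.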

