Risk configuration

IBM® Security Risk Manager provides a risk scoring framework that uses a consistent and common risk definition across your organization's security risk areas.

Risk scoring framework

The risk engine computes the risk score of every asset from the Asset Risk, Threat, and Vulnerability components, using the weights that are assigned to the factors of each component. The following formula is used to evaluate the risk score.

Risk = Asset Criticality x Threat x Vulnerability
The following table describes the building blocks of the risk engine.
Building block: Asset Risk
Description: Asset value
  • Relative importance of the asset to the business.
Risk factors
  • Aspects of confidentiality, integrity, and availability
  • Classification level
  • Asset exposure, which indicates whether the asset is internet facing or internal
  • Compliance level

Building block: Threats
Description
  • Events that can pose potential risk to the business.
Risk factors
  • Threat events
  • Policy violations
  • Offenses
  • Indicators of Compromise (IOCs)

Building block: Resistance (vulnerability and enforcement risks)
Description
  • Controls that must be in place to mitigate the identified risks.
Risk factors
  • CVE scores of identified vulnerabilities
  • Enforcement controls; for example, encryption or monitoring status
  • Asset vulnerabilities and exploitability scores
Use the common risk configuration framework to assign weights to the risk factors that are sourced from different products when the score is computed at the asset level. Entities such as databases, applications, assets, IP addresses, and hostnames are collectively referred to as assets in Risk Manager. You can customize your risk profile to assess risk based on how important each risk factor is to your organization. Risk Manager provides a set of factors for each of the following risk vectors, and you assign weights to those factors to evaluate the risk of an asset.
  • Threat - Threat distribution risk
  • Resistance - Vulnerability distribution risk
  • Resistance - Enforcement risk
  • Asset criticality - Asset criticality
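The following script is an added example that walks the Risk = Asset Criticality x Threat x Vulnerability formula and the weight assignment described above through the arithmetic. It is not Risk Manager's own code: the factor names follow the table on this page, but the 0..1 factor scale, the weighted average inside each risk vector, the 0..100 output scale, the CVSS-to-factor mapping, and the two sample assets are assumptions made for this illustration. It also shows the property a practitioner should keep in mind with a multiplicative formula: an asset with no recorded threat activity scores zero however exposed and unpatched it is, and raising the weight of one factor (here, internet exposure) changes the scores without changing the formula.

```python
"""Illustrative weighted-factor model of Risk = Asset Criticality x Threat x Vulnerability.

Added example, not Risk Manager code. Factor names follow the page's table; the
0..1 factor scale, the weighted average per vector, and the 0..100 output scale
are assumptions chosen to make the arithmetic visible.
"""

# Factors grouped by the risk vector they feed (grouping is this example's choice).
VECTORS = {
    "asset_criticality": ["confidentiality", "integrity", "availability",
                          "classification", "exposure", "compliance"],
    "threat": ["threat_events", "policy_violations", "offenses", "iocs"],
    "vulnerability": ["cve_score", "enforcement_gap", "exploitability"],
}

# Every factor weighted equally. A weight of 0 removes a factor from the score.
DEFAULT_WEIGHTS = {name: 1.0 for names in VECTORS.values() for name in names}


def cvss_to_factor(base_score):
    """Map a CVSS base score (0..10) onto the 0..1 factor scale used here (assumed mapping)."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    return base_score / 10.0


def vector_score(factors, weights, vector):
    """Weighted average of one vector's factors; every factor is on a 0..1 scale.

    A missing factor counts as 0 (no evidence), so an asset with no threat
    activity recorded gets a threat vector of 0 and therefore a risk of 0.
    """
    names = VECTORS[vector]
    total_weight = sum(weights.get(n, 0.0) for n in names)
    if total_weight <= 0:
        raise ValueError(f"all weights for vector {vector!r} are zero")
    weighted = 0.0
    for name in names:
        value = factors.get(name, 0.0)
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must be in 0..1, got {value}")
        weighted += weights.get(name, 0.0) * value
    return weighted / total_weight


def risk_score(factors, weights=DEFAULT_WEIGHTS):
    """Risk = Asset Criticality x Threat x Vulnerability, scaled to 0..100."""
    criticality = vector_score(factors, weights, "asset_criticality")
    threat = vector_score(factors, weights, "threat")
    vulnerability = vector_score(factors, weights, "vulnerability")
    return 100.0 * criticality * threat * vulnerability


def rank_assets(assets, weights=DEFAULT_WEIGHTS):
    """Return [(asset_name, score), ...] sorted highest risk first."""
    scored = [(name, risk_score(f, weights)) for name, f in assets.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample assets (not real data). prod-db is an internet-facing,
# highly classified database; test-vm is an internal box that is noisier in
# threat terms and worse patched, but matters far less to the business.
SAMPLE_ASSETS = {
    "prod-db": {
        "confidentiality": 1.0, "integrity": 1.0, "availability": 0.8,
        "classification": 0.8, "exposure": 1.0, "compliance": 0.8,
        "threat_events": 0.6, "policy_violations": 0.2, "offenses": 0.5, "iocs": 0.3,
        "cve_score": cvss_to_factor(9.0), "enforcement_gap": 0.6, "exploitability": 0.9,
    },
    "test-vm": {
        "confidentiality": 0.3, "integrity": 0.3, "availability": 0.2,
        "classification": 0.2, "exposure": 0.0, "compliance": 0.2,
        "threat_events": 0.8, "policy_violations": 0.5, "offenses": 0.6, "iocs": 0.5,
        "cve_score": cvss_to_factor(10.0), "enforcement_gap": 1.0, "exploitability": 1.0,
    },
}

# Customised profile: an organisation that cares mostly about internet
# exposure triples that factor's weight inside asset criticality.
EXPOSURE_HEAVY_WEIGHTS = {**DEFAULT_WEIGHTS, "exposure": 3.0}

if __name__ == "__main__":
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{name:8s} {score:5.1f}  (default weights)")
    for name, score in rank_assets(SAMPLE_ASSETS, EXPOSURE_HEAVY_WEIGHTS):
        print(f"{name:8s} {score:5.1f}  (exposure weight 3)")
```

With equal weights prod-db scores 28.8 and test-vm 12.0: the test machine has the higher threat and vulnerability vectors, but the criticality multiplier keeps the production database on top. Raising the exposure weight to 3 moves them to 29.6 and 9.0, widening the gap for the internet-facing asset. Validation of the 0..1 range matters in practice because factor values arrive from different products, and a single out-of-range value silently distorts every score that uses it.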