How does QualysGuard calculate Security Risk and what are the criteria used?

Document created by kb-author-1 Employee on May 19, 2010. Last modified by eschamp on Oct 28, 2011. Version 5.

Issue:

How does QualysGuard calculate Security Risk in vulnerability reports and what are the criteria used?

Solution:

Regardless of the sorting criterion, QualysGuard first computes the security risk at the host level and then averages across the hosts. You can set up your account in one of two ways to compute the security risk at the host level: take the highest severity found on the host, or compute the average severity of the host's vulnerabilities.

Here is an example of how it is calculated:

Host: 216.190.209.35
  severities: 3+2+1
  highest: 3
  average: 6/3=2

Host: 216.190.29.42
  severities: 2+2+2+2+1
  highest: 2
  average: 9/5=1.8

Host: 216.190.29.43
  severities: 2+2+2+2+3
  highest: 3
  average: 11/5=2.2

Host: 216.190.209.56
  severities: 2+2+1+5+3
  highest: 5
  average: 13/5=2.6

Host: 216.190.209.58
  severities: 2+2+5+3
  highest: 5
  average: 12/4=3

Host: 216.190.209.59
  severities: 2+5+3
  highest: 5
  average: 10/3=3.3

Summary report average security risk:

With average host setting:
  2+1.8+2.2+2.6+3+3.3=14.9
  14.9/6=2.48

With max host setting:
  3+2+3+5+5+5=23
  23/6=3.8 !!!
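The two host-level settings and the host averaging described above, as an added Python example (not Qualys code). It uses the sample hosts from the worked example and assumes, to reproduce that example's figures, that each host's average is rounded to one decimal before the hosts are averaged.

```python
# Constructed sample data copied from the worked example above:
# host -> severities (1-5) of the vulnerabilities detected on it.
SAMPLE_HOSTS = {
    "216.190.209.35": [3, 2, 1],
    "216.190.29.42": [2, 2, 2, 2, 1],
    "216.190.29.43": [2, 2, 2, 2, 3],
    "216.190.209.56": [2, 2, 1, 5, 3],
    "216.190.209.58": [2, 2, 5, 3],
    "216.190.209.59": [2, 5, 3],
}


def host_risk(severities, mode):
    """Security risk for one host under the chosen account setting.

    'highest' takes the maximum severity on the host; 'average' takes the
    mean severity, rounded to one decimal as in the worked example
    (rounding is an assumption, not documented on the page).
    """
    if not severities:
        # Assumption: a host with no detected vulnerabilities contributes 0.
        return 0.0
    if mode == "highest":
        return float(max(severities))
    if mode == "average":
        return round(sum(severities) / len(severities), 1)
    raise ValueError(f"unknown security risk mode: {mode}")


def report_risk(hosts, mode):
    """Summary security risk: per-host risk first, then the mean across hosts.

    The host-level setting changes only the first step; the second step
    is always a plain average over all hosts in the report.
    """
    if not hosts:
        return 0.0
    per_host = [host_risk(sev, mode) for sev in hosts.values()]
    return sum(per_host) / len(per_host)


if __name__ == "__main__":
    # Same data, two settings: shows how much 'highest' inflates the summary.
    for mode in ("average", "highest"):
        print(f"{mode:8s} setting: {report_risk(SAMPLE_HOSTS, mode):.2f}")
```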

To change the security risk setting, navigate to Reports > Setup > Security Risk and select the host-level method you want.

Qualys Support KnowledgeBase

http://community.qualys.com/community/kb


ID: 0001.010.613.000
