
Weighting Risk


This article explains how to adjust the Nucleus risk score to your company's unique risk profile and context.

Risk Weightings

Nucleus provides the ability to weight the risk attributes that contribute to the risk score on findings, assets, asset groups and projects according to your company's own risk context. Setting these weightings is an important step that should be completed during onboarding onto the platform. Once set, they play a crucial role in how risk scores are calculated and directly shape how your organization prioritizes remediation activities.

How do risk attribute weights work?

Assets and findings both contain base risk scores which are used together to calculate the risk score of a finding on an asset. The asset base risk score is comprised of the values of the four risk attributes that are configured on that asset, which are:

  • Business Criticality (Critical, High, Moderate, Low)
  • Data Sensitivity (Critical, High, Moderate, Low)
  • Network Exposure (Internal, External)
  • Compliance Scope (In-Scope, Out-Of-Scope)

At a project level, each risk attribute has a relative integer weighting between 0 and 10 applied to it. The weights are considered together and proportionally scale each risk attribute's value when the asset base risk score is calculated. For this reason, setting every weight to 10 does not affect asset risk scores any differently than setting every weight to 5: because the attributes are scaled according to their relative weights, in both cases they are all weighted equally to each other.

Example Weighting

Suppose your risk weightings are as follows:

  • Business Criticality set to 10
  • Data Sensitivity set to 5
  • Network Exposure set to 0
  • Compliance Scope set to 0

In this configuration, every asset base risk score is made up of two parts Business Criticality and one part Data Sensitivity. The risk score will never change if the Network Exposure or Compliance Scope values change, as both are weighted 0 and do not contribute to the asset base risk score.

Consider two assets A and B with identical findings but where asset A has a Business Criticality value of Critical and Data Sensitivity value of Moderate, and asset B has a Business Criticality value of Moderate and a Data Sensitivity value of Critical.

In this scenario, even though the underlying findings are the same, asset A will have a higher base risk score because Business Criticality has been weighted at twice Data Sensitivity.
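The following is an added illustration, not Nucleus's own code. The page does not publish the actual Nucleus scoring formula, so the normalised weighted sum below is an assumption chosen only to reproduce the three properties the article states: weights scale attributes proportionally, an attribute weighted 0 drops out, and an all-10 weighting behaves exactly like an all-5 weighting. The numeric values assigned to each attribute level (Critical, High, External, In-Scope and so on) are likewise constructed for this example.

```python
"""Toy model of relative risk attribute weights (added example, not Nucleus code).

Assumption: the asset base risk score is a weighted average of per-attribute
level values, where each attribute's weight is divided by the total weight.
Nucleus's real formula and level values are not given on the page."""

from typing import Dict

# Assumed ordinal values per attribute level (constructed for this example).
LEVELS: Dict[str, Dict[str, float]] = {
    "Business Criticality": {"Critical": 1.0, "High": 0.75, "Moderate": 0.5, "Low": 0.25},
    "Data Sensitivity": {"Critical": 1.0, "High": 0.75, "Moderate": 0.5, "Low": 0.25},
    "Network Exposure": {"External": 1.0, "Internal": 0.5},
    "Compliance Scope": {"In-Scope": 1.0, "Out-Of-Scope": 0.5},
}


def validate_weights(weights: Dict[str, int]) -> int:
    """Enforce the page's constraints: all four attributes present, integer
    weights in 0..10, and at least one non-zero weight (otherwise there is
    nothing to scale by). Returns the total weight."""
    if set(weights) != set(LEVELS):
        raise ValueError("weights must cover exactly the four risk attributes")
    for name, w in weights.items():
        if not isinstance(w, int) or not 0 <= w <= 10:
            raise ValueError(f"{name}: weight must be an integer between 0 and 10")
    total = sum(weights.values())
    if total == 0:
        raise ValueError("at least one weight must be non-zero")
    return total


def asset_base_risk(attrs: Dict[str, str], weights: Dict[str, int]) -> float:
    """Assumed model: each attribute's level value is scaled by that attribute's
    share of the total weight, giving a score in [0, 1] (rounded to 4 places)."""
    total = validate_weights(weights)
    score = sum((w / total) * LEVELS[name][attrs[name]] for name, w in weights.items())
    return round(score, 4)


# The article's example weighting: Business Criticality counts twice Data
# Sensitivity; Network Exposure and Compliance Scope drop out entirely.
EXAMPLE_WEIGHTS = {"Business Criticality": 10, "Data Sensitivity": 5,
                   "Network Exposure": 0, "Compliance Scope": 0}

# Assets A and B from the article; the two unweighted attributes are set
# arbitrarily since they cannot influence the result.
ASSET_A = {"Business Criticality": "Critical", "Data Sensitivity": "Moderate",
           "Network Exposure": "Internal", "Compliance Scope": "Out-Of-Scope"}
ASSET_B = {"Business Criticality": "Moderate", "Data Sensitivity": "Critical",
           "Network Exposure": "Internal", "Compliance Scope": "Out-Of-Scope"}


def equal_weights_are_equivalent(attrs: Dict[str, str]) -> bool:
    """An all-10 and an all-5 weighting yield the same score, as the page says."""
    tens = {name: 10 for name in LEVELS}
    fives = {name: 5 for name in LEVELS}
    return asset_base_risk(attrs, tens) == asset_base_risk(attrs, fives)


def zero_weight_has_no_effect(attrs: Dict[str, str], weights: Dict[str, int]) -> bool:
    """Flipping an attribute weighted 0 (Network Exposure here) leaves the score unchanged."""
    flipped = {**attrs, "Network Exposure": "External"}
    return asset_base_risk(attrs, weights) == asset_base_risk(flipped, weights)


if __name__ == "__main__":
    print("Asset A:", asset_base_risk(ASSET_A, EXAMPLE_WEIGHTS))   # 0.8333
    print("Asset B:", asset_base_risk(ASSET_B, EXAMPLE_WEIGHTS))   # 0.6667
    print("all-10 == all-5:", equal_weights_are_equivalent(ASSET_A))
    print("zero weight ignored:", zero_weight_has_no_effect(ASSET_A, EXAMPLE_WEIGHTS))
```

Under these assumptions asset A scores 0.8333 and asset B 0.6667 with the example weighting, matching the article's ordering; the validation step also rejects an all-zero weighting, which would leave nothing for the proportional scaling to work with.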

Considerations

When deciding on risk weightings for your organization, it's important to consider both your business and industry's context, as well as the reliability of the data that you have available to you.

Business & Industry Context

It's common for particular businesses or industries to place a higher weighting on certain types of risk attributes due to their role in the company's ongoing operations and success. For example, if you are an eCommerce company you may consider uptime of systems to be of utmost importance, as each minute of downtime could result in thousands or millions of dollars in lost revenue. Because of this, you may decide to place a higher weighting on business criticality than, say, data sensitivity or whether an asset is public facing.

Alternatively, perhaps you are a Banking or Financial company. Uptime may still be of high importance to your company; however, as Banking and Financial companies often operate in highly regulated environments and transact a large amount of sensitive information, you may decide that these two risk attributes are of equal or greater importance than uptime and adjust them to be higher.

Data Reliability

Data reliability is also important when considering how to weight risk attributes for your organization, especially if improving the quality and reliability of asset data isn't feasible in the short or medium term. Placing equal or high weights on an attribute that isn't underpinned by reliable data can lead to miscalculating the actual risk faced by certain assets, causing either an overemphasis or underemphasis on certain findings, assets or asset groups. This misalignment can result in inadequate security measures for critical vulnerabilities or unnecessarily allocating resources to remediating issues in less critical areas.

For example, if business criticality and data sensitivity are the only attributes that are backed by reliable data, then even if compliance scope or network exposure is important to your company it would be prudent to weight these attributes lower. By prioritizing more reliable data, the remediation activities that your company chooses to conduct become more grounded in reality, leading to an overall more effective vulnerability management program.

Industry Examples

The following is a list of common industries and risk attribute weightings. These weightings reflect a balance between the typical assets involved, the nature of data handled, the regulatory environment, and the external risks faced by each industry. Please note that adjustments might be necessary based on your specific company circumstances (such as data reliability) or industry changes.

1. Agriculture

  • Business Criticality: 4
  • Data Sensitivity: 3
  • Compliance Scope: 5
  • Network Exposure: 3

Reasoning: In agriculture, compliance (especially environmental and safety standards) is often a critical concern, while the sensitivity of data and business criticality of assets are moderately important.

2. Automotive

  • Business Criticality: 7
  • Data Sensitivity: 6
  • Compliance Scope: 5
  • Network Exposure: 7

Reasoning: The automotive industry involves significant risks in terms of business operations (manufacturing disruptions, etc.) and exposure due to integration with global supply chains and technologies.

3. Banking and Finance

  • Business Criticality: 6
  • Data Sensitivity: 10
  • Compliance Scope: 10
  • Network Exposure: 4

Reasoning: Data sensitivity and compliance are paramount in banking and finance due to financial regulations and the need to protect customer data.

4. Construction

  • Business Criticality: 7
  • Data Sensitivity: 4
  • Compliance Scope: 8
  • Network Exposure: 6

Reasoning: Compliance and business criticality are high in construction due to safety regulations and the impact of project delays or failures.

5. Education

  • Business Criticality: 5
  • Data Sensitivity: 7
  • Compliance Scope: 6
  • Network Exposure: 3

Reasoning: Data sensitivity is crucial in education for protecting student information, while compliance with educational standards and regulations is also important.

6. Energy

  • Business Criticality: 10
  • Data Sensitivity: 7
  • Compliance Scope: 8
  • Network Exposure: 8

Reasoning: Energy assets are often of high business criticality due to their impact on broader economic and social structures. Compliance and exposure are also significant due to regulatory scrutiny and security concerns.

7. Healthcare

  • Business Criticality: 8
  • Data Sensitivity: 10
  • Compliance Scope: 10
  • Network Exposure: 4

Reasoning: Protecting patient data and adhering to health regulations are top priorities, making data sensitivity and compliance the highest weighted attributes.

8. Information Technology

  • Business Criticality: 6
  • Data Sensitivity: 9
  • Compliance Scope: 6
  • Network Exposure: 9

Reasoning: Data sensitivity and exposure are critical due to the high risk of cyber attacks and the importance of maintaining service availability and data integrity.

9. Manufacturing

  • Business Criticality: 8
  • Data Sensitivity: 5
  • Compliance Scope: 7
  • Network Exposure: 5

Reasoning: Business criticality is high due to the impact of production assets, while compliance related to safety and environmental standards is also important.

10. Media and Entertainment

  • Business Criticality: 5
  • Data Sensitivity: 7
  • Compliance Scope: 4
  • Network Exposure: 6

Reasoning: Data sensitivity (e.g., protecting intellectual property) is relatively more important than compliance in this less regulated industry.

11. Retail

  • Business Criticality: 6
  • Data Sensitivity: 7
  • Compliance Scope: 5
  • Network Exposure: 7

Reasoning: Data sensitivity (consumer data protection) and exposure (due to the public nature of retail operations) are significant concerns.

12. Telecommunications

  • Business Criticality: 7
  • Data Sensitivity: 8
  • Compliance Scope: 6
  • Network Exposure: 9

Reasoning: High exposure due to network infrastructure being critical and vulnerable to attacks; data sensitivity is also crucial.

13. Tourism and Hospitality

  • Business Criticality: 5
  • Data Sensitivity: 6
  • Compliance Scope: 5
  • Network Exposure: 7

Reasoning: Exposure is a key risk due to the high interaction with customers and the need for operational continuity.

14. Transportation

  • Business Criticality: 8
  • Data Sensitivity: 6
  • Compliance Scope: 7
  • Network Exposure: 9

Reasoning: Exposure and business criticality are high due to the reliance on infrastructure and the potential impacts of disruptions.

15. E-commerce

  • Business Criticality: 8
  • Data Sensitivity: 9
  • Compliance Scope: 6
  • Network Exposure: 10

Reasoning: Exposure is high due to constant internet connectivity, requiring stringent data protection for extensive customer information, while the uninterrupted operation of e-commerce platforms is essential for maintaining business continuity.

Organization & Project Risk Settings

Risk attributes can be weighted at both the organization and project levels.

Organization & Project Risk Weighting Interaction

Although risk attributes can be weighted at both the organization and project levels, these do not interact with each other when calculating risk scores.

Organization Risk Settings control the default risk attribute weights for all projects within your Nucleus organization and can be overridden at the Project level. If you set weightings at the organization level but not at the project level, all projects will use the organization weighting.

If you configure risk attribute weights within a project itself, these weights take precedence over the organization-level weights and will apply within that project. Any changes to the organization-level weights will have no impact in the project.

Adjusting weightings at the Project Level

  1. Navigate to Global Dashboard > Select your project > Project Administration > Risk Settings.

(Screenshot: project risk settings.png)

  2. In the pop-up modal, adjust the setting for each of Business Criticality, Data Sensitivity, Network Exposure and Compliance Scope.

(Screenshot: risk setting popup.png)

  3. Click Save.

After saving, the project's risk scores will be recalculated. This may take a few minutes to complete.

Adjusting weightings at the Organization level

  1. In Nucleus, navigate to Global Dashboard > Global Administration > Risk Settings.

(Screenshot: org risk settings.png)

  2. In the pop-up modal, adjust the setting for each of Business Criticality, Data Sensitivity, Network Exposure and Compliance Scope.

(Screenshot: adjust org risk settings.png)

  3. Click Save.

After saving, each project's risk scores will be recalculated. This may take a few minutes to complete.