Risk level
The risk level indicates how problematic an existing vulnerability can be for a specific asset. There are the following risk levels:
| Risk level | Meaning: The vulnerability ... | Example |
|---|---|---|
| No risk | ... cannot affect the asset | |
| Critical | ... can have a critical impact on the asset | |
| High | ... can have a high impact on the asset | |
| Medium | ... can have a medium impact on the asset | |
| Low | ... can have a low impact on the asset | |
| Undefined | ... can have an undefined impact (none to critical) on the asset. The impact is undefined because the asset is not assigned to any zone | |
SINEC Security Guard calculates an individual risk level for each vulnerability of an asset. This calculation is based on:
- the CVSS of the considered vulnerability and
- the 'Business Criticality' and 'Exposure' of an asset.
Thus, the risk level facilitates the prioritization of addressing open vulnerabilities. By considering zone- and asset-specific factors, the urgency of vulnerabilities can be determined on an asset-specific basis.
- CVSS considers the worst possible impact of a vulnerability. All assets affected by the same vulnerability are considered equally in need of protection by the CVSS.
- The risk level, in addition to the CVSS, also considers the asset-specific situation, e.g., a particular importance of the asset for business success or the existing protection of a zone by a firewall.
| Criteria | CVSS | Risk level |
|---|---|---|
| Consideration of the worst-case effects | Yes | Yes (uses the CVSS score) |
| Consideration of zone-/asset-specific business criticality | No | Yes |
| Consideration of zone-/asset-specific protection mechanisms (exposure) | No | Yes |
| Example of two identical assets with a vulnerability with a CVSS score of 7.2: | | |
| Asset A in zone 'chemical reactor' (high business criticality, high exposure) | Asset A: 7.2 | Asset A: Critical |
| Asset B in zone 'shipping' (low business criticality, medium exposure) | Asset B: 7.2 | Asset B: Medium |
| Conclusion: | Both assets appear to be in need of protection to the same extent | Asset A should be protected more urgently against the vulnerability |
Similar assets with the same vulnerability, belonging to different zones with different values for business criticality and exposure, can lead to different risk levels.
An asset can have several vulnerabilities and therefore have several risk levels at the same time. The total risk level of the asset is always the highest of all risk levels.
Example:
If Vulnerability 1 on an asset causes a low risk level and Vulnerability 2 on the same asset causes a medium risk level, the total risk level of the asset is medium.
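The following Python model is an added illustration, not SINEC Security Guard's own code or algorithm. It shows how per-vulnerability risk levels can be derived from a CVSS score plus zone-specific business criticality and exposure, how the asset's total risk level is the highest of its individual levels, and how an asset without a zone yields 'Undefined'. The concrete rule (shift the CVSS severity band one step up or down per zone factor) is an assumption chosen so that it reproduces the example above (CVSS 7.2 -> Critical in the reactor zone, Medium in the shipping zone); the zone and vulnerability data are constructed sample values.

```python
"""Illustrative asset risk-level model (assumed, not the product's algorithm)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class RiskLevel(Enum):
    NO_RISK = "No risk"
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"
    CRITICAL = "Critical"
    UNDEFINED = "Undefined"   # asset is not assigned to any zone


# Ranking used to pick the "highest" level. UNDEFINED is deliberately outside
# this ordering: it is a missing-context state, not a severity.
SEVERITY_ORDER = [RiskLevel.NO_RISK, RiskLevel.LOW, RiskLevel.MEDIUM,
                  RiskLevel.HIGH, RiskLevel.CRITICAL]


@dataclass
class Zone:
    name: str
    business_criticality: str   # "low" | "medium" | "high"
    exposure: str               # "low" | "medium" | "high"


@dataclass
class Vulnerability:
    vuln_id: str   # constructed placeholder ids in the sample data below
    cvss: float    # CVSS base score, 0.0 .. 10.0


@dataclass
class Asset:
    name: str
    zone: Optional[Zone]
    vulnerabilities: List[Vulnerability] = field(default_factory=list)


def cvss_band(score: float) -> RiskLevel:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return RiskLevel.NO_RISK
    if score < 4.0:
        return RiskLevel.LOW
    if score < 7.0:
        return RiskLevel.MEDIUM
    if score < 9.0:
        return RiskLevel.HIGH
    return RiskLevel.CRITICAL


# Assumed adjustment per zone factor: "high" raises the band one step, "low" lowers it.
_STEP = {"low": -1, "medium": 0, "high": +1}


def risk_level(vuln: Vulnerability, zone: Optional[Zone]) -> RiskLevel:
    """Asset-specific risk level of one vulnerability (assumed model)."""
    if zone is None:
        return RiskLevel.UNDEFINED          # no zone -> no context to judge impact
    band = cvss_band(vuln.cvss)
    if band is RiskLevel.NO_RISK:
        return band                         # CVSS 0.0 stays "No risk"
    shift = _STEP[zone.business_criticality] + _STEP[zone.exposure]
    idx = SEVERITY_ORDER.index(band) + shift
    # Clamp: zone factors never push a real vulnerability below Low or above Critical.
    idx = max(SEVERITY_ORDER.index(RiskLevel.LOW), min(idx, len(SEVERITY_ORDER) - 1))
    return SEVERITY_ORDER[idx]


def total_risk_level(asset: Asset) -> RiskLevel:
    """The asset's total risk level is the highest level across all its vulnerabilities."""
    if asset.zone is None:
        return RiskLevel.UNDEFINED
    levels = [risk_level(v, asset.zone) for v in asset.vulnerabilities]
    if not levels:
        return RiskLevel.NO_RISK
    return max(levels, key=SEVERITY_ORDER.index)


# Constructed sample data mirroring the page's example (CVSS 7.2 in two zones).
REACTOR = Zone("chemical reactor", business_criticality="high", exposure="high")
SHIPPING = Zone("shipping", business_criticality="low", exposure="medium")
SHARED_VULN = Vulnerability("example-vuln-1", 7.2)
ASSET_A = Asset("Asset A", REACTOR, [SHARED_VULN])
ASSET_B = Asset("Asset B", SHIPPING, [SHARED_VULN, Vulnerability("example-vuln-2", 3.1)])
ORPHAN = Asset("Asset C", None, [SHARED_VULN])       # not assigned to any zone

if __name__ == "__main__":
    for a in (ASSET_A, ASSET_B, ORPHAN):
        per_vuln = [risk_level(v, a.zone).value for v in a.vulnerabilities]
        print(f"{a.name}: per vulnerability {per_vuln} -> total {total_risk_level(a).value}")
```

Running the script prints Critical for Asset A, Medium for Asset B (its second, low-scoring vulnerability lands on Low, and the maximum rule keeps the total at Medium) and Undefined for the asset without a zone. Keeping 'Undefined' outside the severity ordering is the important design choice: an unzoned asset should surface as a data-quality problem to fix, not silently sort as "No risk".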
The risk status and the specific risk level of an asset depend on the events that occur on the asset.
| Event on an asset | Risk status | Example of the asset's risk level due to the vulnerability |
|---|---|---|
| Vulnerability has been newly identified | Open | 'High' (has been recalculated) |
| Risk-eliminating tasks are planned | Managed | 'High' (planning does not change the risk level) |
| Tasks have been implemented, vulnerability has been eliminated | Performed | 'No risk' |