Understanding Asset Priority (Advanced Rating Methodology only)
Asset Priority is a value (1-10) you set for each site asset according to how critical that asset is to you. A value of 1 indicates the lowest level of importance; a value of 10 indicates that the asset is absolutely critical to your company. By setting the Asset Priority, you determine the urgency associated with vulnerabilities found on that asset.
If you do not set a value for Priority, it will not be considered in calculating the risk rating of any vulnerability found on the asset. Therefore, the urgency of any associated vulnerabilities will be neither increased nor decreased.
How Asset Priority Affects the Impact Value
When calculating the risk rating for a particular vulnerability, the Threat Research Center assigns it a Base Impact value between 0 (the lowest potential impact) and 9 (the highest potential impact), depending on how much damage could be caused by this particular vulnerability. The Net Impact value is calculated by using the priority you have set for the asset as a weighting factor applied to the Base Impact value. Essentially, the Asset Priority allows you to flag those assets that need the greatest or least scrutiny.
If the Priority is set to 1 (the lowest possible value), the range for the Net Impact is compressed downward: more vulnerabilities will be rated "Low Impact," and vulnerabilities that would otherwise be rated "High" will be rated "Medium" instead. If you have assets that are inherently low-risk (no personally identifiable information, say, and no forms or other user interaction), this lets you filter out moderate vulnerabilities on those assets so that you do not spend time remediating them and can instead focus on assets of more immediate importance to your business.
If the Priority is set to 1, the Net Impact will be reduced, and the eventual Risk Rating reported will be lower. (See the following table.)
| Base Impact | Net Impact |
|---|---|
| 1 (low) | Low |
| 3 (medium) | Low |
| 5 (medium) | Low |
| 7 (high) | Medium |
| 9 (high) | Medium |
Setting a Priority value of 1, 2, 3, or 4 will always reduce the Impact value used to calculate the risk rating for a vulnerability; a Priority of 1 reduces it the most, while Priorities 2-4 reduce it correspondingly less. The following table shows the effect of setting the Priority to 4.
| Base Impact | Net Impact |
|---|---|
| 1 (low) | Low |
| 3 (medium) | Medium |
| 5 (medium) | Medium |
| 7 (high) | Medium |
| 9 (high) | High |
Priorities of 5 and 6 sit in the middle of the Priority range and therefore have the least effect on the resulting Net Impact and the eventual Risk Rating. A Priority of 5 slightly flattens the Impact value, so that a vulnerability that would have been rated High Net Impact may be rated Medium Net Impact instead. (See the following table.)
| Base Impact | Net Impact |
|---|---|
| 1 (low) | Low |
| 3 (medium) | Medium |
| 5 (medium) | Medium |
| 7 (high) | Medium |
| 9 (high) | High |
Conversely, setting an asset's Priority to 6 slightly increases the Net Impact rating of vulnerabilities on that site, so that a vulnerability that would have been rated Low Impact is rated Medium Impact instead, potentially increasing the eventual Risk Rating. (See the following table.)
| Base Impact | Net Impact |
|---|---|
| 1 (low) | Medium |
| 3 (medium) | Medium |
| 5 (medium) | Medium |
| 7 (high) | High |
| 9 (high) | High |
Setting a Priority value of 7 or more will consistently increase the Net Impact value used to calculate the risk rating for a vulnerability; a Priority of 10 increases it the most, while Priorities 7-9 increase it correspondingly less. The following two tables show the effect of setting the Priority to 7 and to 10, respectively.
Priority set to 7:

| Base Impact | Net Impact |
|---|---|
| 1 (low) | Medium |
| 3 (medium) | Medium |
| 5 (medium) | Medium |
| 7 (high) | High |
| 9 (high) | High |
Priority set to 10:

| Base Impact | Net Impact |
|---|---|
| 1 (low) | Medium |
| 3 (medium) | High |
| 5 (medium) | High |
| 7 (high) | High |
| 9 (high) | High |
Whatever Priority value (low, middle, or high) is set for a given asset, not every Base Impact value is changed; however, if the Priority is 5 or less, the adjustment is only ever downward, and if the Priority is 6 or more, it is only ever upward. If the Priority is 6 or more, no vulnerability on that asset will be reported with a Net Impact of Low; if the Priority is 3 or less, no vulnerability on that asset will be reported with a Net Impact of High.
How Changes in Impact Value Can Affect the Rating
The final Risk Rating for a vulnerability is determined by combining the Impact (how much damage the vulnerability could allow a hostile user to cause) with the Likelihood. The Likelihood value is set by the Threat Research Center engineers based on how difficult the particular vulnerability is to exploit.
These two factors are compared to determine the final Risk Rating, as shown in the Risk Rating Table.
| Net Impact | Low Likelihood | Medium Likelihood | High Likelihood |
|---|---|---|---|
| Low Impact | Note | Low Risk | Medium Risk |
| Medium Impact | Low Risk | Medium Risk | High Risk |
| High Impact | Medium Risk | High Risk | Critical Risk |
From this table you can see that a Priority value that lowers the Net Impact of a vulnerability on a given asset tends to lower that vulnerability's Risk Rating, and a Priority value that raises the Net Impact tends to raise its Risk Rating.
This allows you to automatically increase the priority you give to vulnerabilities found on sites of more importance, and decrease the priority you give to vulnerabilities found on sites of less importance, simplifying your vulnerability triage process.
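The following is an added worked example, not code from the original page or from the Threat Research Center: it encodes the Net Impact tables printed above for the Priorities the page documents (1, 4, 5, 6, 7 and 10), composes them with the Risk Rating Table, checks the stated trend rules against those tables, and triages a constructed batch of findings so you can see the same flaw land in different risk buckets on assets of different Priority. Priorities the page does not tabulate (2, 3, 8, 9) and Base Impact values other than the sampled 1, 3, 5, 7, 9 are rejected rather than guessed; treating an unset Priority as passing the Base Impact band through unchanged is an assumption drawn from the statement that an unset Priority is not considered. The finding records and asset names are constructed sample data.

```python
"""Worked model of Asset Priority -> Net Impact -> Risk Rating (added example).

Only the (Base Impact, Priority) combinations the page tabulates are encoded;
anything else raises rather than inventing a mapping.
"""

# Net Impact tables exactly as the page prints them, keyed by Priority.
# Base Impact is sampled at 1, 3, 5, 7 and 9, as in the page's tables.
NET_IMPACT = {
    1:  {1: "Low",    3: "Low",    5: "Low",    7: "Medium", 9: "Medium"},
    4:  {1: "Low",    3: "Medium", 5: "Medium", 7: "Medium", 9: "High"},
    5:  {1: "Low",    3: "Medium", 5: "Medium", 7: "Medium", 9: "High"},
    6:  {1: "Medium", 3: "Medium", 5: "Medium", 7: "High",   9: "High"},
    7:  {1: "Medium", 3: "Medium", 5: "Medium", 7: "High",   9: "High"},
    10: {1: "Medium", 3: "High",   5: "High",   7: "High",   9: "High"},
}

# Base Impact band labels as printed in parentheses in the page's tables.
BASE_LABEL = {1: "Low", 3: "Medium", 5: "Medium", 7: "High", 9: "High"}

# Risk Rating Table: RISK[net_impact][likelihood].
RISK = {
    "Low":    {"Low": "Note",   "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
}

LEVELS = ("Low", "Medium", "High")


def net_impact(base_impact, priority=None):
    """Net Impact for a documented (Base Impact, Priority) pair.

    priority=None models an unset Asset Priority. The page says an unset
    Priority is not considered, so we ASSUME the Base Impact band passes
    through unchanged (an assumption; the page prints no table for it).
    """
    if base_impact not in BASE_LABEL:
        raise ValueError(f"Base Impact {base_impact} is not tabulated on the page")
    if priority is None:
        return BASE_LABEL[base_impact]
    if priority not in NET_IMPACT:
        raise ValueError(f"Priority {priority} has no table on the page")
    return NET_IMPACT[priority][base_impact]


def risk_rating(base_impact, likelihood, priority=None):
    """Combine Net Impact with the TRC-assigned Likelihood via the Risk Rating Table."""
    return RISK[net_impact(base_impact, priority)][likelihood]


def check_trend_rules():
    """Check the page's prose invariants against the tables it prints.

    Returns a list of (priority, base_impact, net_impact, reason) violations;
    an empty list means the tables agree with the prose.
    """
    violations = []
    for prio, row in NET_IMPACT.items():
        for base, net in row.items():
            base_idx, net_idx = LEVELS.index(BASE_LABEL[base]), LEVELS.index(net)
            if prio <= 5 and net_idx > base_idx:
                violations.append((prio, base, net, "raised despite Priority <= 5"))
            if prio >= 6 and net_idx < base_idx:
                violations.append((prio, base, net, "lowered despite Priority >= 6"))
            if prio >= 6 and net == "Low":
                violations.append((prio, base, net, "Low Net Impact at Priority >= 6"))
            if prio <= 3 and net == "High":
                violations.append((prio, base, net, "High Net Impact at Priority <= 3"))
    return violations


def triage(findings):
    """Rate each finding and return them sorted most urgent first (stable sort)."""
    order = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Note": 0}
    rated = [dict(f, risk=risk_rating(f["base_impact"], f["likelihood"], f.get("priority")))
             for f in findings]
    rated.sort(key=lambda f: order[f["risk"]], reverse=True)
    return rated


# Constructed sample findings (hypothetical assets, not data from the page):
# the same flaw on assets of different Priority, plus one with no Priority set.
SAMPLE_FINDINGS = [
    {"id": "F-1", "asset": "marketing-brochure", "priority": 1,    "base_impact": 9, "likelihood": "Medium"},
    {"id": "F-2", "asset": "customer-portal",    "priority": 10,   "base_impact": 9, "likelihood": "Medium"},
    {"id": "F-3", "asset": "customer-portal",    "priority": 10,   "base_impact": 3, "likelihood": "High"},
    {"id": "F-4", "asset": "unset-priority-app", "priority": None, "base_impact": 3, "likelihood": "High"},
]

if __name__ == "__main__":
    for v in check_trend_rules():
        print("table/prose mismatch:", v)
    for f in triage(SAMPLE_FINDINGS):
        print(f"{f['id']} {f['asset']:<20} prio={f['priority']!s:<4} base={f['base_impact']} "
              f"likelihood={f['likelihood']:<6} -> {f['risk']}")
```

Running it shows the Base Impact 9 finding rated Medium Risk on the Priority-1 asset but High Risk on the Priority-10 asset, and the Base Impact 3 finding reaching Critical on the Priority-10 asset while the unrated-Priority copy of it stays at High; `check_trend_rules()` returns no violations, confirming that the six printed tables obey the trend rules stated in the prose.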
To set your site priority after onboarding the site, please see Setting Site Priority.
For additional information on the Ratings, please see Understanding the Rating Methodologies.