Before we begin, please note that Remediation Score is a Cisco Vulnerability Management - Premier feature.
The Kenna Risk Score provided a way for security and remediation teams to measure their progress in reducing risk—a far more useful and meaningful metric than simply counting closed vulnerabilities.
The Remediation Analytics and Score is aimed at helping organizations measure their remediation performance—the effectiveness of their team to drive down organizational risk by remediating the vulnerabilities that matter most. As mentioned above, Remediation Analytics and Scoring is available as part of the Cisco Vulnerability Management Premier offering.
The composite score is made up of four metrics: coverage, efficiency, velocity, and capacity. These are combined to provide an overall score. When you click on the score, you can view the sub-scores for each metric.
Coverage
Coverage measures the completeness of your remediation. It asks the question, “Of all vulnerabilities that should be remediated (the ones that are truly high risk), what percentage was correctly identified for remediation?” It assesses if you’re fixing the vulnerabilities that really matter.
Coverage is calculated:
[Number of closed vulnerabilities with an active internet breach or easily exploitable vulnerability definition] / [Total of all vulnerabilities with an active internet breach or easily exploitable vulnerability definition] * 100
Efficiency
Efficiency measures the percentage of remediations that address high-risk vulnerabilities. This metric helps us gauge if we’re spending our resources on the right things.
Efficiency is calculated:
[Number of remediations that have at least one Active Internet Breach or Easily Exploitable categorization] / [Total of all remediations] * 100
Velocity
Velocity measures the speed and progress of remediation. Velocity asks, “How quickly are issues addressed and how long do they persist within and/or across assets?”
Velocity is calculated:
If the vulnerability is closed: Minimum(365, Number of days between vulnerability close date and vulnerability creation date); otherwise: Minimum(365, Number of days between current date and vulnerability creation date)
Capacity
Capacity measures the average proportion of open vulnerabilities closed in a given time period.
Capacity is calculated:
[Number of vulnerabilities open on all assets at beginning of month] / [Number of vulnerabilities closed on all assets in the past 30 days of that month] (calculated for each month) / number of months in the assets’ lifetime (capped at 12 months)
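A worked computation of the coverage, efficiency and velocity sub-scores over a constructed vulnerability set, added here as an example; it is not code from this page or from the Cisco product. It assumes a remediation is one closed vulnerability instance, and leaves capacity out because its month-by-month per-asset history does not fit a short sample.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Vuln:
    """Constructed record: one vulnerability instance on one asset."""
    created: date
    closed: Optional[date]              # None while still open
    active_internet_breach: bool = False
    easily_exploitable: bool = False

    @property
    def high_risk(self) -> bool:
        # The two categorizations the page uses to define "should be remediated".
        return self.active_internet_breach or self.easily_exploitable


def coverage(vulns: list[Vuln]) -> float:
    """Closed high-risk / all high-risk * 100 (0.0 when nothing is high-risk)."""
    high = [v for v in vulns if v.high_risk]
    if not high:
        return 0.0
    return 100.0 * sum(v.closed is not None for v in high) / len(high)


def efficiency(vulns: list[Vuln]) -> float:
    """High-risk remediations / all remediations * 100.
    Assumption: one remediation == one closed vulnerability instance."""
    done = [v for v in vulns if v.closed is not None]
    if not done:
        return 0.0
    return 100.0 * sum(v.high_risk for v in done) / len(done)


def velocity_days(v: Vuln, today: date) -> int:
    """Days from creation to close, or to today if still open, capped at 365."""
    end = v.closed if v.closed is not None else today
    return min(365, (end - v.created).days)


def mean_velocity(vulns: list[Vuln], today: date) -> float:
    return sum(velocity_days(v, today) for v in vulns) / len(vulns)


# Constructed sample: two high-risk, two low-risk; two closed, two still open.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Vuln(date(2024, 1, 10), date(2024, 1, 20), active_internet_breach=True),  # closed in 10 days
    Vuln(date(2024, 2, 1), None, easily_exploitable=True),                    # open 121 days
    Vuln(date(2024, 3, 1), date(2024, 3, 31)),                                 # low-risk, 30 days
    Vuln(date(2022, 1, 1), None),                                              # open > 1 year -> 365
]
```

Running it on SAMPLE gives coverage 50.0, efficiency 50.0 and a mean velocity of 131.5 days, which shows why the 365-day cap matters: one long-open low-risk finding otherwise dominates the average.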
For guidance on how to better your remediation score and sub-scores, please speak with your customer success or sales representative.
You can also learn more by reading the following research reports from Cisco and the Cyentia Institute:
Prioritization to Prediction—Volume 2: Getting Real About Remediation
Prioritization to Prediction—Volume 3: Winning the Remediation Race
Prioritization to Prediction—Volume 4: Measuring What Matters