In Cisco Vulnerability Management, all vulnerabilities have 4 possible statuses: Open, Closed, Risk Accepted, & False Positive.
When utilizing the Risk Accepted vulnerability status, Cisco Vulnerability Management’s “True Risk Score” can help identify how much risk is truly present in your environment. Your “true risk score” for any given risk meter is calculated to include all risk accepted vulnerabilities that would fall into that asset group if they were not risk accepted. It lets you ask the following question: “What would my Risk Meter score be if none of the vulnerabilities had been marked risk accepted?”. This is what Cisco Vulnerability Management deems your “True Risk Score” for that group of assets.
For those more familiar with risk reporting terms, the risk meter score is "Residual Risk" and the True Risk score is "Inherent Risk".
The “True Risk Score” of any Risk Meter can be found on the reporting page, in the Risk Group Overview at the top (shown below). The link in blue is a count of the "risk accepted" vulnerabilities and clicking it will take you to the Vulnerability Management Explore page, filtered to view only those specific vulnerabilities.
If the Risk Meter has no Risk Accepted vulnerabilities, the “True Risk Score” metric will not appear, and the default block, risk score from 90 days ago, will display as shown below.
If you are using the API to pull risk meter reporting data from the Asset Groups endpoint, the True Risk score will always be included in the response regardless of whether there are Risk Accepted vulnerabilities or not. In the case that there are no Risk Accepted vulnerabilities, the Risk Meter score and True Risk score will be identical.
Comments
Please sign in to leave a comment.