In what is the Risk Score based? #894
Replies: 1 comment
Currently, it's more of a weighted severity score and is similar to what Tenable uses in their products. Other security vendors use variations of essentially the same thing. Risk management however, takes into consideration impact and likelihood. CVSS and other vulnerability scoring systems do not attempt to communicate risk, only severity. Eventually, the auditing framework that's in place for policy violations will be combined with some new attributes for projects that describe the asset, data classifications, business criticality, etc, which will be used to calculate more realistic risk scores. However, all of that is optional. When complete, it will likely use the OWASP Risk Rating algorithm (or a variation of it). That final calculation will be used in the weighted scoring you outlined above. I don't know if there's a ticket open to track that or not, but if that's a feature you'd like to see implemented and would like to track, I'd encourage you to create an enhancement.
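To make the distinction in the reply concrete, here is an added example (not code from Dependency-Track, and the severity weights are assumed for illustration, not the project's constants) that scores the same two findings first as a context-free weighted severity score and then with the published OWASP Risk Rating Methodology, where eight likelihood factors and eight impact factors are each averaged on a 0-9 scale, banded, and combined through the likelihood x impact matrix. The two project contexts (`PAYMENT_API`, `INTERNAL_TOOL`) and the findings list are constructed sample data.

```python
"""Weighted severity score versus OWASP Risk Rating for the same findings.

Added example; the weights and sample inventory are not from the
Dependency-Track project. Factor names, the 0-9 scale, the LOW/MEDIUM/HIGH
bands and the overall-risk matrix follow the OWASP Risk Rating Methodology.
"""
from statistics import mean

# Hypothetical weights for a context-free "weighted severity score"
# (assumed for illustration only, not the project's actual constants).
SEVERITY_WEIGHTS = {"CRITICAL": 10, "HIGH": 5, "MEDIUM": 3, "LOW": 1}


def weighted_severity_score(findings):
    """Sum severity weights over (component, severity) findings.

    Two projects with identical findings always get identical scores,
    regardless of how exposed or business-critical each asset is.
    """
    return sum(SEVERITY_WEIGHTS[sev] for _, sev in findings)


# OWASP Risk Rating factor groups, each factor scored 0-9.
LIKELIHOOD_FACTORS = (
    # threat agent factors
    "skill_level", "motive", "opportunity", "size",
    # vulnerability factors
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
IMPACT_FACTORS = (
    # technical impact
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    # business impact
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# Overall risk matrix from the methodology, indexed [impact][likelihood].
RISK_MATRIX = {
    "HIGH":   {"LOW": "MEDIUM", "MEDIUM": "HIGH",   "HIGH": "CRITICAL"},
    "MEDIUM": {"LOW": "LOW",    "MEDIUM": "MEDIUM", "HIGH": "HIGH"},
    "LOW":    {"LOW": "NOTE",   "MEDIUM": "LOW",    "HIGH": "MEDIUM"},
}


def level(score):
    """Map a 0-9 factor average onto the OWASP LOW / MEDIUM / HIGH bands."""
    if not 0 <= score <= 9:
        raise ValueError(f"factor average out of range: {score}")
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def owasp_risk_rating(factors):
    """Return (likelihood, impact, overall) for a dict of 0-9 factor scores.

    Likelihood and impact are the plain average of their eight factors,
    banded with level(); the overall rating is read from the matrix.
    """
    missing = set(LIKELIHOOD_FACTORS + IMPACT_FACTORS) - set(factors)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    likelihood = level(mean(factors[f] for f in LIKELIHOOD_FACTORS))
    impact = level(mean(factors[f] for f in IMPACT_FACTORS))
    return likelihood, impact, RISK_MATRIX[impact][likelihood]


# Constructed sample: the same two findings in two different projects.
FINDINGS = [("libfoo", "CRITICAL"), ("libbar", "MEDIUM")]

# Constructed context: internet-facing payment service, attractive target.
PAYMENT_API = {
    "skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 7, "awareness": 9, "intrusion_detection": 8,
    "loss_of_confidentiality": 9, "loss_of_integrity": 7,
    "loss_of_availability": 7, "loss_of_accountability": 7,
    "financial_damage": 9, "reputation_damage": 9, "non_compliance": 7, "privacy_violation": 9,
}
# Constructed context: offline build tool on an isolated network.
INTERNAL_TOOL = {
    "skill_level": 3, "motive": 1, "opportunity": 1, "size": 2,
    "ease_of_discovery": 1, "ease_of_exploit": 3, "awareness": 1, "intrusion_detection": 3,
    "loss_of_confidentiality": 2, "loss_of_integrity": 3,
    "loss_of_availability": 1, "loss_of_accountability": 1,
    "financial_damage": 1, "reputation_damage": 1, "non_compliance": 2, "privacy_violation": 3,
}

if __name__ == "__main__":
    # Same severity score for both projects; very different risk ratings.
    print("weighted severity score:", weighted_severity_score(FINDINGS))
    for name, ctx in (("payment api", PAYMENT_API), ("internal tool", INTERNAL_TOOL)):
        print(name, owasp_risk_rating(ctx))
```

Run as a script it prints the single severity score (13 with the assumed weights) followed by a CRITICAL rating for the payment service and a NOTE rating for the internal tool, which is the point of the reply: severity is a property of the vulnerability, risk is a property of the vulnerability in a particular asset context.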
I'm trying to understand more about the Risk Score and I faced this formula in the Metrics class:
So I was left with some doubts,
Is this formula a universal way to calculate risk?
What is the formula based on?
Thanks,
Daniel