How does the CyberRisk work?
The CyberRisk is displayed within the Website security check and NetCaptain with all systems and is intended to indicate how (un) secure a system is. It is good to realize that we cannot speak of a safe system when the CyberRisk is below a certain value. In general, however, we can say that when the CyberRisk has increased, the chance of abuse increases. The CyberRisk will help you determine if you are on the right track in terms of security. The higher the CyberRisk, the higher the risk.
How is the CyberRisk calculated?
The minimum score is a CyberRisk of 100. This indicates that there is always a risk, even if all findings have been resolved. It may be that there are vulnerabilities in the system that have not yet been discovered. The CyberRisk score is determined as follows: it looks at the open vulnerabilities; we count low findings once, medium findings three times, high findings twelve times and critical findings fifteen. Obviously, we do not count resolved findings. Within NetCaptain and Colony it is possible to indicate whether a system is internet facing (for example a website). In that case, the score will be increased by 20%. Servers that hackers can access directly run a greater risk of being attacked. With the Website security check and WebShepherd, this bonus is included as standard because websites are by definition internet facing.
The graph above shows how the CyberRisk relates to the number of vulnerabilities. The red line is CyberRisk, the blue is the number of vulnerabilities. After the first scan, 100 vulnerabilities are resolved. It is striking that this makes little difference to the CyberRisk: after the second scan there is practically no decrease to be seen. This is because the focus was on brushing away trivial findings as quickly as possible. If we then look at the last scan, we see that another 100 findings have been resolved, but that this time we looked at what is important. As a result, we see that the CyberRisk has been cut in half. The above example shows well how the CyberRisk can help to check whether the focus is right, are we solving risk based, or are we going for quantity?