Company risk score
The Company risk score represents the overall level of risk your organization is exposed to by misconfigured system settings, known vulnerabilities of currently installed applications, and risks generated by user behavior.
The score can have a value between 0 and 100, and is composed of a base score and, if present, multiple modifiers.
How the company risk score is calculated
The company base score is calculated based on the individual base score of all risk types, to which modifiers are added to establish to final company risk score.
Each risk type type has a different base score calculation, and it's own specific modifiers:
Risk type | Base score calculation | Possible modifiers |
---|---|---|
Misconfigurations (IOR) | Established by Bitdefender security experts. Possible values:
| Organization-level impact - This score is established by the number of endpoints where the misconfiguration is present, in relation to the total number of endpoints managed by the company. |
Vulnerabilities | Defined based on the CVSS2 / CVSS3 scoring systems. | Organization-level impact - This score is established by the number of endpoints where the vulnerability is present, in relation to the total number of endpoints detected. The company industry - Relevant if this vulnerability is actively exploited. This is established based on information from out threat intelligence services. Active known exploits - If there are any known exploits currently being used to take advantage of the vulnerability. |
User based risks (HBR) | Established by Bitdefender security experts. Possible values:
| Organization-level impact - This score is established by the number of users the risk is applicable to, in relation to the total number of users present in the company. |
Devices | Calculated based on the total number of misconfigurations and vulnerabilities. | Active users - The number of active users using the endpoint. High risk user - If a high-risk user has logged in and used the device in the past 30 days. |
User risks | Calculated based on the total number of user based risks triggered by the user. | N/A |
Results are kept for 90 days, or until the next scan.
Running an on-demand Risk Scan can influence the overall score, due to changes in the environment that fixed a vulnerability, specific risks being ignored or no longer being ignored, new endpoints being scanned, new users being detected, or other events and settings.