
Company risk score

The Company risk score represents the overall level of risk your organization is exposed to by misconfigured system settings, known vulnerabilities of currently installed applications, and risks generated by user behavior.

The score can have a value between 0 and 100, and is composed of a base score and, if present, multiple modifiers.

How the company risk score is calculated

The company base score is calculated from the individual base scores of all risk types; modifiers are then added to establish the final company risk score.

Each risk type has a different base score calculation and its own specific modifiers:

Risk type: Findings (IOR)

  Base score calculation: Established by Bitdefender security experts. Possible values:

  • Low

  • Medium

  • High

  Possible modifiers:

  • Organization-level impact - This score is established by the number of endpoints where the finding is present, in relation to the total number of endpoints managed by the company.

Risk type: Vulnerabilities

  Base score calculation: Defined based on the CVSS2 / CVSS3 scoring systems.

  Possible modifiers:

  • Organization-level impact - This score is established by the number of endpoints where the vulnerability is present, in relation to the total number of endpoints detected.

  • The company industry - Relevant if this vulnerability is actively exploited. This is established based on information from our threat intelligence services.

  • Active known exploits - If there are any known exploits currently being used to take advantage of the vulnerability.

Risk type: Identity based risks

  Base score calculation: Established by Bitdefender security experts. Possible values:

  • Low

  • Medium

  • High

  Possible modifiers:

  • Organization-level impact - This score is established by the number of identities the risk is applicable to, in relation to the total number of identities present in the company.

Risk type: Resources

  Base score calculation: Calculated based on the total number of findings and vulnerabilities.

  Possible modifiers:

  • Active identities - The number of active identities using the endpoint.

  • High risk identity - If a high-risk identity has logged in and used the resource in the past 30 days.

Risk type: Identity risks

  Base score calculation: Calculated based on the total number of identity based risks triggered by the identity.

  Possible modifiers: N/A
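To make the structure of the calculation concrete, the following is an added toy model written for this page; it is not Bitdefender's scoring code, and the page does not publish the actual weights. The severity-to-points mapping, the CVSS scaling, the modifier point values and the worst-of aggregation in company_score are all assumptions chosen for illustration. What the model does take from the page is the shape of the calculation: a base score per risk type, an organization-level impact modifier expressed as the share of endpoints or identities affected, the company-industry modifier that only counts when a vulnerability is actively exploited, the 30-day window for the high-risk identity modifier, and the 0 to 100 range of the final score.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# ASSUMED mapping of expert-assigned severity to base points (not Bitdefender's values).
SEVERITY_BASE = {"Low": 20, "Medium": 50, "High": 80}
# Window for the "High risk identity" modifier, as stated on the page.
HIGH_RISK_LOGIN_WINDOW = timedelta(days=30)


def organization_impact(affected: int, total: int) -> float:
    """Share of endpoints (or identities) where the risk is present, 0.0..1.0."""
    if total <= 0:
        return 0.0
    return min(affected, total) / total


def clamp(score: float) -> int:
    """Scores on the page always fall between 0 and 100."""
    return int(max(0, min(100, round(score))))


@dataclass
class Finding:
    severity: str            # Low / Medium / High, set by Bitdefender experts
    affected_endpoints: int
    total_endpoints: int     # endpoints managed by the company


def finding_score(f: Finding, impact_weight: float = 20.0) -> int:
    # ASSUMED: severity base plus up to `impact_weight` points of organization-level impact.
    base = SEVERITY_BASE[f.severity]
    return clamp(base + impact_weight * organization_impact(f.affected_endpoints, f.total_endpoints))


@dataclass
class Vulnerability:
    cvss: float              # CVSS2 / CVSS3 base score, 0.0..10.0
    affected_endpoints: int
    total_endpoints: int     # endpoints detected
    actively_exploited: bool = False   # "Active known exploits" modifier
    industry_targeted: bool = False    # "The company industry" modifier


def vulnerability_score(v: Vulnerability, impact_weight: float = 20.0,
                        exploit_bonus: float = 15.0, industry_bonus: float = 10.0) -> int:
    # ASSUMED: scale CVSS 0..10 onto 0..100, then add modifier points.
    score = v.cvss * 10
    score += impact_weight * organization_impact(v.affected_endpoints, v.total_endpoints)
    if v.actively_exploited:
        score += exploit_bonus
        # Page: the company industry is only relevant if the vulnerability is actively exploited.
        if v.industry_targeted:
            score += industry_bonus
    return clamp(score)


def high_risk_identity_used(last_login: date, today: date) -> bool:
    """True if a high-risk identity used the resource within the past 30 days."""
    age = today - last_login
    return timedelta(0) <= age <= HIGH_RISK_LOGIN_WINDOW


def company_score(risk_type_scores) -> int:
    # ASSUMED aggregation: the company score follows the worst risk type.
    return clamp(max(risk_type_scores, default=0))


if __name__ == "__main__":
    # Constructed sample data for a quick run.
    f = Finding("High", affected_endpoints=50, total_endpoints=100)
    v = Vulnerability(7.5, 10, 100, actively_exploited=True, industry_targeted=True)
    print(finding_score(f), vulnerability_score(v), company_score([finding_score(f), vulnerability_score(v)]))
```

The useful part of the model is not the numbers but the checks: impact is a ratio so a finding on 5 of 10 endpoints weighs more than the same finding on 5 of 1000, the industry modifier is gated on active exploitation, and the high-risk identity modifier expires after 30 days, which is one reason an on-demand scan can move the score without any change to the installed software.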

Results are kept for 90 days, or until the next scan.

Running an on-demand Risk Scan can influence the overall score, due to changes in the environment that fixed a vulnerability, specific risks being ignored or no longer being ignored, new endpoints being scanned, new identities being detected, or other events and settings.