Risk model methodology

How the Business Risk Score is calculated

This tool does not replace CVSS, EPSS, CISA KEV or enterprise vulnerability management platforms. It creates a transparent contextual business risk score by combining technical severity, exploitation likelihood, asset exposure, business impact and compensating controls.

Important: This score is a decision-support aid. It does not guarantee accuracy, completeness or fitness for any specific compliance framework. Always validate findings with qualified security professionals.
Model version: v0.2-calibrated
Score range: 0 – 100
Critical threshold: 90+
Critical SLA: 7–14 days

Model overview

The model starts with CVSS as the technical baseline. It then adds contextual factors that are normally missing from raw CVSS prioritization: exposure, asset type, exploit maturity, EPSS, KEV, data sensitivity, business criticality, patch complexity and compensating controls.

Business Risk Score = CVSS technical base + exposure + asset impact + exploit maturity + EPSS + KEV + business criticality + data sensitivity + patch complexity + authentication adjustment − compensating controls
CVSS is the technical baseline, not the final priority
Exploitation intelligence (EPSS and CISA KEV) weights active threats higher
Asset exposure and type change the business blast radius
Business criticality and data sensitivity connect to organisational impact
Compensating controls reduce but do not eliminate risk
Patch complexity affects the remediation window and urgency

Score ceiling: The composite is capped at 100, so on highly exposed findings the raw total can exceed the ceiling before compensating controls are applied, absorbing part of their visible effect on the final score. When this occurs, the risk summary shows the pre-mitigation exposure score and the number of points absorbed by the cap.

CVSS technical baseline

CVSS remains the technical severity input. The business score does not overwrite CVSS; it uses CVSS as one part of a broader prioritization model.

Current formula
CVSS technical base = CVSS score × 4.0

Exposure scoring

Exposure is one of the strongest business risk drivers because it changes how reachable the vulnerable asset is.

Factor | Points | Reason
Internet-facing | +20 | Directly reachable from the public internet
Internal prod | +12 | Reachable within the production network
Dev/Test | +4 | Isolated from production systems
Air-gapped | 0 | No network path to sensitive systems

Asset impact scoring

Different asset types have different blast radii. Identity, edge and database systems are weighted higher than workstations or dev/test systems.

Factor | Points | Reason
Identity (IdP/AD) | +18 | Credential compromise affects entire estate
Internet edge | +16 | Public-facing perimeter with direct attacker access
Database | +14 | Contains sensitive or regulated data
Workstation | +6 | Limited blast radius in most configurations

Exploit maturity scoring

The model increases urgency when exploitation is known, weaponized or publicly demonstrated.

Factor | Points | Reason
Confirmed in wild | +20 | Active exploitation documented by reliable sources
PoC public | +14 | Weaponized exploit code publicly available
Theoretical | +4 | No known exploitation path or public code
Not applicable | 0 | No exploit path exists

EPSS scoring

EPSS represents probability-oriented exploit intelligence. Higher EPSS increases the score.

Factor | Points | Reason
≥ 90% | +20 | Extremely high exploit probability per FIRST EPSS
50–89% | +12 | High exploit probability
10–49% | +6 | Moderate exploit probability
< 10% | 0 | Low exploit probability

Business criticality scoring

Business importance changes remediation priority even when technical severity is the same.

Factor | Points | Reason
Mission critical | +16 | Disruption causes immediate business impact
Business important | +10 | Disruption degrades key business processes
Standard | +4 | Low business dependency
Low | 0 | Minimal business function dependency

Data sensitivity scoring

Regulated, financial, personal or confidential data increases business impact.

Factor | Points | Reason
Regulated (PCI/HIPAA/GDPR) | +16 | Breach triggers regulatory notification obligations
Financial | +12 | Financial data exposure increases impact
Confidential | +8 | Internal sensitive data at risk
Public | 0 | No sensitive data at risk

Patch complexity scoring

Difficult patching increases the exposure window and may require compensating controls.

Factor | Points | Reason
Requires downtime | +10 | Patch window must be scheduled, increasing exposure
Requires testing | +6 | Regression risk slows remediation
Simple | 0 | Drop-in patch with no disruption

Compensating controls

Controls reduce urgency but do not remove the underlying vulnerability.

Factor | Points | Reason
Network isolation | −10 | Segmentation limits reachability
WAF / virtual patch | −8 | Active filtering reduces exploitation likelihood
MFA enforced | −6 | Credential-based exploitation harder
EDR monitoring | −4 | Active detection reduces dwell time

KEV and authentication adjustments

Factor | Points | Reason
CISA KEV | +15 | Known-exploited vulnerabilities represent active, real-world attack activity and require urgent treatment.
Authentication required | −5 | Requires credentials, reducing the pool of potential attackers and exploitation speed.
No authentication required | +8 | No credential barrier; any network-reachable attacker can attempt exploitation.
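The formula in the model overview, the factor tables above and the score-ceiling behaviour can be exercised end to end with the following scorer. This is an added example written for this page, not the tool's own code: the point values are transcribed from the tables, the short dictionary keys (such as "internet-edge" or "waf") are labels chosen here, the lower clamp at 0 is an assumption (the page states only the 100 cap), and the "points absorbed by the cap" figure is computed as the portion of the control deduction that falls inside the overshoot above 100, which is one reading of the score-ceiling note. The two findings at the bottom are constructed, not real CVEs or assets.

```python
from dataclasses import dataclass

# Point tables transcribed from the methodology page (v0.2-calibrated).
# The dictionary keys are short labels chosen for this example; the points are the page's.
EXPOSURE = {"internet-facing": 20, "internal-prod": 12, "dev-test": 4, "air-gapped": 0}
ASSET = {"identity": 18, "internet-edge": 16, "database": 14, "workstation": 6}
EXPLOIT = {"confirmed-in-wild": 20, "poc-public": 14, "theoretical": 4, "not-applicable": 0}
CRITICALITY = {"mission-critical": 16, "business-important": 10, "standard": 4, "low": 0}
DATA = {"regulated": 16, "financial": 12, "confidential": 8, "public": 0}
PATCH = {"requires-downtime": 10, "requires-testing": 6, "simple": 0}
CONTROLS = {"network-isolation": 10, "waf": 8, "mfa": 6, "edr": 4}
KEV_POINTS = 15
AUTH_REQUIRED_POINTS = -5
NO_AUTH_POINTS = 8
CVSS_MULTIPLIER = 4.0
CAP = 100.0
CRITICAL_THRESHOLD = 90.0


def epss_points(epss: float) -> int:
    """Map an EPSS probability (0.0-1.0) onto the page's EPSS buckets."""
    if not 0.0 <= epss <= 1.0:
        raise ValueError("EPSS is a probability between 0 and 1")
    if epss >= 0.90:
        return 20
    if epss >= 0.50:
        return 12
    if epss >= 0.10:
        return 6
    return 0


@dataclass(frozen=True)
class Finding:
    cvss: float
    exposure: str
    asset: str
    exploit: str
    epss: float
    in_kev: bool
    criticality: str
    data: str
    patch: str
    auth_required: bool
    controls: tuple = ()


@dataclass(frozen=True)
class RiskSummary:
    pre_mitigation: float   # uncapped total before compensating controls are deducted
    control_points: int     # total deduction claimed by the selected controls
    final: float            # Business Risk Score, clamped to 0-100
    absorbed_by_cap: float  # control points with no visible effect because the total overshot the cap
    is_critical: bool       # final >= 90, the page's critical threshold


def score(f: Finding) -> RiskSummary:
    """Additive formula from the model overview, then the control deduction, then the cap."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError("CVSS base score must be between 0 and 10")
    pre_mitigation = (
        f.cvss * CVSS_MULTIPLIER
        + EXPOSURE[f.exposure]
        + ASSET[f.asset]
        + EXPLOIT[f.exploit]
        + epss_points(f.epss)
        + (KEV_POINTS if f.in_kev else 0)
        + CRITICALITY[f.criticality]
        + DATA[f.data]
        + PATCH[f.patch]
        + (AUTH_REQUIRED_POINTS if f.auth_required else NO_AUTH_POINTS)
    )
    control_points = sum(CONTROLS[c] for c in f.controls)
    raw = pre_mitigation - control_points
    final = max(0.0, min(CAP, raw))  # the 0 floor is an assumption; the page only states the cap
    # Control points that fall inside the overshoot above the cap change nothing the reader sees.
    absorbed = min(float(control_points), max(0.0, pre_mitigation - CAP))
    return RiskSummary(pre_mitigation, control_points, final, absorbed, final >= CRITICAL_THRESHOLD)


# Constructed sample findings (not real CVEs or assets).
EDGE_FINDING = Finding(cvss=9.8, exposure="internet-facing", asset="internet-edge",
                       exploit="confirmed-in-wild", epss=0.95, in_kev=True,
                       criticality="mission-critical", data="regulated",
                       patch="requires-downtime", auth_required=False,
                       controls=("waf", "edr"))
WORKSTATION_FINDING = Finding(cvss=7.5, exposure="internal-prod", asset="workstation",
                              exploit="theoretical", epss=0.02, in_kev=False,
                              criticality="standard", data="confidential",
                              patch="simple", auth_required=True,
                              controls=("mfa", "edr"))

if __name__ == "__main__":
    for name, finding in (("edge", EDGE_FINDING), ("workstation", WORKSTATION_FINDING)):
        print(name, score(finding))
```

The edge finding totals 180.2 before controls, so its 12 points of WAF and EDR credit are entirely absorbed by the cap and the final score stays at 100; the workstation finding totals 59 and its 10 control points are fully visible, landing at 49 and well below the critical threshold.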

Future enrichment sources

In the production version, manual inputs can be automatically enriched from public security sources. Internal business context will still need to come from the user, CMDB, asset inventory or vulnerability management platform.

NVD

CVE description, CVSS score, vector, affected products and references.

FIRST EPSS

Exploit probability score and percentile for known CVEs.

CISA KEV

Known exploited vulnerability status and remediation urgency.
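The enrichment step described above, as an added example that is not part of the tool: it pulls the technical inputs (CVSS score and vector, EPSS probability, KEV status) for one CVE out of records shaped like the three feeds named here and leaves the business-context inputs to the user. The three JSON documents are constructed for the example, the CVE id is a placeholder rather than a real vulnerability, the field layout follows the public NVD 2.0, FIRST EPSS and CISA KEV formats as understood at the time of writing, and deriving "authentication required" from the CVSS Privileges Required component is an assumption made here, not a mapping the page states.

```python
import json

# Constructed sample records shaped like the three public sources the page names.
# The CVE id is a placeholder and every value below is made up for this example.
PLACEHOLDER_CVE = "CVE-0000-00000"

NVD_RESPONSE = json.loads("""{
  "vulnerabilities": [{"cve": {"id": "CVE-0000-00000",
    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8,
      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]}}}]}""")

EPSS_RESPONSE = json.loads("""{"status": "OK",
  "data": [{"cve": "CVE-0000-00000", "epss": "0.91234", "percentile": "0.99", "date": "2024-01-01"}]}""")

KEV_CATALOG = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-00000", "dateAdded": "2024-01-02", "dueDate": "2024-01-16"}]}""")


def enrich(cve_id, nvd_doc, epss_doc, kev_doc):
    """Collect the technical model inputs for one CVE from the three feeds.

    Returns cvss, vector, auth_required, epss, in_kev and kev_due_date; fields stay None
    (or False for in_kev) when a feed has no entry, so missing intelligence is visible rather
    than silently scored as zero. Exposure, asset type, criticality, data sensitivity and
    controls are business context and are deliberately not filled in here.
    """
    out = {"cvss": None, "vector": None, "auth_required": None,
           "epss": None, "in_kev": False, "kev_due_date": None}
    for item in nvd_doc.get("vulnerabilities", []):
        cve = item.get("cve", {})
        if cve.get("id") != cve_id:
            continue
        metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
        if metrics:
            data = metrics[0]["cvssData"]
            out["cvss"] = float(data["baseScore"])
            out["vector"] = data["vectorString"]
            # Assumption: any Privileges Required value other than "N" counts as
            # "authentication required" for the model's authentication adjustment.
            components = dict(p.split(":", 1) for p in out["vector"].split("/")[1:])
            pr = components.get("PR")
            out["auth_required"] = pr is not None and pr != "N"
    for row in epss_doc.get("data", []):
        if row.get("cve") == cve_id:
            out["epss"] = float(row["epss"])  # the feed serialises the probability as a string
    for row in kev_doc.get("vulnerabilities", []):
        if row.get("cveID") == cve_id:
            out["in_kev"] = True
            out["kev_due_date"] = row.get("dueDate")
    return out


if __name__ == "__main__":
    print(enrich(PLACEHOLDER_CVE, NVD_RESPONSE, EPSS_RESPONSE, KEV_CATALOG))
    print(enrich("CVE-0000-99999", NVD_RESPONSE, EPSS_RESPONSE, KEV_CATALOG))
```

Keeping unknown fields as None rather than defaulting them is the design choice worth copying: a CVE absent from EPSS or KEV should prompt a manual check, not quietly score as low probability.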