What Does Each Risk Score Mean? (CVSS, DREAD)
A Risk Score is a numerical measure that quantifies an identified risk, ranging from 0 to 10, where 0 is extremely low risk and 10 is extremely high risk. Risk scores help you understand and manage risk when assessing the security of your organization.
Risk scores are calculated with an industry-standard calculator that determines the risk level. For general reference, CVSS scores between 0.1 and 3.9 are considered Low, 4.0 to 6.9 Medium, 7.0 to 8.9 High, and 9.0 to 10.0 Critical.
CVSS
The Common Vulnerability Scoring System (CVSS) measures the severity of an information-security vulnerability as a number from 0 to 10, with 0 being the lowest severity and 10 the highest.
Infosec teams use CVSS scores to compare vulnerabilities and determine which ones should be addressed first.
DREAD
The DREAD risk score takes its name from the acronym of the five factors that are rated to calculate it:
- Damage potential — How much are the assets affected?
- Reproducibility — How easily can the attack be reproduced?
- Exploitability — How easily can the attack be launched?
- Affected users — What’s the number of affected users?
- Discoverability — How easily can the vulnerability be found?
By answering the questions above and assigning a rating value to each factor, you classify the threat as high, medium, or low. Severity is represented by rating values expressed numerically (3 = high, 2 = medium, 1 = low).
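As an added worked example that is not part of the original page, the script below applies the CVSS bands listed above and a five-factor DREAD rating to a few constructed findings and orders them for remediation. The page gives no cut-offs for classifying the summed DREAD total, so the example assumes the commonly used Microsoft DREAD thresholds (High 12-15, Medium 8-11, Low 5-7); the finding IDs, scores and ratings are constructed.

```python
# CVSS qualitative bands exactly as stated on the page.
CVSS_BANDS = [(0.1, 3.9, "Low"), (4.0, 6.9, "Medium"),
              (7.0, 8.9, "High"), (9.0, 10.0, "Critical")]
BAND_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# The five DREAD factors, each rated 3 = high, 2 = medium, 1 = low.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")

def cvss_severity(score: float) -> str:
    """Map a CVSS base score (0.0-10.0, one decimal place) to its qualitative band."""
    if not 0.0 <= score <= 10.0 or round(score, 1) != score:
        raise ValueError(f"invalid CVSS score: {score}")
    for low, high, label in CVSS_BANDS:
        if low <= score <= high:
            return label
    return "None"  # only 0.0 reaches here: outside the page's bands, CVSS v3.x calls it None

def dread_score(ratings: dict) -> int:
    """Sum the five factor ratings into a DREAD total (5-15), validating each rating."""
    missing = set(DREAD_FACTORS) - set(ratings)
    if missing:
        raise ValueError(f"missing DREAD factors: {sorted(missing)}")
    for factor in DREAD_FACTORS:
        if ratings[factor] not in (1, 2, 3):
            raise ValueError(f"{factor}: rating must be 1, 2 or 3")
    return sum(ratings[f] for f in DREAD_FACTORS)

def dread_class(total: int) -> str:
    """Classify a DREAD total. ASSUMPTION: the page gives no cut-offs, so the
    Microsoft DREAD thresholds are used (High 12-15, Medium 8-11, Low 5-7)."""
    if total >= 12:
        return "High"
    return "Medium" if total >= 8 else "Low"

def prioritise(findings: list) -> list:
    """Order findings for remediation: CVSS band first, then DREAD total, then raw score."""
    return sorted(findings, reverse=True, key=lambda f: (
        BAND_RANK[cvss_severity(f["cvss"])], dread_score(f["dread"]), f["cvss"]))

# Constructed sample findings: IDs, scores and ratings are invented for illustration.
SAMPLE_FINDINGS = [
    {"id": "F-1", "cvss": 7.5, "dread": dict(zip(DREAD_FACTORS, (3, 3, 2, 3, 2)))},
    {"id": "F-2", "cvss": 9.1, "dread": dict(zip(DREAD_FACTORS, (3, 1, 1, 2, 1)))},
    {"id": "F-3", "cvss": 3.1, "dread": dict(zip(DREAD_FACTORS, (1, 2, 1, 1, 2)))},
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        total = dread_score(f["dread"])
        print(f["id"], f["cvss"], cvss_severity(f["cvss"]), total, dread_class(total))
```

Note that a finding with a Critical CVSS score but a Medium DREAD total (F-2) still sorts first here; swap the key order if your programme weights DREAD above CVSS.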
Likelihood
The Likelihood of a finding is the probability that it will be exploited and thereby cause damage to the organization. Likelihood is determined by continuously monitoring security programs, policies, and controls for their effectiveness against an evolving threat landscape.
The different Likelihood levels are Low, Medium, High, and Critical.