Automate and Contextualize Security Issue Risk Rating

Automate security weakness risk rating with business impact as the context.

Organizations need to assign risk ratings to identified security weaknesses (vulnerabilities) in order to prioritize remediation based on risk. The security vulnerability risk rating needs to be contextualized to the organization’s business profile. For instance, a vulnerability resulting in information disclosure should have a much higher risk rating in a military organization than the same one in a social media application.

The risk rating also needs to follow an established methodology such as operational risk management (ORM).


The threat modeling engine uses the risk and business profile (e.g., the confidentiality requirements of an application) as threat modeling input. It also automates the risk rating with the ORM model, incorporating both the impact and the likelihood of identified security weaknesses.


Automate business impact rating of security threats contextualized for the business risk profiles of the enterprise.


Organizations need to associate the security weaknesses identified in security risk analysis with the impact on their business so they can make risk-based decisions, as impact is half of the equation in proper risk rating.


The same technical security weakness may have a very different business impact, depending on which business functions the vulnerable components support. For instance, the same cross-site scripting (XSS) vulnerability will have a very different impact on the customer login page of an online banking portal than on a bulletin board (BBS) page.



Most of the security tools that identify security weaknesses (e.g., vulnerability scanners) do not include business impact in their out-of-the-box risk rating method. Furthermore, most of them do not provide capabilities to contextualize the risk rating with business impact. Such cookie-cutter risk rating does not help organizations prioritize remediation.
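The following is an added illustration of the rating approach described above (impact scaled by the organization's business profile, then combined with likelihood in an ORM-style matrix); it is example code written for this page, not CyberSage's engine or data model. The 1-5 scales, the scaling rule, the score thresholds, and the two sample assets (a banking login page and a bulletin board page, both constructed) are all assumptions of the example.

```python
import math
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class BusinessProfile:
    """How much the organization depends on each security property of an asset.

    Levels run 1 (negligible) to 5 (essential). This structure is an assumption
    of the example, not a real product's data model.
    """
    asset: str
    confidentiality: int
    integrity: int
    availability: int


@dataclass(frozen=True)
class Weakness:
    """A scanner finding with its context-free technical rating.

    technical_impact and likelihood are 1-5, as a scanner might emit them
    before any business context is applied (constructed scale).
    """
    name: str
    affects: tuple  # subset of ("confidentiality", "integrity", "availability")
    technical_impact: int
    likelihood: int


def _check_level(value: int, label: str) -> int:
    """Reject anything outside the 1-5 scale so bad input cannot silently skew a rating."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer in 1..5, got {value!r}")
    return value


def business_impact(weakness: Weakness, profile: BusinessProfile) -> int:
    """Scale the technical impact by the strongest business requirement the weakness degrades.

    An XSS that degrades confidentiality and integrity is scaled by whichever of the
    two the asset needs more. Scaling rule (an assumption): ceil(technical * requirement / 5).
    """
    if not weakness.affects:
        raise ValueError("weakness must affect at least one security property")
    requirement = max(_check_level(getattr(profile, prop), prop) for prop in weakness.affects)
    technical = _check_level(weakness.technical_impact, "technical_impact")
    return max(1, math.ceil(technical * requirement / 5))


def risk_score(weakness: Weakness, profile: BusinessProfile) -> int:
    """ORM-style combination: contextualized impact multiplied by likelihood (1..25)."""
    return business_impact(weakness, profile) * _check_level(weakness.likelihood, "likelihood")


def risk_category(score: int) -> str:
    """Bucket the 1..25 score into remediation tiers (thresholds are an assumption)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def rate(weakness: Weakness, profile: BusinessProfile) -> dict:
    """Produce one rated finding with every factor visible for audit."""
    score = risk_score(weakness, profile)
    return {
        "weakness": weakness.name,
        "asset": profile.asset,
        "impact": business_impact(weakness, profile),
        "likelihood": weakness.likelihood,
        "score": score,
        "category": risk_category(score),
    }


def prioritize(findings: Iterable) -> list:
    """Order (weakness, profile) pairs by contextualized risk, highest first."""
    return sorted((rate(w, p) for w, p in findings), key=lambda r: r["score"], reverse=True)


# Constructed sample data: one technical weakness seen on two assets with different profiles.
XSS = Weakness("reflected XSS", ("confidentiality", "integrity"), technical_impact=4, likelihood=4)
BANK_LOGIN = BusinessProfile("online banking login page", confidentiality=5, integrity=5, availability=4)
BBS_PAGE = BusinessProfile("public bulletin board page", confidentiality=2, integrity=2, availability=2)

if __name__ == "__main__":
    for r in prioritize([(XSS, BBS_PAGE), (XSS, BANK_LOGIN)]):
        print(f'{r["category"]:8} score={r["score"]:2} impact={r["impact"]} '
              f'likelihood={r["likelihood"]}  {r["weakness"]} on {r["asset"]}')
```

With these inputs the same XSS finding rates Critical (score 16) on the banking login page and Medium (score 8) on the bulletin board page, which is exactly the distinction a context-free scanner rating cannot make. Keeping every factor in the output record lets a reviewer see why two identical findings landed in different tiers.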


CyberSage incorporates threat and impact analysis of IT assets in security issue risk rating in two ways:


Associate each security weakness with the business impact specific to the organization.


More details are in the CyberSage White Paper.