Risk Calculation

CloudGuard assesses cloud risk based on findings, exposure, privilege levels, and other factors.

CloudGuard gives a Risk Score to cloud assets. The Risk Score of a cloud asset is a number between 0.1 and 10.0.

CloudGuard gives a Risk Level to cloud environments. The Risk Level of a cloud environment is Low, Medium, High, or Critical.

This table shows the correspondence between Risk Levels and Risk Scores (and their background colors):

Risk Score    Risk Level    Background Color
0.1 - 3.9     Low
4.0 - 6.9     Medium
7.0 - 8.9     High
9.0 - 10.0    Critical

Asset Risk (Risk Score)

CloudGuard analyzes your cloud assets and gives a risk score to each supported asset. CloudGuard considers these factors:

  • The attack surface of each asset (for example, Common Vulnerabilities and Exposures (CVEs), misconfigurations, or Toxic Combinations)

  • The likelihood that the asset is a target for attacks (for example, publicly exposed assets or WAF availability)

  • The possible impact if the asset is compromised (for example, business priority)

CloudGuard recalculates the risk score after you change the rules for risk calculation and after you change the business priority of an asset. If you do not do one of these, CloudGuard recalculates the risk score once every several hours. For more information about rulesets and configuration instructions, see ERM Rulesets.

To see the risk score of your assets, navigate to Risk Management > Protected Assets. For more information, see ERM Protected Assets.

How CloudGuard Calculates a Risk Score

  1. CloudGuard uses these findings to calculate a risk score:

    • toxic combinations

    • CVEs

    • misconfigurations

    • threats

    • secrets

    CloudGuard supports several vulnerability scanners. CloudGuard's AWP solution finds CVEs, threats, and secrets. In AWS environments, Amazon Inspector v2 also scans assets for CVEs. The risk score calculation does not include vulnerabilities with Informational and Unknown severity.

  2. CloudGuard classifies each finding by severity: Low, Medium, High, or Critical.

  3. CloudGuard uses a formula to determine the risk score for an asset. These are general principles of how the formula compares assets:

    1. An asset with a higher severity finding gets a higher risk score than an asset with lower severity findings.

      Example - Asset A has 1 High severity finding, and Asset B has 20 Medium severity findings. Asset A gets a higher risk score.

    2. If two assets have a highest-level security finding at the same level, the one with a larger number of findings at the highest level gets priority.

      Example - Asset C has 2 High severity findings, and Asset D has 4 High severity findings. Asset D gets a higher risk score.

    3. If two assets have the same number of findings at the highest common level, the asset with more findings at the next highest level gets a higher risk score.

      Example - Asset E has 2 High severity findings and 2 Medium severity findings. Asset F has 2 High severity findings and 1 Low severity finding. Asset E gets a higher risk score.

How CloudGuard Modifies the Risk Score based on Context Modifiers

After CloudGuard takes findings into account, CloudGuard adjusts the risk score based on the business priority of the asset. For more information about Business Priority, see Business Priority.

In addition, CloudGuard modifies the Risk Score based on contextual data, including:

  • Network Exposure - The level of network accessibility from the public domain. If a network is partially public or private, CloudGuard reduces the risk score by a constant magnitude.

  • IAM Exposure - The level of asset accessibility from the public domain. If an asset is partially public or private, CloudGuard reduces the risk score by a constant magnitude.

  • IAM Sensitivity - The possible damage caused to the cloud environment because of IAM permissions. The less sensitive the asset, the more CloudGuard reduces the risk score. For more information, see IAM_Sensitivity.

  • Data Sensitivity - Indicates if the data in the asset is sensitive or not. If the asset does not hold sensitive data, CloudGuard reduces the risk score by a constant magnitude.

  • WAF Protection - Adds a layer of security and reduces the risk score by a constant magnitude. For more information, see WAF Protection.

Environment Risk (Risk Level)

How CloudGuard Calculates Environment Risk

CloudGuard uses a formula to determine the environment risk. These are general principles of how the formula compares environments:

  1. An environment with higher-risk assets gets priority over an environment with lower-risk assets.

    Example - The highest-scoring asset in Environment A is in the Critical range. The highest-scoring asset in Environment B is in the High range. Environment A gets priority.

  2. If two environments have assets at the same highest risk level, the environment with a larger number of assets at the highest level gets priority.

    Example - The highest-scoring assets in Environment C and in Environment D are in the High range. Environment C has 10 assets in the High range, and Environment D has 4 assets in the High range. Environment C gets priority.

  3. If two environments have the same number of assets at the highest common risk level, the environment with more assets at the next-highest level gets priority.

    Example - The highest-scoring assets in Environment E and Environment F are in the High range. Environment E and Environment F each have 10 assets in the High range. Environment E has 25 assets in the Medium range. Environment F has 15 assets in the Medium range. Environment E gets a higher environment risk.
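The comparison principles for assets (by finding severity) and for environments (by asset risk level) both describe a highest-level-first ordering of counts. The Python sketch below is an added example, not CloudGuard code and not the CloudGuard formula: it models only the relative ordering and the Risk Score bands from the table above, and leaves out business priority and the context modifiers. The function names and the environment scores are assumptions made for illustration.

```python
from collections import Counter

# Severity / Risk Level names from this page, highest first.
LEVELS = ("Critical", "High", "Medium", "Low")
# Lower bound of each Risk Score band, taken from the table on this page.
BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))


def risk_level(score):
    """Map a Risk Score (0.1 to 10.0) to its Risk Level band."""
    if not 0.1 <= score <= 10.0:
        raise ValueError(f"risk score out of range: {score}")
    return next(level for floor, level in BANDS if score >= floor)


def level_counts(labels):
    """Count labels per level, highest level first.

    Labels outside LEVELS (Informational, Unknown) are ignored, matching
    the page's statement that they are excluded from the calculation.
    """
    counts = Counter(label for label in labels if label in LEVELS)
    return tuple(counts[level] for level in LEVELS)


def environment_counts(asset_scores):
    """Count an environment's assets per Risk Level band."""
    return level_counts(risk_level(score) for score in asset_scores)


def rank(keys):
    """Order names from highest to lowest priority.

    Tuples compare element by element, so the highest level decides first,
    then the count at that level, then the count at the next level down.
    """
    return sorted(keys, key=keys.get, reverse=True)


if __name__ == "__main__":
    # Assets A to F use the finding counts from the examples on this page.
    assets = {
        "A": level_counts(["High"]),
        "B": level_counts(["Medium"] * 20),
        "E": level_counts(["High"] * 2 + ["Medium"] * 2),
        "F": level_counts(["High"] * 2 + ["Low"]),
    }
    print(rank(assets))
    # Constructed asset scores for two hypothetical environments.
    envs = {"prod": environment_counts([9.4, 5.0]),
            "dev": environment_counts([8.8, 8.1, 7.0])}
    print(rank(envs))
```

The ordering says which asset or environment ranks higher; it does not reproduce the numeric score CloudGuard assigns.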
