Configure security ratings

AFA reports' Home and Risks pages display a security rating which indicates the device's degree of compliance with security standards.

Note: It is possible for a device with more risks to have a higher security rating than a device with fewer risks.

The Security Rating is calculated as the ratio of the number of risks detected vs. the number of risks searched for, and the total number of risks searched for differs per device.

If a device has multiple interfaces and some are configured as Internal, some as External, and some as DMZ, more risks will be searched for than on a device with only an Internal and External interface. Also, some risks are defined only for specific device vendors.

Security rating calculation

AFA calculates the security rating with the following formula:

Security rating = 100 x (1 - (W1X1 + W2X2 + W3X3 + W4X4) / (W1T1 + W2T2 + W3T3 + W4T4))

where:

This variable...

Represents...

W1

The weight of High risks.

Default = 10.

W2

The weight of Suspected High risks.

Default = 4.

W3

The weight of Medium risks.

Default = 2.

W4

The weight of Low risks.

Default = 1.

X1

The number of High risks detected in the current device policy.

X2

The number of Suspected High risks detected in the current device policy.

X3

The number of Medium risks detected in the current device policy.

X4

The number of Low risks detected in the current device policy.

T1

The maximum number of High risks possible for the device. This is determined by the device's brand and topology.

T2

The maximum number of Suspected High risks possible for the device. This is determined by the device's brand and topology.

T3

The maximum number of Medium risks possible for the device. This is determined by the device's brand and topology.

T4

The maximum number of Low risks possible for the device. This is determined by the device's brand and topology.

Security rating calculation background

In ASMS's security rating calculation, risk is determined by the weakest link in the defense. This means that several well-configured devices do not mitigate the risk posed by a single, badly-configured device.

ASMS, therefore, cannot determine the security rating for a group of devices as a simple average of the security ratings of the group's members. Instead, ASMS looks at all possible risk items as a "whole", and deducts one "point" for every risk item flagged on at least one group member.

This approach may lead to scenarios where the security rating of a group is even lower than that of each group member.

For example, suppose the following:

  • There are 100 possible risk items
  • There are 100 devices in the group
  • Each device is flagged for a single risk item.

In this case, the security rating of each device will be 99, because 99 of the 100 possible risk items are not flagged.

The case may differ as follows:

If the same risk item is flagged on all 100 devices

The group security rating will also be 99, since 99 of the 100 possible risk items are still not flagged.

If each device is flagged for a different risk item

The group security rating will be 0, because 100 out of 100 possible risk items are flagged for at least one group member.

Customize security rating settings

You can customize the security rating by changing the weight assigned to each type of risk. In addition, you can customize the security rating bar's appearance in reports, and the number of days included in the Security Rating Trend graph in the Risks page of reports.

Do the following:

  1. In the toolbar, click your username.

    A drop-down menu appears.

  2. Select Administration.

    The Administration page appears, displaying the Options tab.

  3. Click the Compliance tab.

    The Compliance tab appears, displaying the Risk Profiles sub-tab.

  4. Click .

    The Security Rating Settings dialog is displayed.

  5. Complete the fields using the information in the following table.

    Days in Trend Graph

    Type the number of days to include in the Security Rating Trend graph in the Risks page of reports.

    The default value is 180 days.

    Low Breakpoint

    Type a number representing the point on the security ratings bar where the bar should changes from red to yellow, if the leftmost end of the bar is 0 and the rightmost end is 100.

    The default value is 50.

    High Breakpoint

    Type a number representing the point on the security ratings bar where the bar should change from yellow to green, if the leftmost end of the bar is 0 and the rightmost end is 100.

    The default value is 85.

    Formula Weights

    Enter the desired weight for each risk type.

  6. Click OK.