The Entity Criticality Factor is meant to approximate the relative importance of an entity.
By default, the Entity Criticality Factor is equal to the criticality of an entity. Typically, this will take one of the following values:
- High = 10
- Medium = 6
- Low = 3
- Unknown (not set) = Null
You can modify the Entity Criticality Factor equation to have a maximum of four variables. Therefore, you can add up to the three additional criteria to the entity criticality attribute, or if you remove the entity criticality, you can add up to four additional criteria. These criteria are custom attribute string values. You can assign a corresponding number that determines the weight of that variable for each of these values.
The Entity Criticality Factor can be calculated with the following formula:
Entity Criticality Factor = Entity Criticality * Custom Attribute String 1 * Custom Attribute String 2 * Custom Attribute String 3
Or
Entity Criticality Factor = Custom Attribute String 1 * Custom Attribute String 2 * Custom Attribute String 3 * Custom Attribute 4
There cannot be more than 4 arguments in a formula, but you can use operations other than multiplication. The Custom Attribute Strings must have a number associated with each possible value.
For example, if you used PCI as a custom attribute, and the possible values were “Yes” and “No”, then you may decide to make “Yes” = 1 and “No” = .5, so that if an entity is not in scope for PCI, then the risk of any vulnerabilities on that entity would be reduced, all other factors being the same, as compared to an entity that is in scope for PCI.
Another example of how a custom attribute can be used in the calculation of an entity criticality factor is if you had a custom attribute that represented an entity location within a network. For example, you could use the following scale:
- DMZ = 2
- Internal network – edge = 1
- Internal network – core = .5
Note that this would only approximate the location, and other factors of the Entity Criticality Factor equation could, and probably will, result in some entity that are in the core of the network, and therefore behind multiple firewalls, having a higher entity criticality factor.
For a discussion about how to equate the labels of a custom attribute with numerical values, please see the section “Assigning Numerical Values to Custom Attributes.”