The Comprehensive Cybersecurity Risk Index (CCRI - pronounced "cry") assigns 5 metrics to each of the technical findings. Each vulnerability's CCRI score is calculated based on its Vulnerability Severity, Ease of Exploitation, Business Impact, Exposure, and Effort to Fix. All values are contextualized within the client's specific infrastructure and use a numeric scale of 1 to 10.
The radar chart corresponding to each finding visually identifies the specific metrics that comprise the Comprehensive Cybersecurity Risk Index (CCRI).
Try the CCRI calculator to compute your own scores and radar chart: https://ccri.dev/calc.html
Critical (C.#), 9-10: Exploitation could present an existential threat to the client, leading to loss of life, severe impact on availability of core services, unsustainable regulatory fines, or profound reputational impact.
High (H.#), 7-9: Exploitation could degrade core services, impact business operations, cause significant regulatory risk or reputational impact.
Medium (M.#), 5-7: Exploitation could have a moderate impact on business operations or minor regulatory and reputational consequences.
Low (L.#), 2-5: Exploitation would have minimal impact on business operations with little or no regulatory or reputational implications.
Informational (I.#), —: Included for reference as an informational finding.
Vulnerability Severity: Core metric tracking the inherent gravity of the vulnerability irrespective of situational context and mitigations.
Ease of Exploitation: Defines the level of sophistication and expertise required to successfully exploit the vulnerability.
Business Impact: The potential impact of the finding on the client's business processes, reputation, and regulatory compliance.
Exposure: Specific degree to which the vulnerability is exposed in the client's infrastructure.
Effort to Fix: Expresses the time, human effort, and financial resources required to remediate or mitigate the finding.