The Site Report Card report aims to provide you with a way to grade each Nexpose site "against the curve" – that is, an opportunity to understand which business units' systems are succeeding (or falling behind) in their efforts to minimize risk in their respective environments relative to each other. By providing an overview of the highest risk assets, vulnerability counts, threat exposures faced, and a look into the age of the scan data itself within any given site, you can obtain a quick understanding of that site's risk profile at that time. And since the grading framework works against the curve, a site can only achieve an A if it works that much harder than its counterparts to reduce risk on each system.
The grading framework works by calculating the average risk of the assets within a site for each site in scope. The average of this average sets the curve. From there, the curve is defined in the following way:
- A - a site's average risk per asset is more than 15% lower than the average
- B - a site's average risk per asset is between 5% and 15% lower than the average
- C - a site's average risk per asset is within 5% of the average
- D - a site's average risk per asset is between 5% and 15% higher than the average
- F - a site's average risk per asset is more than 15% higher than the average
Because of this curved grading system, as remediations are performed, sites will tend to move towards a C, but outliers for low or high risk will remain in the higher (A-B) or lower (D-F) grade categories. The more sites you place in the scope of the report, the better, since this allows the curve to better reflect the average. If you report on only one site, this will clearly result in a grade letter of "C".
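The grading framework described above, worked through in code. This is an added example, not part of the Nexpose product or the original article; the site names and per-asset risk scores are constructed sample data, and the treatment of a site with no scanned assets (no grade) is an assumption the text does not address.

```python
from statistics import mean
from typing import Dict, List, Optional

# Constructed sample data: each site maps to the risk scores of its assets.
# Averages per site: 600, 900, 1000, 1050, 1150, 1300; curve = 1000.
SAMPLE_SITES: Dict[str, List[float]] = {
    "hr":             [500.0, 700.0],
    "marketing":      [850.0, 950.0],
    "finance":        [1200.0, 800.0, 1000.0],
    "sales":          [1100.0, 1000.0],
    "operations":     [1300.0, 1000.0],
    "engineering":    [1500.0, 1100.0],
    "decommissioned": [],  # assumption: a site with no assets gets no grade
}


def site_average_risk(asset_risks: List[float]) -> Optional[float]:
    """Average risk per asset for one site, or None if the site has no assets."""
    return mean(asset_risks) if asset_risks else None


def curve_value(site_averages: List[float]) -> float:
    """The curve is the average of the per-site averages ("average of this average")."""
    return mean(site_averages)


def grade_for(site_avg: float, curve: float) -> str:
    """Map a site's average risk to a letter grade relative to the curve.

    Negative delta means the site is below (better than) the curve.
    Boundaries follow the text: A < -15%, B in [-15%, -5%), C within +/-5%,
    D in (5%, 15%], F > 15%.  A zero curve means every site equals the average.
    """
    if curve == 0:
        return "C"
    delta = (site_avg - curve) / curve
    if delta < -0.15:
        return "A"
    if delta < -0.05:
        return "B"
    if delta <= 0.05:
        return "C"
    if delta <= 0.15:
        return "D"
    return "F"


def grade_sites(sites: Dict[str, List[float]]) -> Dict[str, Optional[str]]:
    """Grade every site in scope against the curve formed by all of them."""
    averages = {name: site_average_risk(risks) for name, risks in sites.items()}
    scored = [avg for avg in averages.values() if avg is not None]
    curve = curve_value(scored) if scored else 0.0
    return {name: (grade_for(avg, curve) if avg is not None else None)
            for name, avg in averages.items()}
```

Run with a single site in scope and the curve collapses onto that site's own average, which is why the report card always shows a "C" in that case.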
Below is an example of a report card for a site that is doing just slightly worse than the average.