How organizations get a security risk score with Mr.Benny, inspired by certified risk frameworks
We at MrBenny believe that the core challenge in cybersecurity is prioritization: with limited resources, one must quickly identify which weaknesses are most likely to be exploited and cause harm. This is where a quantified security risk score becomes invaluable.
Security risk assessment frameworks like NIST, ISO 27005, and FAIR provide best practices for evaluating risk, but they don't always translate to an easy-to-understand number for day-to-day decision making. The challenge lies in quantifying diverse risk factors (asset importance, vulnerability severity, exploit likelihood, etc.) into a single actionable metric. MrBenny’s approach tackles this challenge head-on. Drawing inspiration from established frameworks, MrBenny computes a risk score (0 to 10) that encapsulates an organization’s security posture. More importantly, it pairs that score with concrete recommendations to reduce risk.
In this article, we’ll explore how MrBenny’s risk scoring algorithm works, how it echoes the principles of certified risk frameworks, and why it provides practical value for modern IT management.
Risk Assessment Frameworks
Before diving into MrBenny’s solution, it helps to briefly review the established risk assessment frameworks that inspired it.
NIST Cybersecurity Framework (CSF)
The NIST CSF is a widely adopted framework that provides a structured approach to cybersecurity risk management. It outlines five key core functions – Identify, Protect, Detect, Respond, and Recover – which serve as the pillars of a holistic security program. Each function covers a broad set of outcomes; for example, Identify encompasses understanding your assets and risks, while Respond and Recover focus on taking action and restoring normal operations after incidents. By following this framework, companies can ensure they are not overlooking critical areas of security when evaluating risk.
ISO/IEC 27005
ISO/IEC 27005 is an international standard dedicated to information security risk management. It provides guidelines on systematically identifying, analyzing, evaluating, and treating information security risks. In practice, ISO 27005 walks organizations through a risk management process: identifying assets and potential threats, assessing the likelihood and impact of those threats, deciding on risk treatment (mitigation, acceptance, transfer, etc.), and monitoring the results. While ISO 27005 doesn’t mandate a specific scoring method, it establishes a disciplined approach to ensure no significant risk factor is ignored.
CVSS and EPSS (Common Vulnerability Scoring System & Exploit Prediction Scoring System)
When it comes to quantifying the risk of technical vulnerabilities, the industry often turns to CVSS and EPSS. The Common Vulnerability Scoring System (CVSS) provides a standardized severity score (ranging from 0 to 10) for known software vulnerabilities. CVSS scores are calculated using a formula that considers multiple factors (attack complexity, required privileges, impact on confidentiality/integrity, etc.) to approximate how severe a vulnerability is if exploited. Higher CVSS scores indicate more critical issues, and the MrBenny app displays them.
However, CVSS by itself is not a direct measure of risk, because it doesn’t account for how likely a vulnerability is to be exploited or the context of the affected asset. This is where Exploit Prediction Scoring System (EPSS) comes in. EPSS is a data-driven model that estimates the probability that a given vulnerability will be exploited in the wild. It produces a likelihood score (0 to 1, or 0% to 100%) based on real-world threat intel and past exploit trends, helping defenders differentiate which vulnerabilities are imminent threats. In other words, CVSS tells you how bad a vulnerability could be, while EPSS tells you how likely it is to be attacked. MrBenny combines the two – using CVSS for severity and EPSS for exploitability – to prioritize remediation.
FAIR Model (Factor Analysis of Information Risk)
The FAIR model offers a different perspective: it’s a quantitative risk analysis framework aimed at financial and business impact of cyber risks. FAIR provides a taxonomy of risk factors and a method to calculate risk in terms of probable frequency and probable loss magnitude of future events. In essence, FAIR encourages organizations to estimate how often a given threat might materialize (e.g. a data breach) and how much it would cost if it did. By breaking risk into factors like threat event frequency, vulnerability, and impact, FAIR allows analysts to derive an expected loss (often expressed in monetary terms). This approach helps translate technical risk into the “language of business” – dollars and probabilities.
While FAIR is comprehensive and quantitative in nature, it requires sufficient data and analysis effort. It’s excellent for deep risk assessments and comparing scenarios (for example, to justify investments by showing risk reduction in monetary terms).
Organizational risk - MrBenny’s mission
MrBenny’s security risk score algorithm was designed with established best practices in mind. It doesn’t reinvent risk assessment from scratch; rather, it encapsulates the core ideas of NIST, ISO, CVSS/EPSS, and FAIR into a single, actionable metric. It gives:
Holistic Coverage (Inspired by NIST CSF): MrBenny ensures that an organization’s security fundamentals are accounted for in the risk score. Much like NIST CSF’s Identify function, MrBenny checks if you have key elements in place – e.g. defined assets, network segments, and user accounts. If basic components are missing (no assets or employees recorded, etc.), the algorithm raises the risk score to highlight those gaps. This aligns with the NIST philosophy that you cannot protect what you haven’t identified. Moreover, the recommendations MrBenny provides for risk reduction echo the Respond and Recover functions of NIST CSF – they are specific actions to mitigate identified risks, ensuring the framework’s guidance to “take action” is realized in practice.
Systematic Risk Factors (Inspired by ISO/IEC 27005): Similar to ISO 27005’s guidance, MrBenny’s algorithm considers multiple risk factors in a structured way: the importance of the asset, the severity of the vulnerability, how long it’s been left unaddressed, and whether a fix is planned. This mirrors a risk management process – identify the issue (vulnerability), analyze its criticality (asset value and severity), evaluate how exposure increases over time (unpatched days), and decide on treatment (planned fix or not). By incorporating asset criticality and vulnerability age into the score, MrBenny reflects ISO 27005’s emphasis on context and timeliness. (ISO 27005 encourages ongoing monitoring of risks and prompt treatment of significant ones – the increased weight MrBenny gives aging unpatched issues is essentially a built-in monitoring alarm that says “this old issue is getting riskier by the day, handle it!”).
Quantitative Scoring of Technical Risk (Inspired by CVSS & EPSS): MrBenny’s risk score is fundamentally a quantitative metric, much like CVSS. In fact, it starts by leveraging CVSS scores for each vulnerability as a base. But crucially, it doesn’t stop there – it weights those scores by exploit likelihood (EPSS) to prioritize the vulnerabilities that are both severe and likely to be exploited. This approach directly aligns with the security community’s best practices: raw severity (CVSS) is tempered by probability (EPSS) to yield a more realistic risk impact. If a vulnerability has a high CVSS of 9.0 but a very low EPSS (say 0.1% chance of exploit), MrBenny’s weighting will reduce its influence compared to a CVSS 8.0 vulnerability with a 50% exploit chance. In other words, MrBenny captures the CVSS+EPSS synergy automatically.
Prioritization and Risk Reduction Focus (Inspired by FAIR and others): While MrBenny’s output is a clear 0–10 score, under the hood it uses a risk formula that yields consistent and defensible results, akin to a lightweight FAIR model. FAIR deals in probabilities and impacts; MrBenny’s algorithm deals in likelihood (EPSS as probability) and severity (CVSS as impact). In effect, each vulnerability contributes to the overall score proportional to expected risk (severity * likelihood), which is very much in the spirit of FAIR’s quantitative risk analysis. Moreover, MrBenny provides “what-if” analysis through its recommendations: it calculates how the risk score would drop if certain vulnerabilities were fixed, analogous to how FAIR can model risk reduction. This bridges to the FAIR objective of making risk decisions based on quantified outcomes. Ultimately, MrBenny’s method yields a defensible risk score that can be explained in terms of concrete factors (for example, a high score can be traced to X number of critical, exploitable vulns on high-value assets), much like FAIR aims to produce defensible risk statements.
MrBenny’s algorithm stands on the shoulders of well-known frameworks yet delivers results in a practical, automated form.
Dive into the details
The goal is to boil down numerous security data points into a single number (0 to 10) that reflects the overall risk, while also flagging areas of improvement. Here is how the calculation works:
- Calculate Weighted Risk per Asset/Vulnerability: For each IT asset in the organization, MrBenny looks at its known vulnerabilities and calculates a contribution to the overall risk. This is based on a weighted CVSS score. Specifically, MrBenny uses:
  - CVSS severity (mostly)
  - Exploit Likelihood Weight (EPSS-based): A vulnerability with a higher EPSS (chance of exploit) gets a higher weight.
  - Asset Criticality Weight: MrBenny recognizes that some assets are more critical to the organization (e.g., a production server vs. a lab machine).
  - Vulnerability Age Weight: The longer a vulnerability remains unpatched in your environment, the more risk it represents.
  - Fix Planning Weight: MrBenny also considers whether the organization has acknowledged and planned to fix a vulnerability.
- Compute the Average Assets Risk Score: Once each vulnerability’s weighted risk contribution is calculated, MrBenny derives an Average Asset Risk score across the entire organization. In simple terms, it sums up the “risk points” of all vulnerabilities and divides by the sum of all weights to get a normalized score.
  - If your organization has many high-severity, high-likelihood, long-open issues, this average will be high (approaching 10).
  - If vulnerabilities are mostly low severity or quickly patched, the average will be lower.
  - Notably, if no assets or vulnerabilities exist in the system at all, MrBenny defaults the risk score to a baseline – representing a moderate inherent risk due to lack of visibility.
- Add Organizational Posture Adjustments: MrBenny’s algorithm doesn’t stop at technical vulnerabilities. It also checks for security hygiene factors in the organization’s setup and adjusts the risk score accordingly:
  - Locations with no assets indicate a gap in asset tracking (perhaps forgotten devices or miscategorized assets).
  - No employees/users suggests poor oversight of insider risk or access control.
  - No permissions/roles suggests potential oversights in identity and access management.
- Output the Score: After combining the weighted average risk and all adjustments, MrBenny arrives at a final Risk Score. The result is then reported as your organization’s risk level, often with a label (e.g., 10 = Critical risk, 5 = Moderate risk, etc.). The score gives a quantifiable snapshot of how vulnerable the organization is to likely attacks at that moment.
- Actionable Insights follow: A risk score alone has limited value unless it tells you what to do. MrBenny’s solution shines by providing up to three prioritized recommendations along with the score. If one particular unpatched critical vulnerability is contributing, say, 3 points to the risk score, MrBenny will highlight that: “Fix vulnerability XYZ on Server1 to reduce the risk score by 3 (e.g., from 8.7 to 5.7).”
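The calculation steps above, worked through in code as an added illustrative example. This is not MrBenny's code and the product's actual constants are not published here: the shape of each weight function, the 0.5 posture penalty per hygiene gap, the 5.0 baseline, the 1–5 criticality scale and the label thresholds are all assumptions, and the inventory is constructed sample data. The example also carries through the CVSS 9.0 / low-EPSS versus CVSS 8.0 / 50%-EPSS comparison from the previous section and the "what-if" recommendation step.

```python
from dataclasses import dataclass, field

# Illustrative reconstruction of the weighted-average approach described above.
# Every weight function, penalty and threshold is ASSUMED for this example.

BASELINE_SCORE = 5.0   # assumed "moderate inherent risk" when nothing is inventoried


@dataclass
class Vulnerability:
    name: str
    cvss: float          # base severity, 0-10
    epss: float          # probability of exploitation in the wild, 0-1
    days_open: int       # how long it has stayed unpatched
    fix_planned: bool    # has the organization scheduled remediation?

@dataclass
class Asset:
    name: str
    criticality: int     # assumed scale: 1 (lab machine) .. 5 (production server)
    vulns: list = field(default_factory=list)

@dataclass
class Posture:
    locations_without_assets: int
    employee_count: int
    role_count: int

def exploit_weight(epss: float) -> float:
    # Assumed: floor of 0.1 so severity never vanishes, rising linearly to 1.0
    return 0.1 + 0.9 * epss

def exploit_weighted_severity(cvss: float, epss: float) -> float:
    """Severity tempered by likelihood: the CVSS x EPSS comparison in the text."""
    return cvss * exploit_weight(epss)

def vuln_weight(asset: Asset, v: Vulnerability) -> float:
    """Product of the four weight factors the article lists (assumed shapes)."""
    criticality_w = 0.5 + 0.5 * asset.criticality      # 1.0 .. 3.0
    age_w = 1.0 + min(v.days_open, 365) / 365.0        # doubles after a year
    fix_w = 0.8 if v.fix_planned else 1.0              # planned fixes weigh less
    return exploit_weight(v.epss) * criticality_w * age_w * fix_w

def average_asset_risk(assets: list) -> float:
    """sum(cvss * weight) / sum(weight); BASELINE_SCORE if there is nothing to score."""
    points = weight = 0.0
    for a in assets:
        for v in a.vulns:
            w = vuln_weight(a, v)
            points += v.cvss * w
            weight += w
    return points / weight if weight else BASELINE_SCORE

def posture_adjustment(p: Posture) -> float:
    # Assumed flat 0.5 penalty per hygiene gap named in the article
    gaps = [p.locations_without_assets > 0, p.employee_count == 0, p.role_count == 0]
    return 0.5 * sum(gaps)

def risk_score(assets: list, posture: Posture) -> float:
    return round(min(10.0, average_asset_risk(assets) + posture_adjustment(posture)), 1)

def label(score: float) -> str:
    # Assumed thresholds; the article only states 10 = Critical and 5 = Moderate
    for threshold, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Moderate")):
        if score >= threshold:
            return name
    return "Low"

def recommendations(assets: list, posture: Posture, limit: int = 3) -> list:
    """What-if analysis: re-score with each vulnerability fixed, rank by the drop."""
    current = risk_score(assets, posture)
    out = []
    for a in assets:
        for v in a.vulns:
            remaining = [Asset(x.name, x.criticality, [u for u in x.vulns if u is not v])
                         for x in assets]
            new = risk_score(remaining, posture)
            drop = round(current - new, 1)
            if drop > 0:   # fixing a minor issue can raise a weighted mean; skip those
                out.append({"asset": a.name, "vuln": v.name, "drop": drop, "new_score": new})
    out.sort(key=lambda r: r["drop"], reverse=True)
    return out[:limit]

# Constructed sample inventory (not real data)
SAMPLE_ASSETS = [
    Asset("Server1", 5, [Vulnerability("VULN-A", 9.0, 0.50, 365, False)]),
    Asset("Lab1", 1, [Vulnerability("VULN-B", 4.0, 0.01, 0, True)]),
]
SAMPLE_POSTURE = Posture(locations_without_assets=1, employee_count=10, role_count=0)

if __name__ == "__main__":
    score = risk_score(SAMPLE_ASSETS, SAMPLE_POSTURE)
    print(f"Risk score: {score} ({label(score)})")
    for r in recommendations(SAMPLE_ASSETS, SAMPLE_POSTURE):
        print(f"Fix {r['vuln']} on {r['asset']} to reduce the score by {r['drop']} "
              f"(to {r['new_score']})")
```

Two properties of the weighted-mean design are worth noticing when reading the output. First, because the score is normalized by the sum of weights, it measures how bad the typical weighted vulnerability is rather than how many there are; the what-if loop therefore filters out "fixes" that would raise the mean by removing a low-severity item. Second, the EPSS floor in `exploit_weight` is what keeps a CVSS 9.0 with a 0.1% exploit probability in the picture at all while still ranking it well below a CVSS 8.0 with a 50% probability.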
Benefits
Contextual and Dynamic Risk Evaluation: Unlike a once-a-year risk assessment, MrBenny’s score updates as your environment changes. It is dynamic – add a new asset with vulnerabilities, and the score will adjust.
Simplicity and Automation: MrBenny’s approach makes sophisticated risk analysis simple and automated. In practical terms, MrBenny acts like an automated risk advisor, crunching the data and outputting a straightforward verdict. This not only saves time but also ensures consistency – the same inputs will yield the same risk evaluation every time, avoiding the subjectivity or oversight that sometimes occurs in manual assessments. MrBenny helps organizations focus on what matters most.
The industry is heading towards risk-based security management and MrBenny is a step in that direction.
Ready to translate your cybersecurity data into actionable risk intelligence? It’s time to give MrBenny a try. To get started, simply integrate your asset and vulnerability data into MrBenny. The platform will automatically compute your initial risk score and highlight key recommendations (e.g. patch a critical server, update your asset inventory, assign proper roles to users). Use these insights as a roadmap to bolster your security. Over time, watch your risk score decline as your organization addresses weaknesses – a direct measure of improved security posture.
Embrace a smarter, quantifiable approach to risk management today with MrBenny.