How We Rank Risks: Dollars at Stake, Not CVSS
Jeff Sowell · 2026-04-21 · Risk Management
CVSS ranks risks by how loud the scanner is. A real CISO decision-engine ranks by how much business value is at stake. Here's the formula we use and why it changes which risk ends up at the top of the queue.
Why CVSS is the wrong top-of-queue ranking signal
Here's the conversation every security leader has had with a CEO at least once.
CEO: "What's the most important thing we're working on right now?"
CISO: "The Log4j CVE — it's critical severity."
CEO: "OK, but what does it threaten?"
CISO: "…"
The pause is the problem. CVSS, the Common Vulnerability Scoring System, answers the question *how severe is this vulnerability if exploited*, in isolation. It does not answer *what business value is this risk threatening*. (CVSS does define Environmental metrics that are meant to carry asset context, but scanners almost never populate them, so the number that lands in your queue is the context-free Base score.) Those are different questions, and for top-of-queue decisions, only the second one is useful.
This is the gap our prioritization engine closes. Your top risk isn't the one with the highest CVSS. It's the one burning the most business value per hour that it remains unresolved.
The formula
`priority_score = technical_score × asset_multiplier × revenue_multiplier × breach_multiplier`
Four inputs. Each answers a question that matters:
1. Technical score — *how severe is the risk if realized?* Standard 5×5 impact × likelihood matrix (each axis scored 0-5, product 0-25), the number every risk register already has.
2. Asset multiplier — *what does this risk touch?* Weighted by the criticality tier of linked assets: Critical = 2.0x, High = 1.7x, Medium = 1.4x, Low = 1.1x, None = 1.0x. A risk touching a critical revenue-generating asset is more urgent than an identical-severity risk touching a dev sandbox.
3. Revenue multiplier — *what's the dollar impact per hour of exposure?* Log-scaled with diminishing returns, capped at 2.0x. \`$1K/hr ≈ +7%\`, \`$10K/hr ≈ +23%\`, \`$100K/hr ≈ +46%\`, \`$1M/hr ≈ +69%\`. We cap it so revenue can't dominate technical severity — a risk with no technical substance shouldn't rank high just because it touches a revenue-heavy process.
4. Breach multiplier — *is the clock already ticking?* 1.0 baseline + 0.15 per breached mitigation task + 0.3 if any task hit the executive-escalation level. Capped at 2.0x. SLA failure on a risk lifts it in the queue because unresolved urgency compounds.
The product of all four gives a score that ranges from 0 (no technical substance) to a theoretical ceiling of 200 (25 × 2.0 × 2.0 × 2.0). The realistic worst case on these inputs, a critical-severity risk touching critical assets that threaten around $1M/hr in revenue and with tasks breached past executive escalation, lands near 170 (25 × 2.0 × 1.69 × 2.0), still well above anything a context-free risk can reach.
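The formula above, carried through in code as an added example (this is not the prioritization engine's own code). The tier multipliers, breach increments and caps are exactly those stated above; two things are assumptions because the page does not pin them down: when a risk links several assets the highest tier wins, and the revenue curve is `1 + 0.1 × ln(1 + $/hr ÷ 1000)`, a fit to the four anchor points quoted above (it reproduces +7%, +46% and +69% and gives about +24% at $10K where the text rounds to +23%). The two sample risks are constructed in the shape of Risk A and Risk B below; Risk B's mitigation-task state is invented for illustration.

```python
import math
from dataclasses import dataclass, field

# Asset criticality tiers and their multipliers, as stated on the page.
ASSET_MULTIPLIER = {"critical": 2.0, "high": 1.7, "medium": 1.4, "low": 1.1, "none": 1.0}
MULTIPLIER_CAP = 2.0  # revenue and breach multipliers are both capped here


@dataclass
class MitigationTask:
    breached: bool = False             # SLA already missed
    executive_escalation: bool = False  # escalated to the executive level


@dataclass
class Risk:
    name: str
    impact: int                        # 0-5
    likelihood: int                    # 0-5
    asset_tiers: list = field(default_factory=list)   # tiers of linked assets
    revenue_impact_per_hour: float = 0.0               # summed over linked processes
    tasks: list = field(default_factory=list)


def technical_score(risk):
    """Impact x likelihood on a 5-point scale each, so the product is 0-25."""
    if not (0 <= risk.impact <= 5 and 0 <= risk.likelihood <= 5):
        raise ValueError("impact and likelihood must each be 0-5")
    return risk.impact * risk.likelihood


def asset_multiplier(tiers):
    # Assumption: with several linked assets the highest tier wins. The page
    # says "weighted by tier" but does not say how multiple assets combine.
    if not tiers:
        return ASSET_MULTIPLIER["none"]
    return max(ASSET_MULTIPLIER[t.lower()] for t in tiers)


def revenue_multiplier(revenue_per_hour):
    # Assumed curve: 1 + 0.1 * ln(1 + $/hr / 1000), capped at 2.0. Fitted to the
    # page's anchors ($1K ~ +7%, $100K ~ +46%, $1M ~ +69%); ~+24% at $10K.
    if revenue_per_hour < 0:
        raise ValueError("revenue impact must be non-negative")
    return min(MULTIPLIER_CAP, 1.0 + 0.1 * math.log1p(revenue_per_hour / 1000.0))


def breach_multiplier(tasks):
    # 1.0 baseline + 0.15 per breached task + 0.3 if any task hit exec escalation.
    breached = sum(1 for t in tasks if t.breached)
    escalated = any(t.executive_escalation for t in tasks)
    return min(MULTIPLIER_CAP, 1.0 + 0.15 * breached + (0.3 if escalated else 0.0))


def priority_score(risk):
    return (technical_score(risk)
            * asset_multiplier(risk.asset_tiers)
            * revenue_multiplier(risk.revenue_impact_per_hour)
            * breach_multiplier(risk.tasks))


def rank(risks):
    """Highest priority first; ties broken by raw technical score."""
    return sorted(risks, key=lambda r: (priority_score(r), technical_score(r)), reverse=True)


# Constructed sample risks in the shape of the page's Risk A and Risk B.
RISK_A = Risk("A: critical CVE in web framework", impact=4, likelihood=5)
RISK_B = Risk("B: high CVE on API server", impact=3, likelihood=5,
              asset_tiers=["critical"], revenue_impact_per_hour=12_000,
              tasks=[MitigationTask(breached=True)])  # one missed SLA: assumed for illustration

if __name__ == "__main__":
    for r in rank([RISK_A, RISK_B]):
        print(f"{priority_score(r):6.1f}  {r.name}")
```

Running it puts Risk B at the top with a score in the low forties against Risk A's 20.0, because every multiplier for Risk A sits at its 1.0 baseline. The zero-technical-score guard the text describes falls out of the product: a risk with impact or likelihood 0 scores 0 no matter how much revenue it touches.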
The same inputs, a different answer
Take two risks, real shapes you'd see on any risk register:
Risk A — Classic CVSS winner
- Severity: Critical CVE in a web framework. \`technical_score = 20\`
- Linked assets: none specified
- Linked business processes: none
- Mitigation tasks: on track, no breaches
Under CVSS, this is your #1 — score 10.0, category "Critical."
Priority score: \`20 × 1.0 × 1.0 × 1.0 = 20.0\`
Risk B — What actually matters
- Severity: High CVE on an API server. \`technical_score = 15\`
- Linked asset: Stripe payment gateway, criticality = critical (\`asset_mult = 2.0\`)
- Linked business process: Stripe payments flow, \`revenue_impact_per_hour = $12,000\` (\`revenue_mult = 1.23\`)
- Miti