performing-asset-criticality-scoring-for-vulns

Develop and apply a multi-factor asset criticality scoring model to weight vulnerability prioritization based on business impact, data sensitivity, and operational importance.

16 stars

Best use case

performing-asset-criticality-scoring-for-vulns is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Develop and apply a multi-factor asset criticality scoring model to weight vulnerability prioritization based on business impact, data sensitivity, and operational importance.

Teams using performing-asset-criticality-scoring-for-vulns should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/performing-asset-criticality-scoring-for-vulns/SKILL.md --create-dirs "https://raw.githubusercontent.com/plurigrid/asi/main/plugins/asi/skills/performing-asset-criticality-scoring-for-vulns/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/performing-asset-criticality-scoring-for-vulns/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How performing-asset-criticality-scoring-for-vulns Compares

Feature / Agentperforming-asset-criticality-scoring-for-vulnsStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Develop and apply a multi-factor asset criticality scoring model to weight vulnerability prioritization based on business impact, data sensitivity, and operational importance.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Performing Asset Criticality Scoring for Vulns

## Overview
Asset criticality scoring assigns a business impact rating to each IT asset so that vulnerability remediation efforts focus on systems with the greatest organizational risk. Without criticality context, a CVSS 9.0 vulnerability on a test server receives the same urgency as the same vulnerability on a payment processing database. This skill covers building a multi-factor scoring model incorporating data sensitivity, business function dependency, regulatory scope, network exposure, and recoverability to create a 1-5 criticality tier that directly modifies vulnerability remediation SLAs.


## When to Use

- When conducting security assessments that involve performing asset criticality scoring for vulns
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing

## Prerequisites
- Configuration Management Database (CMDB) or asset inventory
- Business Impact Analysis (BIA) data
- Data classification policy
- Network architecture documentation
- Stakeholder input from business unit owners

## Core Concepts

### Asset Criticality Scoring Model

| Factor | Weight | Score Range | Description |
|--------|--------|-------------|-------------|
| Business Function Impact | 25% | 1-5 | How critical is the supported business process |
| Data Sensitivity | 25% | 1-5 | Type and sensitivity of data processed/stored |
| Regulatory Scope | 15% | 1-5 | Regulatory requirements (PCI, HIPAA, SOX) |
| Network Exposure | 15% | 1-5 | Internet-facing vs internal-only |
| Recoverability | 10% | 1-5 | RTO/RPO requirements, DR capability |
| User Population | 10% | 1-5 | Number of users/customers affected |

### Criticality Tier Definitions

| Tier | Score Range | Label | SLA Modifier | Examples |
|------|------------|-------|-------------|---------|
| 1 | 4.5-5.0 | Crown Jewels | -50% SLA | Domain controllers, payment systems, ERP |
| 2 | 3.5-4.4 | High Value | -25% SLA | Email servers, HR systems, CI/CD |
| 3 | 2.5-3.4 | Standard | Baseline SLA | Internal apps, file servers |
| 4 | 1.5-2.4 | Low Impact | +25% SLA | Test environments, printers |
| 5 | 1.0-1.4 | Minimal | +50% SLA | Decommissioning, isolated labs |

### Data Sensitivity Scoring

| Score | Classification | Examples |
|-------|---------------|---------|
| 5 | Restricted/Secret | PII, PHI, payment card data, trade secrets |
| 4 | Confidential | Financial reports, HR records, source code |
| 3 | Internal | Internal documents, policies, project files |
| 2 | Semi-public | Marketing materials, press releases (draft) |
| 1 | Public | Published content, public APIs |

## Workflow

### Step 1: Define Scoring Criteria

```python
class AssetCriticalityScorer:
    """Multi-factor asset criticality scoring engine."""

    WEIGHTS = {
        "business_function": 0.25,
        "data_sensitivity": 0.25,
        "regulatory_scope": 0.15,
        "network_exposure": 0.15,
        "recoverability": 0.10,
        "user_population": 0.10,
    }

    TIER_THRESHOLDS = [
        (4.5, 1, "Crown Jewels", -0.50),
        (3.5, 2, "High Value", -0.25),
        (2.5, 3, "Standard", 0.00),
        (1.5, 4, "Low Impact", 0.25),
        (1.0, 5, "Minimal", 0.50),
    ]

    def score_asset(self, asset):
        """Calculate criticality score for an asset."""
        weighted_score = sum(
            asset.get(factor, 3) * weight
            for factor, weight in self.WEIGHTS.items()
        )
        score = round(weighted_score, 2)

        for threshold, tier, label, sla_mod in self.TIER_THRESHOLDS:
            if score >= threshold:
                return {
                    "score": score,
                    "tier": tier,
                    "label": label,
                    "sla_modifier": sla_mod,
                }
        return {"score": score, "tier": 5, "label": "Minimal", "sla_modifier": 0.50}

    def adjust_vuln_sla(self, base_sla_days, asset_tier_data):
        """Adjust vulnerability SLA based on asset criticality."""
        modifier = asset_tier_data["sla_modifier"]
        adjusted = int(base_sla_days * (1 + modifier))
        return max(1, adjusted)  # Minimum 1 day SLA
```

### Step 2: Integrate with Vulnerability Prioritization

```python
def apply_criticality_to_vulns(vulns_df, asset_scores):
    """Enrich vulnerability data with asset criticality context."""
    for idx, vuln in vulns_df.iterrows():
        asset_id = vuln.get("asset_id", "")
        asset_data = asset_scores.get(asset_id, {"tier": 3, "sla_modifier": 0})

        vulns_df.at[idx, "asset_tier"] = asset_data["tier"]
        vulns_df.at[idx, "asset_label"] = asset_data.get("label", "Standard")

        base_sla = get_base_sla(vuln["severity"])
        adjusted_sla = int(base_sla * (1 + asset_data["sla_modifier"]))
        vulns_df.at[idx, "adjusted_sla_days"] = max(1, adjusted_sla)

    return vulns_df
```

## Best Practices
1. Involve business stakeholders in criticality scoring; IT alone cannot assess business impact
2. Review and update criticality scores at least quarterly or when systems change roles
3. Automate scoring where possible using CMDB tags and data classification labels
4. Apply criticality tiers to vulnerability SLAs for risk-proportional remediation
5. Validate scoring against actual incident impact data to calibrate the model
6. Start with a simple 3-tier model before expanding to 5 tiers

## Common Pitfalls
- Classifying all assets as "critical" which defeats the purpose of tiering
- Not updating criticality scores when systems are repurposed or decommissioned
- Using only technical factors without business context
- Applying uniform SLAs regardless of asset importance
- Not documenting the scoring methodology for audit and consistency

## Related Skills
- performing-cve-prioritization-with-kev-catalog
- building-vulnerability-aging-and-sla-tracking
- performing-business-impact-analysis
- implementing-asset-management-program

Related Skills

We are still matching the closest adjacent skills for this page. In the meantime, continue through the full directory.