Change a Policy's Scoring System within a Space
Change the scoring system Mondoo uses to evaluate assets against a policy
Mondoo combines the checks an asset passes and fails into a single 0-100 risk score (a higher score means more risk). How Mondoo combines those results into one score is the policy's scoring system. To learn how the score is built and how the bands work, read How Mondoo Calculates Risk Scores.
You can change which scoring system Mondoo uses for any policy in a space, without affecting the same policy in other spaces.
Check impact
Not every check in a policy is equally important. Each check has an impact in one of four bands: Critical, High, Medium, or Low. Impact represents how much an asset's vulnerability increases when the check fails.
For example, the AWS check "Ensure Redshift clusters are not publicly accessible" is critical-impact because a publicly accessible cluster is a potential entry point for attack. By contrast, "Ensure IAM groups are utilized by assigning at least one user" is low-impact because empty IAM groups don't materially increase an asset's vulnerability.
Every Mondoo scoring system uses check impact when calculating an asset's score. The systems differ in how they weight failures.
Scoring systems
| Scoring system | How it works | When to choose it |
|---|---|---|
| Banded | Drops the score quickly as critical-impact checks fail, accounts for high- and medium-impact failures, and guarantees a minimum score when no critical or high checks fail. | Recommended for most customers. Best general-purpose balance of accuracy and stability. |
| Decayed | Lowers the score on a curve, in proportion to its current value. Reacts strongly to critical findings without crashing to zero as more checks fail. | Risk-averse teams that want a steeper response to critical findings. |
| Highest impact | Looks only at the highest-impact band of checks. If any check at that impact fails, the asset's risk score is Critical. | Teams with a single hard line: any critical-impact failure is unacceptable. |
| Average | Scores based on the percentage of checks passed and failed, weighted by impact. Can leave a relatively healthy score even when several critical checks fail. | Optimistic, summary-style view. Less responsive to fixing individual issues. |
| Weighted average | Like Average, but also accounts for the per-check weight set in the policy. Checks with higher weight pull the score more. | Policies that need finer per-check influence than impact alone provides. |

For the underlying math, read the Policy Authoring Guide | Score Policies.
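As an added illustration (not Mondoo's own code, and not its exact formulas), the Python below compares the Highest impact and Weighted average systems on a constructed set of check results. The impact weights, the scoring formulas, and every check name other than the two quoted above are assumptions chosen only to show the difference the table describes: one failed critical check is Critical under Highest impact but barely moves an impact-weighted average.

```python
"""Simplified models of two scoring systems, for illustration only.

Assumed formulas, not Mondoo's implementation. Scores are 0-100 risk scores
(higher means more risk).
"""
from dataclasses import dataclass

# Assumed weight per impact band (constructed values).
IMPACT_WEIGHT = {"critical": 100, "high": 70, "medium": 40, "low": 10}


@dataclass
class CheckResult:
    name: str
    impact: str      # "critical", "high", "medium" or "low"
    passed: bool
    weight: int = 1  # per-check weight set in the policy (Weighted average only)


def highest_impact_score(results):
    """Highest impact: consider only the highest-impact band present.
    Any failure in that band scores Critical (100); otherwise 0 (assumption)."""
    top = max(IMPACT_WEIGHT[r.impact] for r in results)
    top_failed = any(not r.passed and IMPACT_WEIGHT[r.impact] == top for r in results)
    return 100 if top_failed else 0


def weighted_average_score(results):
    """Weighted average: failed share of total impact, each check scaled by its
    policy weight. With every weight equal to 1 this is the Average system."""
    total = sum(IMPACT_WEIGHT[r.impact] * r.weight for r in results)
    failed = sum(IMPACT_WEIGHT[r.impact] * r.weight for r in results if not r.passed)
    return round(100 * failed / total) if total else 0


def sample_results(redshift_weight=1):
    """Constructed results for a hypothetical asset: one critical and two
    low-impact checks fail, the other 17 checks pass."""
    results = [
        CheckResult("Redshift clusters not publicly accessible", "critical", False, redshift_weight),
        CheckResult("Root account MFA enabled (constructed)", "critical", True),
        CheckResult("IAM groups have at least one user", "low", False),
        CheckResult("Unused credentials disabled (constructed)", "low", False),
    ]
    results += [CheckResult(f"high-{i}", "high", True) for i in range(5)]
    results += [CheckResult(f"medium-{i}", "medium", True) for i in range(8)]
    results += [CheckResult(f"low-{i}", "low", True) for i in range(3)]
    return results


if __name__ == "__main__":
    print("Highest impact:  ", highest_impact_score(sample_results()))        # 100
    print("Weighted average:", weighted_average_score(sample_results()))      # 13
    print("Redshift weight 3:", weighted_average_score(sample_results(3)))    # 29
```

Raising the failing check's policy weight from 1 to 3 roughly doubles the averaged risk, which is the per-check influence the Weighted average row describes.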
Change a policy's scoring system within a space
Every policy ships with a default scoring system encoded in the policy. You can override the default in a space without affecting the policy elsewhere.
For example, if an Azure policy defaults to Highest impact and that doesn't reflect the security improvements you're making in your Cloud Operations space, switch that policy to Banded in that space only.
Note: Only team members with Editor or Owner access can perform this task.

1. In the Mondoo Console, navigate to the space in which you want to change a policy's scoring system.
2. In the side navigation bar, under Findings, select Policies.
3. Select the policy you want to customize.
4. At the top of the page, select the scales icon. The Score weighting control displays.
5. In the Score by drop-down list, select the scoring system to use for the policy in this space.

The change takes effect immediately. The next time Mondoo scans applicable assets in the space, it uses the new scoring system.