How Risk Reduction Is Calculated
Risk Reduction is the exact improvement to your Space Risk Score that you'd get by fixing a single finding everywhere it appears. Mondoo uses it to rank the 30 fixes in your Top Actions list.
The calculation has two steps:
Step 1: Total the finding's risk across the space
Sum the finding's risk score on every asset where it appears. Because fixing the finding drives each asset's contribution to 0, the current score on each asset is exactly the improvement available there.
Example. CVE-2023-1234 affects three assets:
| Asset | Current risk score | Improvement available |
|---|---|---|
| A | 90 | 90 |
| B | 80 | 80 |
| C | 90 | 90 |
Total potential improvement: 90 + 80 + 90 = 260 points.
Step 2: Divide by the total findings in the space
To express the improvement as an impact on the Space Risk Score (which averages across all findings), divide by the total number of findings:
Risk Reduction = (total potential improvement) ÷ (total findings in the space)
Continuing the example. If the space has 5,000 total findings:
- Risk Reduction: 260 ÷ 5,000 = 0.052
Fixing CVE-2023-1234 everywhere lowers the Space Risk Score by 0.052 points. Mondoo sorts every finding by Risk Reduction and surfaces the top 30 as your Top Actions.
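The two steps above, carried out in code. This is an added example, not Mondoo's own implementation: it assumes a space is a flat list of finding occurrences, one per (finding, asset) pair, each carrying that finding's current risk score on that asset, and that "total findings in the space" is the count of those occurrences. The sample data is constructed; the first three rows reproduce the CVE-2023-1234 table above, and the other finding IDs are placeholders. The last two functions go one step beyond the text: they model the Space Risk Score as the mean over all findings and check that the Risk Reduction value is the actual drop in that score when the finding is fixed everywhere.

```python
"""Worked example of Risk Reduction ranking (added example, not Mondoo's code).

Assumptions: a space is a list of finding occurrences, one per (finding, asset)
pair; "total findings in the space" is the count of those occurrences; fixing a
finding zeroes its risk scores but does not remove it from the count.
"""

# Constructed sample data. Rows 1-3 reproduce the page's CVE-2023-1234 example;
# the remaining finding IDs are placeholders, not real identifiers.
SAMPLE_SPACE = [
    {"finding": "CVE-2023-1234", "asset": "A", "risk_score": 90},
    {"finding": "CVE-2023-1234", "asset": "B", "risk_score": 80},
    {"finding": "CVE-2023-1234", "asset": "C", "risk_score": 90},
    {"finding": "placeholder-finding-b", "asset": "A", "risk_score": 100},
    {"finding": "placeholder-finding-b", "asset": "D", "risk_score": 100},
    {"finding": "placeholder-finding-b", "asset": "E", "risk_score": 100},
    {"finding": "placeholder-finding-c", "asset": "B", "risk_score": 40},
    {"finding": "placeholder-finding-c", "asset": "C", "risk_score": 40},
    {"finding": "placeholder-finding-d", "asset": "A", "risk_score": 60},
    {"finding": "placeholder-finding-e", "asset": "F", "risk_score": 20},
]


def total_potential_improvement(space, finding):
    """Step 1: sum the finding's current risk score over every asset where it
    appears. Fixing it drives each contribution to 0, so the current score on
    an asset is exactly the improvement available there."""
    return sum(r["risk_score"] for r in space if r["finding"] == finding)


def risk_reduction(space, finding, total_findings=None):
    """Step 2: divide the total improvement by the number of findings in the
    space, so the result is a change in the Space Risk Score (an average over
    all findings). Defaults to the occurrence count (assumption)."""
    if total_findings is None:
        total_findings = len(space)
    if total_findings == 0:
        return 0.0
    return total_potential_improvement(space, finding) / total_findings


def top_actions(space, limit=30):
    """Rank every distinct finding by Risk Reduction, highest first, and keep
    the top `limit` (30 on the page). Ties break on finding ID for stability."""
    distinct = {r["finding"] for r in space}
    ranked = {f: risk_reduction(space, f) for f in distinct}
    return sorted(ranked.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


def space_risk_score(space):
    """Space Risk Score modelled as the mean risk score over all findings
    (assumption, used only to check the formula)."""
    return sum(r["risk_score"] for r in space) / len(space) if space else 0.0


def score_after_fixing(space, finding):
    """Space Risk Score after fixing `finding` everywhere: its scores become 0
    while the finding count (the denominator) stays the same."""
    fixed = [dict(r, risk_score=0) if r["finding"] == finding else r
             for r in space]
    return space_risk_score(fixed)


if __name__ == "__main__":
    cve = "CVE-2023-1234"
    print("total improvement:", total_potential_improvement(SAMPLE_SPACE, cve))
    print("risk reduction with 5,000 findings:",
          risk_reduction(SAMPLE_SPACE, cve, total_findings=5000))
    before = space_risk_score(SAMPLE_SPACE)
    after = score_after_fixing(SAMPLE_SPACE, cve)
    print("space score drop in the sample space:", before - after)
    for finding, reduction in top_actions(SAMPLE_SPACE, limit=3):
        print(f"{finding}: {reduction}")
```

Run as a script to see the 260-point total, the 0.052 result for a 5,000-finding space, and the top three actions for the constructed space. The final check matters in practice: the page's claim that fixing a finding "lowers the Space Risk Score by 0.052 points" holds only if the fixed finding still counts in the denominator; if your own model drops fixed findings from the count instead, the drop in the average will differ from the Risk Reduction value.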