The Desktop Software risk vector assesses whether the observed software versions are supported or unsupported by their vendors. Using desktop software is not in itself required to improve an organization's cyber security posture.
Grading of this risk vector is based on the estimated number of users. Each finding in this risk vector can be associated with one or more estimated users.
| Concept | Behavior |
| --- | --- |
| A default risk vector grade is assigned. | This default grade does not have a negative impact on the rating; it is equivalent to a perfect grade. Either: |
| The number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. | Duration: 65 days. There is a grace period of 28 days for validating and updating software packages. See finding behavior. |
| Percentage (out of 70.5% in Diligence) | 3% |
Finding Grading
The operating system (OS) and browser are graded independently from one another based on their support status. The finding grade is calculated from a combination of the OS and browser grades.
There is a grace period of 28 days to allow for validating and updating software packages.
- During the grace period, findings have a FAIR grade.
- FAIR findings for this risk vector do not have an impact on the rating.
- Findings observed after the end of the grace period and less than 365 days after the end of support have a WARN grade.
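The grading rules above, worked through as an added example (this is illustrative code written for this page, not Bitsight's implementation). It takes the 28-day grace period, the 365-day window and the 65-day finding lifetime from the page; the grade names other than FAIR and WARN, the treatment of software still under support, the grade beyond 365 days past end of support, and combining OS and browser by taking the worse of the two are assumptions, labelled as such in the comments.

```python
"""Worked example of the Desktop Software grading rules described on the page.
Added illustration only; not Bitsight's code. Values marked 'page' come from
the page, values marked 'assumption' do not."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

GRACE_PERIOD_DAYS = 28       # page: grace period for validating/updating software
WARN_WINDOW_DAYS = 365       # page: WARN applies less than 365 days after end of support
FINDING_LIFETIME_DAYS = 65   # page: days a finding impacts the risk vector grade

# Assumption: ordering used to pick the worse of two grades.
GRADE_ORDER = {"GOOD": 0, "FAIR": 1, "WARN": 2, "BAD": 3}


@dataclass
class Software:
    """One observed OS or browser. end_of_support=None means still supported."""
    name: str
    end_of_support: Optional[date]


def software_grade(sw: Software, observed: date) -> str:
    """Grade a single OS or browser on the observation date."""
    if sw.end_of_support is None or observed <= sw.end_of_support:
        return "GOOD"  # assumption: supported software does not degrade the grade
    days_past = (observed - sw.end_of_support).days
    if days_past <= GRACE_PERIOD_DAYS:
        return "FAIR"  # page: findings during the grace period are FAIR
    if days_past < WARN_WINDOW_DAYS:
        return "WARN"  # page: after the grace period and < 365 days past end of support
    return "BAD"       # assumption: the page does not state the grade beyond 365 days


def finding_grade(os_: Software, browser: Software, observed: date) -> str:
    """Combine the independent OS and browser grades into the finding grade.
    Assumption: the worse of the two grades wins."""
    grades = (software_grade(os_, observed), software_grade(browser, observed))
    return max(grades, key=GRADE_ORDER.__getitem__)


def affects_rating(grade: str) -> bool:
    """Page: FAIR findings (and, by assumption, GOOD ones) do not impact the rating."""
    return grade not in ("GOOD", "FAIR")


def impact_window(first_observed: date) -> Tuple[date, date]:
    """Page: a finding impacts the grade for its 65-day lifetime if nothing changes."""
    return first_observed, first_observed + timedelta(days=FINDING_LIFETIME_DAYS)


if __name__ == "__main__":
    # Constructed sample: an OS whose support ended on 2024-01-01 and a supported browser.
    old_os = Software("Sample OS (constructed)", date(2024, 1, 1))
    browser = Software("Sample Browser (constructed)", None)
    for when in (date(2024, 1, 15), date(2024, 3, 1), date(2025, 6, 1)):
        g = finding_grade(old_os, browser, when)
        print(when, g, "impacts rating:", affects_rating(g))
```

Running the block prints one line per constructed observation date: inside the grace period the finding is FAIR and does not affect the rating, between day 29 and day 364 it is WARN, and the last date only shows the labelled assumption for the case the page leaves open.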
See the following resources for more information:
- Graded Desktop Software Operating Systems
- Graded Desktop Software Browsers
- OS & Browser Version Evaluation
- Software Support Life Cycle & End-of-Life Policy
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- January 4, 2024: Clarified conditions for N/A risk vector grade.
- December 4, 2023: Finding lifetime definition link changed to Finding Lifetime section.