How is the Insecure Systems Risk Vector Assessed?

Ingrid

The Insecure Systems risk vector assessment is based on the supported/unsupported status and the level of risk that has been introduced to an organization.

Concept: Behavior

Insufficient Data: A default risk vector grade is assigned. Default: The rating is positively impacted if there are no findings for this risk vector.

Lifetime: The number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. Duration: 60 Days

Weight: Percentage (out of 70.5% in Diligence): 2.5%

Evaluation

Insecure Systems findings are evaluated as WARN, BAD, or NEUTRAL. An overall letter grade is calculated, using the evaluations of individual findings.

Software versions that cannot be determined or are unsupported, but still receive security fixes, are evaluated as “NEUTRAL.” These items do not affect the Insecure Systems grade, but should be resolved.

See finding messages: WARN, BAD, NEUTRAL

December 21, 2025: Updated language to align with product updates.
March 25, 2024: “No findings/low findings” changed to “insufficient data.”
December 12, 2023: Linked to no findings definition.
December 4, 2023: Finding lifetime definition link changed to Finding Lifetime section.