# Risk Level

The Risk Level (or RL) has the following properties:

* Issues with ***info*** and ***muted*** severity are **ignored** by the risk level calculation. They are just informative, and have no effect on the risk.
* A **single critical issue** makes the RL fall in the **high risk range** (*RL ≥ c_high*); similarly, a **single high severity issue** makes the RL fall in the **moderate risk range** (*RL ≥ c_low*). This is the "*a chain is as strong as its weakest link*" principle applied to the issues within a project: the single worst issue sets a floor for the project's risk, no matter how few other issues were found.
* **Monotonicity**: RL should not decrease when (non-info) issues are added, and should not increase when an issue is removed. In other terms: if A1 and A2 are sets of issues with *A1 ⊆ A2*, then *RL(A1) ≤ RL(A2)*.

  Also, if an issue changes to a higher severity, the RL should increase: more severe issues imply higher risk.
* **No issues, No Risk**: RL(∅) = 0. When no issues were detected *but analyses were run*, the risk level is 0. *Note: When no analysis is available for a project, then RL is undefined, NOT zero.*
* **Averaged risk**: For convenience, the RL for a group of projects, or for the whole organization, can be computed as a weighted average of the RL of the member projects.

{% hint style="info" %}
Because the RL for a group of projects is defined as a weighted average of the RL of each project in the group, the group RL also lies in the range \[0, 100] and is a linear function of the RL of the individual projects.
{% endhint %}

### Configuration <a href="#configuration" id="configuration"></a>

The relative weight of each issue kind and severity, and the weight of each project in the aggregated risk for the organization or for a group of projects, can be modified in the `xygeni.risk-level.yml` configuration file.

The cutoff values for each risk category can be configured as well:

```yaml
# Configuration for risk level

# Weights for each issue kind and severity level
#
# Each array is the weight for issues of the given kind,
# with critical, high and low severity, respectively.
weights:
  misconfiguration:    [3, 2, 1]
  suspect_dependency:  [3, 2, 1]
  secret:              [3, 2, 1]
  iac_flaw:            [3, 2, 1]
  unusual_activity:    [3, 2, 1]
  code_tampering:      [3, 2, 1]
  sca_vulnerability:   [3, 2, 1]

# Cutoff values for each risk category [c_low, c_high]
#
# high risk, when risk level >= c_high
# moderate risk, when risk level in the [c_low, c_high) interval
# low risk, when risk level < c_low
#
# c_low must be lower than c_high, and both in the range (0, 100)
cutoff: [33.33, 66.66]

# The factor for normalizing the weighted count of issues
# into the risk range. Approximately the average
steepness: 0.00666

# Weight for risk level aggregation across projects.
# The business value project property is used for selecting the weight.
project_weights:
  critical:  4
  high:      3
  medium:    2
  low:       1
```
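The properties listed above and the configuration knobs, carried through in an added example that is not Xygeni's own implementation: a small Python calculator that ignores info/muted issues, applies the weakest-link floors from the cutoff values, aggregates project RLs by business value, and validates the constraints the YAML comments state. The page does not say how the weighted issue count is mapped into the [0, 100] range, so the saturating normalization `100 * (1 - exp(-steepness * W))`, the `max(floor, normalized)` combination, the exclusion of projects without an analysis from the average, and the `(kind, severity)` tuples used as input are all assumptions of this example.

```python
"""
Added example, not Xygeni's implementation: a risk-level calculator that
satisfies the properties listed on this page using the knobs of
xygeni.risk-level.yml. Assumptions (the page does not state the formula):
  * W = sum of weights[kind][severity] over non-info, non-muted issues
  * RL_norm = 100 * (1 - exp(-steepness * W)), a saturating map of W into [0, 100)
  * weakest-link floors: any critical issue forces RL >= c_high, any high
    issue forces RL >= c_low, i.e. RL = max(floor, RL_norm)
  * projects without an analysis (RL undefined) are left out of the average
"""
import math

# Mirrors the YAML above; each weights array is [critical, high, low].
CONFIG = {
    "weights": {
        kind: [3, 2, 1]
        for kind in ("misconfiguration", "suspect_dependency", "secret", "iac_flaw",
                     "unusual_activity", "code_tampering", "sca_vulnerability")
    },
    "cutoff": [33.33, 66.66],
    "steepness": 0.00666,
    "project_weights": {"critical": 4, "high": 3, "medium": 2, "low": 1},
}

SEVERITY_INDEX = {"critical": 0, "high": 1, "low": 2}
IGNORED_SEVERITIES = {"info", "muted"}


def validate_config(cfg):
    """Checks the constraints stated in the YAML comments, plus the weight
    ordering that monotonicity needs (raising an issue's severity must not lower RL)."""
    c_low, c_high = cfg["cutoff"]
    if not (0 < c_low < c_high < 100):
        raise ValueError("cutoff must satisfy 0 < c_low < c_high < 100")
    if cfg["steepness"] <= 0:
        raise ValueError("steepness must be positive")
    for kind, (w_crit, w_high, w_low) in cfg["weights"].items():
        if not (w_crit >= w_high >= w_low >= 0):
            raise ValueError(f"weights for {kind} must satisfy critical >= high >= low >= 0")
    return True


def weighted_count(issues, cfg):
    """W for a list of (kind, severity) pairs; info/muted issues are ignored."""
    total = 0.0
    for kind, severity in issues:
        if severity in IGNORED_SEVERITIES:
            continue
        total += cfg["weights"][kind][SEVERITY_INDEX[severity]]
    return total


def risk_level(issues, cfg=CONFIG):
    """RL for one project. issues=None means 'no analysis available' (RL undefined)."""
    if issues is None:
        return None
    live = [(k, s) for k, s in issues if s not in IGNORED_SEVERITIES]
    if not live:
        return 0.0  # analyses ran and found nothing: no issues, no risk
    c_low, c_high = cfg["cutoff"]
    # Assumed normalization: monotone in W and saturating at 100.
    normalized = 100.0 * (1.0 - math.exp(-cfg["steepness"] * weighted_count(live, cfg)))
    # Weakest-link floor: the single worst issue decides the minimum range.
    severities = {s for _, s in live}
    floor = c_high if "critical" in severities else c_low if "high" in severities else 0.0
    return max(floor, normalized)


def risk_category(rl, cfg=CONFIG):
    """Maps an RL to the category defined by the cutoff values."""
    c_low, c_high = cfg["cutoff"]
    if rl >= c_high:
        return "high"
    if rl >= c_low:
        return "moderate"
    return "low"


def aggregated_risk_level(projects, cfg=CONFIG):
    """Weighted average over (business_value, issues) projects; the business
    value selects the weight from project_weights."""
    num = den = 0.0
    for business_value, issues in projects:
        rl = risk_level(issues, cfg)
        if rl is None:
            continue  # assumption: an undefined RL takes no part in the average
        w = cfg["project_weights"][business_value]
        num += w * rl
        den += w
    return None if den == 0 else num / den


if __name__ == "__main__":
    validate_config(CONFIG)
    # Constructed sample data, not real scan results.
    one_critical = [("secret", "critical")]
    mixed = [("secret", "critical"), ("sca_vulnerability", "high"),
             ("iac_flaw", "low"), ("misconfiguration", "info")]
    for name, issues in (("one critical", one_critical), ("mixed", mixed)):
        rl = risk_level(issues)
        print(f"{name}: RL={rl:.2f} ({risk_category(rl)})")
    org = aggregated_risk_level([("critical", one_critical),
                                 ("low", [("iac_flaw", "low")]), ("high", None)])
    print(f"organization: RL={org:.2f}")
```

Loading the real `xygeni.risk-level.yml` into the `CONFIG` dict shape is a single PyYAML `yaml.safe_load` call; it is not used here so that the block runs offline. The floor-then-normalize split is what makes the "single critical issue" guarantee hold regardless of `steepness`: with the default value a lone critical issue contributes `W = 3` and a normalized score of only about 2, so without the floor it would sit in the low range.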
