Scoring Methods
Scoring methods define how questionnaire responses are converted into numerical risk scores. Each method uses a configurable formula that can weight questions and sections and apply custom logic to calculate a final residual risk score on a 0–100 scale.
How scoring works
The calculation follows three steps: for each applicable question, the response score is retrieved and multiplied by the question weight (if enabled). Scores are then grouped by section and multiplied by section weights. Finally, all sections are summed and normalized to a 0–100 range.
Higher scores indicate higher risk.
Creating a scoring method
Navigate to Scoring Methods (from the vendor risk dashboard or Settings → Vendor Risk → Scoring Methods) and click Create Scoring Method.
| Field | Description |
|---|---|
| Name | Descriptive name (e.g., “Standard Vendor Risk Scoring”) |
| Description | When and how to use this method |
| Set as Default | Make this the default for new assessments (only one default at a time) |
Formula configuration
Scoring formulas are defined in JSON with three optional parameters:
sectionWeights — An object mapping section names to weight multipliers. Sections not listed default to 1.0. Use higher values (e.g., 2.0) for critical sections like Data Protection.
questionWeightMultiplier — Boolean. When true, individual question weights are multiplied with section weights. When false, only section weights apply.
maxScore / minScore — Optional bounds for the final score. Defaults to 0–100.
Example formulas
Simple weighted average — uses question weights only:

```json
{
  "questionWeightMultiplier": true,
  "maxScore": 100
}
```

Section-weighted — emphasizes critical security domains:

```json
{
  "sectionWeights": {
    "Data Protection": 2.0,
    "Security Governance": 1.5,
    "Incident Response": 1.0
  },
  "questionWeightMultiplier": false,
  "maxScore": 100
}
```

Score interpretation
The residual risk score maps to risk levels through the same thresholds used elsewhere in SecureHive. The assessment detail page displays the residual risk score, risk level, absolute risk reduction (inherent minus residual), and percentage reduction.
Only questions marked “Applicable” or “Partially Applicable” during analyst review contribute to the score. “Not Applicable” questions are excluded entirely.
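As an added worked example (not part of the SecureHive documentation or product code), the Python below runs the three calculation steps from "How scoring works" with both example formulas over a constructed set of answers, skipping the Not Applicable question as described above. The 0–5 response scale, the normalization (weighted total divided by weighted maximum attainable, then clamped to minScore/maxScore) and the `Answer` fields are assumptions, since the documentation does not specify them.

```python
import json
from dataclasses import dataclass

# Assumptions (not in the documentation): response scores are on a 0-5 scale, and
# normalization divides the weighted total by the weighted maximum attainable.
RESPONSE_MAX = 5.0

@dataclass
class Answer:
    section: str
    score: float          # analyst-assigned response score, 0..RESPONSE_MAX
    weight: float         # per-question weight (used only when enabled)
    applicability: str    # "Applicable", "Partially Applicable", "Not Applicable"

def residual_risk(answers, formula_json):
    """Apply a scoring-method formula (JSON as in the examples above) to answers;
    returns None when nothing is applicable, rather than a misleading 0."""
    formula = json.loads(formula_json)
    section_weights = formula.get("sectionWeights", {})   # unlisted sections -> 1.0
    use_question_weights = formula.get("questionWeightMultiplier", False)
    max_score, min_score = formula.get("maxScore", 100), formula.get("minScore", 0)
    total, attainable = {}, {}   # per-section weighted sums
    for a in answers:
        if a.applicability == "Not Applicable":
            continue             # excluded entirely from the score
        w = a.weight if use_question_weights else 1.0   # step 1: question weight
        total[a.section] = total.get(a.section, 0.0) + a.score * w
        attainable[a.section] = attainable.get(a.section, 0.0) + RESPONSE_MAX * w
    # step 2: apply section weights; step 3: sum, normalize to 0-100, apply bounds
    weighted_total = sum(v * section_weights.get(s, 1.0) for s, v in total.items())
    weighted_max = sum(v * section_weights.get(s, 1.0) for s, v in attainable.items())
    if weighted_max == 0:
        return None
    score = weighted_total / weighted_max * 100
    return round(min(max(score, min_score), max_score), 1)

# The two formulas from the documentation, as the JSON an analyst would enter.
SIMPLE_WEIGHTED = '{"questionWeightMultiplier": true, "maxScore": 100}'
SECTION_WEIGHTED = ('{"sectionWeights": {"Data Protection": 2.0, '
                    '"Security Governance": 1.5, "Incident Response": 1.0}, '
                    '"questionWeightMultiplier": false, "maxScore": 100}')

# Constructed sample assessment; the Not Applicable answer must not change the score.
SAMPLE_ANSWERS = [
    Answer("Data Protection", 4, 2.0, "Applicable"),
    Answer("Data Protection", 1, 1.0, "Partially Applicable"),
    Answer("Security Governance", 2, 1.0, "Applicable"),
    Answer("Incident Response", 5, 1.0, "Applicable"),
    Answer("Incident Response", 5, 3.0, "Not Applicable"),
]
```

The same answers score 64.0 under the simple weighted formula and 55.4 under the section-weighted one, which is the effect of doubling Data Protection while dropping question weights.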
Best practices
Start with a simple equal-weight formula and refine based on results. Weight sections that are most critical to your risk profile more heavily (data protection, access control). Test new scoring methods with sample assessments before making them the default. Use the description field to document when each method should be used and why specific weights were chosen.