2.16.2 Calculation of the assessment level in Security Diagnosis Reports

Security Diagnosis Reports display the results of calculating, analyzing, and diagnosing the outcome of judging the security status of devices. In addition to the total security assessment level, it displays the assessment levels for individual categories (such as the Antivirus Software status and the Security Settings status) and the transitions of assessment levels.

Security Diagnosis Reports display assessments in five levels (A to E). Level A is the safest, and Level E is the most unsafe. An assessment level is determined by the points for individual devices, which are based on the security judgment results. If all security judgment items are in Safe status for a device, the device will have 100 points. If some judgment items are not in Safe status, points will be deducted based on the judgment results for the security judgment items. Even if the average number of points is high, the assessment level will become low if one or more computers are in Critical status during the judgment period.

In Security Diagnosis Reports, an assessment level displayed in the Category Assessment Status area will become low if one or more computers are in Critical status, to let you consider countermeasures for items with low security status. On the other hand, an assessment level displayed in the Assessment and # of Target Trend is determined based on the average number of points for each category, to let you understand security status trends. For this reason, the assessment levels might be different between Category Assessment Status and Assessment and # of Target Trend.

The following table lists the points that are to be deducted for individual violation levels.

Violation level	Deduction points
Critical	25
Important	16
Warning	6
Safe	0

Note that points are not deducted when a judgment error occurs, judgment items are missing, or there is not enough information for security judgment.

The following table lists the criteria for the total security assessment level.

Assessment level	Average points	Minimum points	Violation level in the judgment results	Category assessment level
A	90 to 100	90 to 100	No Critical and Important levels	Level A only
B	80 to 89	80 to 89	No Critical levels	Level A and B only
C	65 to 79	50 to 79	No Critical levels	Level A to D only
D	50 to 64	Not defined.	Not defined.	Not defined.
E	0 to 49	Not defined.	Not defined.	Not defined.

For example, assume that the average number of points is 95 (which corresponds to level A), the minimum number of points is 87 (which corresponds to level B), the violation level in the judgment results is "No Critical and Important levels" (which corresponds to level A), and the category assessment level is "Level A and B only" (which corresponds to level B). In this case, the total security assessment level becomes level B. Thus, the lowest assessment level among the above four items ("Average points", "Minimum points", "Violation level in the judgment results", and "Category assessment level") will become the total security assessment level.

The following table lists the criteria of the category assessment levels.

Assessment level	Average points	Minimum points	Violation level in the judgment results
A	90 to 100	90 to 100	No Critical and Important levels
B	80 to 89	80 to 89	No Critical levels
C	65 to 79	50 to 79	No Critical levels
D	50 to 64	Not defined.	Not defined.
E	0 to 49	Not defined.	Not defined.

For example, assume that the average number of points is 95 (which corresponds to level A), the minimum number of points is 87 (which corresponds to level B), and the violation level in the judgment results is "No Critical and Important levels" (which corresponds to level A). In this case, the category assessment level becomes level B. Thus, the lowest assessment level among the above three items ("Average points", "Minimum points", and "Violation level in the judgment results") will become the category assessment level.

To Page Top