How does ServiceNow differentiate between 'Low', 'Medium', and 'High' risks?

Prepare for the ServiceNow CIS Vulnerability Response exam. Utilize our flashcards and multiple choice questions, each enhanced with detailed hints and explanations. Gear up for success in your certification journey!

ServiceNow differentiates between 'Low', 'Medium', and 'High' risks by analyzing the potential impact and exploitability of vulnerabilities. This approach involves a systematic assessment of how a vulnerability could affect an organization's assets if exploited and the likelihood of that exploitation occurring.

By evaluating both the severity of the vulnerability (impact) and the ease with which it could be exploited (exploitability), ServiceNow assigns a risk level to each vulnerability. For instance, a vulnerability may be deemed 'High' risk if it has the potential to cause significant harm and is easily exploitable, while a 'Low' risk vulnerability might have a limited impact or be difficult to exploit. This method ensures that organizations can prioritize remediation efforts effectively based on actual threat potential, allowing for a more strategic allocation of resources to manage risks.

Other approaches such as conducting user surveys, assessing regulatory compliance, or vendor assessments may provide useful context or additional insights but do not directly relate to the core risk assessment framework that evaluates threats based on impact and exploitability.
