1. Log in to MDRAP.
2. On the MDRAP Home page, click on the Go to Assessments link or click on the Assessments tab in the navigation bar across the top of the page.
3. The list of assessments for your organization will be displayed.
4. Click the Advanced button to open the filtering set, including Product Code, Manufacturer, Location and Care Delivery Area, for all In Progress and Completed Assessment reporting pages.
5. Click on the View Results graphic icon (highlighted in yellow in the screenshot below) to view the Risk Scoring Results for the assessment of interest.
6. The Risk Scores graph will be displayed in a new window. Results graph scores are displayed with 2 decimal digits.
7. Each device is evaluated based on implementation and use of multiple security controls. A single aggregate score is generated for the device and displayed below the name of the device being assessed (i.e., Score: 16.55, highlighted in yellow in the screenshot above).
8. Attributes graphed include Impact (X-axis), Likelihood of Exploit (Y-axis), and Level of Effort (LOE) (size of ball) score for each Control Category. In addition to the graphic representation, the actual numeric results are also shown alongside each control category and statements (identified in Notes below the graph) highlight areas that contributed to raising the assessed risk for the Control Category based on the organization's answers to the MDISS Risk Assessment questons; these are potential security weaknesses for each Control Category.
9. Dimension Score Equations
Risk = AVG(Exposure(s), Effectiveness, Impact, Severity) x Threat Modifier
Likelihood = AVG(Exposure(s), Effectiveness) x Threat Modifier
LOE = Score Value from Level of Effort Question
To summarize, the MDISS Scoring Model (MSM) takes a completed MDISS Risk Assessment Questionnaire and creates three scores for each of 10 Control Categories. The computation starts at the question-level with points assigned to the answered questions. For each Control Category, the Scored Questions are then aggregated into "Score Components" that represent various aspects of risk for the Control Category. These include Control Effectiveness, Risk Exposure(s), Impact, Severity, Threat Modifier, and Level of Effort (LOE). The Score Components are then aggregated into the three top-level Dimension Scores (Risk, Likelihood, and Level of Effort). These Dimension Scores are then shown as a part of the Assessment Results within the MDRAP interface.
The Control Categories displayed, based on IEC 80001-1 Standards.
Level of Effort to Remediate (LOE)
This score ranges from 1 to 10 and is an estimate of the difficulty/cost to remediate any particular deficient control. It is based on multiple factors such as the willingness of the device manufacturer to perform the remediation as well as the complexity and cost of remediation. Note that some remediation can be done without the manufacturer's cooperation - often by adding external controls to reduce the attack surface (i.e., compensating controls).
This score ranges from 1 to 10 and represents the computed likelihood that a vulnerability within the Control Category will be exploited or that the control will fail.
Computed_Likelihood = (Exposure * Effectiveness * Experience_Modifier)/10
This score ranges from 1 to 10 and the size of each ball on the chart is an estimate of the overall Risk that a vulnerability within the Control Category will be exploited or that the control will fail. It represents in one number the Risk to the enterprise of a compromise of a particular control based on how the control is implemented (or not implemented), the impact to both the institution and the Information Technology (IT) department in remediation, and the likelihood of compromise.