Risk Scoring System - High-Level Design

Audience: Technical Teams, Management, Product Owners\nReading Time: 10 minutes\nLast Updated: November 12, 2025

🎯 The Big Picture

Imagine your organization's security as a living, breathing organism. Every security event—a detected threat, a resolved incident, a new vulnerability—affects its health. But how do you measure this health in real-time? How do you communicate "Are we secure?" in a single glance?

Enter the Risk Scoring System: A self-updating "credit score" for your security posture that transforms thousands of security events into one meaningful number.

🧠 Core Philosophy: Event-Driven Intelligence

The system operates on a simple but powerful principle:

"Every security event tells a story. We listen, calculate, and update—automatically."

No manual spreadsheets. No weekly reports. No guesswork. Just real-time, data-driven security metrics.

🏗️ Architecture at a Glance

Think of the system as a three-layer cake:

┌─────────────────────────────────────┐
│     🎨 PRESENTATION LAYER           │
│  (What users see and interact with) │
├─────────────────────────────────────┤
│     🧮 COMPUTATION LAYER            │
│   (Where the math magic happens)    │
├─────────────────────────────────────┤
│     📊 DATA LAYER                   │
│   (Event streams & persistence)     │
└─────────────────────────────────────┘

Layer 1: Data Layer (The Foundation)

What happens here: Every security action—detection created, incident resolved, vulnerability patched—gets logged as an audit event.

Technical Detail: These events stream through our EventLog system in real-time. Think of it as a river of security activity flowing 24/7.

Example Event:

"A new phishing detection was classified"
↓
Event: monitor.DETECTION_INTELLIGENT_CLASSIFICATION_COMPLETED

Entity: DDT-C321-7071-4519

Timestamp: 2025-11-12 14:23:45

Layer 2: Computation Layer (The Brain)

What happens here: The system watches the event stream, recognizes important events, and automatically calculates score impacts.

The Flow:

📨 Event arrives
    ↓
🎯 Match event to modules
    ↓
🧮 Calculate score change
    ↓
💾 Update module scores
    ↓
🌍 Recalculate global score
    ↓
✅ Done (in milliseconds!)

Key Components:

1. Module Definitions (The Categories)

Security is divided into meaningful areas:

• 🛡️ Attack Surface Management - Your exposed assets and vulnerabilities
• 🎭 Brand Protection - Phishing, domain squatting, reputation threats
• 📋 Compliance - Policy violations, audit findings
• 🔍 Threat Intelligence - Active threats, indicators of compromise

Each module "listens" for specific events using triggers.

2. Configuration Engine (The Rulebook)

This is where organizations customize their scoring:

• Weights: "Attack Surface matters 40%, Brand Protection 35%, Compliance 25%"
• Formulas: Optional advanced math for complex scoring scenarios
• Module Selection: Choose which areas to monitor

Real-World Example:

Organization: FinTech Startup

Priority: Compliance is critical (regulated industry)

Configuration:
- Attack Surface: 30%
- Brand Protection: 20%
- Compliance: 50%  ← Heavily weighted!

3. Score Calculator (The Math Engine)

When an event occurs:

1. Find affected modules - "This detection affects ASM and Threat Intel"
2. Calculate impact - "ASM: -2 points, Threat Intel: -1.5 points"
3. Update module scores - "ASM: 85 → 83, Threat Intel: 90 → 88.5"
4. Recalculate global - "Global: 87.5 → 85.8" (weighted average)

The Math (Simplified):

Global Score = (ASM × 40%) + (Brand × 35%) + (Compliance × 25%)
             = (83 × 0.40) + (90 × 0.35) + (95 × 0.25)
             = 33.2 + 31.5 + 23.75
             = 88.45 ✨

Layer 3: Presentation Layer (The Experience)

What happens here: All this computation becomes beautiful, actionable visualizations.

🎨 The Dashboard

Central Feature: A shield-shaped gauge showing your global score with animated water fill:

        ___
       /   \
      |  87 |  ← Your score (animated!)
       \___/

    🟢 Excellent

Color Psychology:

• 80-100 (Green) - "Excellent" - Sleep well tonight
• 60-79 (Green) - "Good" - Solid, minor improvements needed
• 40-59 (Amber) - "Fair" - Time to take action
• 0-39 (Red) - "Needs Attention" - All hands on deck!

📊 Real-Time Updates

User Experience:

1. Security analyst triages a detection
2. Within 2-3 seconds, the dashboard refreshes
3. Module score updates with smooth animation
4. Global score recalculates automatically
5. Change appears in "Recent Activity" feed

No refresh button needed. It just works.

🔄 The Complete Journey: Event to Dashboard

Let's follow a real security event through the entire system:

🎬 Act 1: The Event

10:45 AM - A security analyst classifies a new phishing detection as "High Severity"

Audit Log Created:
├─ Action: monitor.DETECTION_INTELLIGENT_CLASSIFICATION_COMPLETED
├─ Entity: DDT-C321-7071-4519 (the detection)
├─ Severity: HIGH
└─ Timestamp: 2025-11-12 10:45:23

🎬 Act 2: The Recognition

10:45:23.001 - EventScoringProvider wakes up

🤖 "I heard that! Let me check my triggers..."

Trigger Match Found:
✓ DETECTION_INTELLIGENT_CLASSIFICATION_COMPLETED

Affected Modules:
├─ Attack Surface Management (multiplier: -2.0)
└─ Threat Intelligence (multiplier: -1.5)

🎬 Act 3: The Calculation

10:45:23.015 - Score updates begin

Module Updates:
┌─────────────────────┬─────┬─────┬────────┐
│ Module              │ Was │ Now │ Change │
├─────────────────────┼─────┼─────┼────────┤
│ Attack Surface      │ 85  │ 83  │ -2.0   │
│ Threat Intelligence │ 90  │ 88.5│ -1.5   │
│ Brand Protection    │ 92  │ 92  │ (no change)
│ Compliance          │ 95  │ 95  │ (no change)
└─────────────────────┴─────┴─────┴────────┘

Global Recalculation:
Old: (85×40%) + (90×35%) + (92×15%) + (95×10%) = 88.8

New: (83×40%) + (88.5×35%) + (92×15%) + (95×10%) = 87.475

Final: 87.48 (rounded to 2 decimals)

🎬 Act 4: The Visualization

10:45:23.120 - Dashboard updates (105ms total latency!)

User sees:
├─ Shield gauge animates from 88.8 → 87.5
├─ Module cards update with smooth transitions
├─ "Recent Changes" shows new entry:
│   "Attack Surface: 85 → 83 (Detection classified)"
└─ Trend chart adds new data point

Total time from event to visual update: ~105 milliseconds ⚡

🎛️ Configuration Flexibility

For the Non-Technical Administrator

Quick Setup Wizard (5 minutes):

1. ✅ Select modules from templates
2. 🎚️ Adjust weight sliders (must total 100%)
3. 👁️ Preview score impact
4. 💾 Save and go live!

For the Technical Power User

Advanced Options:

• 🧮 Custom Formulas - severity × confidence × 0.5 + threatLevel
• 🎯 Custom Triggers - Map any audit log action to any module
• 📊 Multiple Configurations - Different scoring for different teams
• 🔌 API Access - 55+ endpoints for integration

📈 Real-World Scenarios

Scenario 1: Security Team Dashboard (Morning Standup)

9:00 AM - Team lead opens dashboard:

🟢 Global Score: 87 (Excellent)

Module Breakdown:
├─ 🛡️ Attack Surface: 85 ↓ (2 new vulnerabilities)
├─ 🎭 Brand Protection: 92 ↑ (phishing domains taken down)
├─ 📋 Compliance: 88 → (no change)
└─ 🔍 Threat Intelligence: 84 ↓ (3 new IOCs detected)

🎯 Action Items:
"Focus on Attack Surface today - score trending down"

Decision made in 30 seconds.

Scenario 2: Executive Board Meeting

CEO: "How's our security posture?"\nCISO: Opens dashboard "We're at 87—Excellent range. Up from 82 last quarter."

📊 Trend (90 days):
    90 ┤     ╭───╮
    85 ┤   ╭─╯   ╰─╮  ← We are here
    80 ┤───╯        ╰──
       └─────────────────
       Aug  Sep  Oct  Nov

✅ 5-point improvement
✅ Above industry average (75)
✅ Zero critical incidents this quarter

Board confidence: High. Meeting: Successful.

Scenario 3: Compliance Audit

Auditor: "Show me evidence of continuous security monitoring."

Security Officer: Exports audit trail

📋 Score Change History (Last 30 Days)
┌────────────┬────────┬─────┬─────┬──────────────┐
│ Date       │ Module │ Old │ New │ Reason       │
├────────────┼────────┼─────┼─────┼──────────────┤
│ 2025-11-12 │ ASM    │ 85  │ 87  │ Vuln patched │
│ 2025-11-11 │ Brand  │ 88  │ 92  │ Domain fixed │
│ 2025-11-10 │ TI     │ 90  │ 88  │ IOC detected │
└────────────┴────────┴─────┴─────┴──────────────┘

✅ Complete audit trail
✅ Automated tracking
✅ Compliance requirement: MET

🔒 Data Integrity & Security

Audit Trail Everything

Every score change is logged:

• Who/what caused it
• When it happened
• Old value → New value
• Associated security event
• Automatic (no human intervention needed)

Score Boundaries

Automatic safeguards:

• Scores clamped to 0-100 range
• Invalid formulas rejected before saving
• Weight validation (must sum to 100%)
• No arbitrary code execution in formulas

Organization Isolation

Multi-tenant safety:

• Scores scoped to organizations
• No cross-org data leakage
• Configuration per organization
• Independent module definitions

🚀 Performance & Scalability

Real-Time at Scale

Current Performance:

• ⚡ Event processing: <100ms average
• 📊 Dashboard load: <500ms
• 🔄 Score updates: Near-instant (2-3 seconds to UI)
• 💾 Audit log storage: MongoDB (horizontally scalable)

Optimization Techniques:

• Batch module updates before global calculation
• Skip redundant recalculations
• Efficient database indexing
• Reactive UI updates (no polling)

Future-Proof Architecture

Easy to extend:

• ✅ Add new modules without code changes
• ✅ Create new formulas through UI
• ✅ Adjust weights on the fly
• ✅ Deploy multiple scoring systems (security, compliance, SLA, etc.)

🎓 Key Takeaways

For Management

✅ One number tells the whole story - No need to parse complex reports\n✅ Automatic and real-time - Always up-to-date without manual work\n✅ Data-driven decisions - Prioritize based on quantifiable impact\n✅ Audit-ready - Complete history of all changes

For Security Teams

✅ Actionable insights - Know exactly what needs attention\n✅ Trend visibility - See if you're improving or declining\n✅ Event correlation - Understand what affects your score\n✅ Customizable - Match your organization's priorities

For Technical Teams

✅ Event-driven architecture - Scalable and maintainable\n✅ API-first design - Easy integration with other tools\n✅ Formula engine - Flexible scoring logic\n✅ Complete audit trail - Full traceability in audit logs

🎯 The Bottom Line

Traditional approach:

Manually review alerts → Compile reports → Present findings
⏱️ Time: Hours/Days | 📉 Accuracy: Subjective | 🔄 Update frequency: Weekly

Risk Scoring System:

Events happen → Scores update → Dashboard shows status
⏱️ Time: Seconds | 📊 Accuracy: Calculated | 🔄 Update frequency: Real-time

Result: Transform security posture from a quarterly report into a living, breathing metric that guides daily decisions.

📚 Want to Learn More?

• For Customer: See http://localhost:3000/dev/org-control/risk-configuration?tab=documentation
• For CX Teams: See https://docs.tik.one/doc/scoring-cx-team-guide-nwz1d9gC5v
• For Testers: See https://docs.tik.one/doc/scoring-test-cases-PrLchaPw0t
• For Developers: See https://lab.tik.co/uni/hunto/app/-/issues/1432

🎬 Ready to Get Started?

5-Minute Quick Start:

1. Navigate to /dev/org-control/risk-configuration
2. Click "Quick Setup Wizard"
3. Select modules and adjust weights
4. Save configuration
5. Watch your scores initialize and start updating!

That's it. You're now monitoring security posture in real-time. 🚀