Platform Update: Advanced Risk Scoring for Risk Management | Arte

Arte introduces Advanced Risk Scoring — multi-framework risk assessments with threat intelligence, vulnerability context, and residual risk calculation across I

Arté Team · 2026-02-07

Managing information security risks effectively requires more than spreadsheets and gut feelings. Risk management software brings structure, intelligence, and consistency to a process that most organizations still handle manually: a structured approach that accounts for the threats they face, the vulnerabilities in their environment, and the effectiveness of the controls they have in place. That is what Arte's risk management capabilities are designed to deliver. This post is an overview of the risk management features now available on the platform, including the Advanced Risk Scoring engine, which brings real-world threat and vulnerability intelligence into every risk assessment.

Risk Assessments — The Core of Risk Management

Risk Assessments is the primary module for identifying, evaluating, and treating information security risks. The platform supports full risk assessment workflows across four frameworks:

- Information Security (based on ISO 27001 / NIST CSF)
- AI Risk Assessment (aligned with ISO 42001 and EU AI Act considerations)
- Supply Chain Risk Assessment (based on NIST SP 800-161 principles)
- Business Continuity (aligned with ISO 22301)

Each assessment guides users through a structured process: identifying risks, assigning threat sources and vulnerabilities, scoring likelihood and impact on a standard 5x5 risk matrix, applying controls and mitigations, and calculating residual risk.

Risk Register — Your Organization's Risk Inventory

The Risk Register provides a centralized, read-only view of all identified risks across every assessment. It serves as a living registry: a single place where security officers and management can review the organization's full risk landscape, track risk levels, and monitor trends over time without modifying assessment data directly.

Advanced Risk Scoring

This is where the platform goes beyond traditional manual scoring.
When users create or evaluate a risk, the Advanced Risk Scoring engine provides data-driven score suggestions based on multiple intelligence layers. They are suggestions rather than final scores; the layers below explain where each suggestion comes from.

Threat-Aware Scoring

Every risk assessment considers the specific threat sources relevant to the identified risk. The platform maintains a threat library of over 100 threat profiles across all four frameworks, from external cybercriminals and nation-state actors to insider threats, ransomware, supply chain compromises, AI-specific threats such as adversarial attacks and prompt injection, and business continuity risks such as pandemic scenarios and infrastructure failures. Each threat is evaluated for its execution characteristics: the capability and motivation of the threat actor, the opportunity for exploitation, and how frequently it occurs in the real world. This threat context directly influences the risk score, so a risk exposed to a highly capable and motivated threat actor is scored differently from one facing a low-frequency environmental event.

Vulnerability Context

On the vulnerability side, the platform evaluates over 130 vulnerability and control profiles. Each vulnerability is assessed on how easy it is to exploit, using the same kind of factors CVSS uses: attack complexity, the level of access required, whether user interaction is needed, and the degree of network exposure. A publicly accessible unpatched system is therefore scored with more urgency than an internally isolated configuration weakness, because the real-world exploitability is fundamentally different.

External Intelligence Integration

The scoring engine does not rely solely on internal data. It cross-references two external intelligence sources, and in both cases the enrichment only ever moves a score upward; it never lowers an internal assessment:

- MITRE ATT&CK Framework — Selected threats are mapped to known ATT&CK techniques, providing real-world adversary behavior context. When external threat intelligence indicates a higher severity than the internal assessment, the suggested score is raised automatically.
- NVD/CVE/CWE Database — Selected vulnerabilities are matched against the National Vulnerability Database, pulling in CVE statistics and Common Weakness Enumeration data. If real-world exploit data indicates higher exploitability, the vulnerability score is adjusted upward.

This dual-source enrichment means risk scores reflect the observed threat landscape as well as the assessor's own judgement, not theoretical assessments alone.

Organization-Specific Learning

The scoring engine learns from your organization's own risk history. As you complete more assessments, the system draws on your historical data to provide increasingly relevant suggestions, matching by assessment type, risk category, and semantic similarity in risk descriptions. New organizations benefit immediately from pre-seeded industry benchmark data covering thousands of risks across multiple sectors.

Suggested Threats and Vulnerabilities

When identifying a risk, the platform proactively suggests the most relevant threats and vulnerabilities based on the selected risk category and framework. These suggestions are prioritized by severity, helping assessors consider the most critical threat-vulnerability combinations rather than starting from a blank page.

Residual Risk Calculation

After controls and mitigations are applied to a risk, the platform calculates the expected residual risk: the risk level that remains after treatment measures are in place.
The calculation model accounts for:

- Control type effectiveness — Different control types (preventive, detective, corrective, technical, administrative, physical, compensating) reduce likelihood and impact in different proportions, reflecting their real-world function: a preventive control mostly lowers likelihood, while a corrective control mostly limits impact.
- Implementation maturity — A fully implemented control provides its full reduction effect, while a planned control provides only partial benefit.
- Diminishing returns — Stacking multiple controls of the same type yields progressively smaller reductions, reflecting the reality that security layers don't add up linearly.
- Minimum risk floor — No combination of controls can eliminate risk entirely; a residual floor ensures that risk is managed, not imagined away.

The result is a transparent breakdown showing how each control contributes to risk reduction, the overall reduction percentage, and a recommendation based on the residual risk level.

What This Means for Your Organization

Together, these capabilities give security teams a complete risk management lifecycle:

- Identify risks with guided assessments across four frameworks
- Evaluate them with data-driven scoring informed by threat intelligence and vulnerability context
- Treat them by applying controls and mitigations with measured effectiveness
- Review all identified risks in a centralized Risk Register

Whether you're building your risk management program from scratch or looking to replace manual processes with a structured, intelligence-informed approach, Arte's risk management module is designed to make the process faster, more consistent, and more defensible.
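To make the scoring and residual-risk rules described above concrete, here is a toy scorer written for this article. It is an added illustration, not Arte's code: the exploitability multipliers, the threat averaging, the raise-only external enrichment value, the per-control-type reduction fractions, the maturity factors, the same-type decay rate, the floor and the 5x5 banding are all assumptions chosen to show the shape of the model, not values from the platform.

```python
"""Toy 5x5 risk scorer with residual-risk treatment.

Added illustration, not Arte's engine: every multiplier, control-effect
fraction, maturity factor, decay rate, floor and matrix band below is an
assumption chosen to make the article's rules visible.
"""
from dataclasses import dataclass

# Assumed exploitability multipliers for the CVSS-like factors the article lists.
COMPLEXITY = {"low": 1.0, "high": 0.5}
ACCESS = {"none": 1.0, "low": 0.7, "high": 0.4}
EXPOSURE = {"internet": 1.0, "internal": 0.6, "local": 0.3}

@dataclass(frozen=True)
class Threat:  # execution characteristics, each on a 1-5 scale
    capability: int
    motivation: int
    opportunity: int
    frequency: int

@dataclass(frozen=True)
class Vulnerability:
    attack_complexity: str  # "low" | "high"
    access_required: str    # "none" | "low" | "high"
    user_interaction: bool
    network_exposure: str   # "internet" | "internal" | "local"

def clamp_1_5(x):
    """Round half up and keep the value on the matrix's 1-5 scale."""
    return max(1, min(5, int(x + 0.5)))

def threat_score(t):
    return (t.capability + t.motivation + t.opportunity + t.frequency) / 4

def exploitability(v):
    """1 (hard to exploit) .. 5 (trivially exploitable)."""
    f = COMPLEXITY[v.attack_complexity] * ACCESS[v.access_required] * EXPOSURE[v.network_exposure]
    if v.user_interaction:
        f *= 0.7
    return 1 + 4 * f

def likelihood(t, v, external=0):
    """Internal likelihood from threat + vulnerability. `external` is an assumed
    1-5 value derived from ATT&CK/NVD intelligence; it can only raise the score."""
    internal = clamp_1_5((threat_score(t) + exploitability(v)) / 2)
    return max(internal, external)

def band(score):
    """Assumed banding of likelihood x impact on the 5x5 matrix."""
    if score >= 17:
        return "Critical"
    if score >= 10:
        return "High"
    return "Medium" if score >= 5 else "Low"

# Assumed (likelihood, impact) reduction fractions per control type.
CONTROL_EFFECT = {
    "preventive": (0.40, 0.05), "detective": (0.10, 0.25), "corrective": (0.05, 0.35),
    "technical": (0.30, 0.10), "administrative": (0.15, 0.10), "physical": (0.25, 0.10),
    "compensating": (0.15, 0.15),
}
MATURITY = {"implemented": 1.0, "partial": 0.5, "planned": 0.25}
SAME_TYPE_DECAY = 0.5  # each extra control of the same type gets half the previous effect
RISK_FLOOR = 2.0       # the residual score never drops below this

@dataclass(frozen=True)
class Control:
    name: str
    ctype: str
    maturity: str

def residual_risk(lik, impact, controls):
    """Apply controls in order to the remaining likelihood/impact; return score + breakdown."""
    l, i, seen, breakdown = float(lik), float(impact), {}, []
    for c in controls:
        base_l, base_i = CONTROL_EFFECT[c.ctype]
        n = seen.get(c.ctype, 0)       # how many of this type already applied
        seen[c.ctype] = n + 1
        factor = MATURITY[c.maturity] * SAME_TYPE_DECAY ** n
        dl, di = l * base_l * factor, i * base_i * factor
        l, i = l - dl, i - di
        breakdown.append((c.name, round(dl, 2), round(di, 2)))
    inherent = lik * impact
    residual = max(RISK_FLOOR, max(1.0, l) * max(1.0, i))
    return {"inherent": inherent, "residual": residual, "band": band(residual),
            "reduction_pct": 100 * (1 - residual / inherent), "breakdown": breakdown}

if __name__ == "__main__":
    ransomware = Threat(capability=4, motivation=5, opportunity=4, frequency=5)
    exposed = Vulnerability("low", "none", False, "internet")   # unpatched, internet-facing
    isolated = Vulnerability("high", "low", False, "internal")  # config weakness, isolated host
    print(likelihood(ransomware, exposed), likelihood(ransomware, isolated, external=4))
    print(residual_risk(likelihood(ransomware, exposed), 4, [
        Control("patching SLA", "preventive", "implemented"),
        Control("WAF", "preventive", "implemented"),     # same type: halved effect
        Control("EDR alerting", "detective", "planned"),  # planned: quarter effect
    ]))
```

Run as a script, the same ransomware threat gives likelihood 5 against the internet-facing unpatched system and 3 against the isolated configuration weakness, and an assumed external value of 4 raises the latter to 4 but would never lower the former. With impact 4 the exposed risk is inherent 20 (Critical); the second preventive control contributes half of what the first did, the planned detective control a quarter of its full effect, and the three together bring the score to about 8.1 (Medium), with the floor guaranteeing that no stack of controls reports 100% reduction. Control order matters to the same-type decay, so a real engine should document which ordering it uses.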