What is a Business Impact (BI) Score?
What is a Business Impact Score?
A Business Impact (BI) Score quantifies the business criticality of an IT asset. It captures what technical vulnerability scores alone cannot — how much a security incident affecting this asset would impact the business.
A CVSS 9.0 vulnerability on a core revenue system has a fundamentally different impact than the same vulnerability on a test environment. The BI Score embeds this business context into security assessments.
Why Business Impact Matters
Bridging security and management
When security teams report technical risk alone, executives often struggle to translate it into action. A BI Score lets a finding be stated as "this vulnerability affects a critical system", which is input directly tied to a business decision.
Optimal resource allocation
Applying equal security investment to every system is unrealistic in both cost and time. With BI Scores, organizations can direct the most resources to the most critical systems.
Compliance requirements
Many security frameworks (ISO 27001, NIST CSF, etc.) call for a Business Impact Analysis (BIA). The BI Score gives that analysis a consistent, quantitative per-asset input.
How PentaTrail Computes the BI Score
The BI Score is an integer between 5 and 13, computed as the sum of three axes. Hosts without tags default to 9.
1. purpose
Represents what the host is used for. Range: 1–5.
| Value | Tag | Examples |
|---|---|---|
| 5 | public / remote_access | Public web, API, VPN |
| 4 | restricted / mail_infra | Limited-access systems, mail |
| 3 | development / unknown | Dev environment, unclassified assets |
| 2 | internal_only | Internal-only systems |
| 1 | archived | Decommissioned or pre-restart systems |
2. data_classification
Represents the sensitivity of data the host handles. Values: 3 or 5 (the minimum is 3, so a "no business impact" level cannot be selected for data classification).
| Value | Tag | Examples |
|---|---|---|
| 5 | personal_data / payment_data / confidential | Customer data, payments, restricted data |
| 3 | public_only / unknown | Public-only content, unclassified |
3. availability
Represents the host's downtime tolerance. Range: 1–3.
| Value | Tag | Examples |
|---|---|---|
| 3 | mission_critical / unknown | 24/7 systems |
| 2 | business_hours | Business-hours operation only |
| 1 | non_critical | Back-office, ephemeral systems |
Score boundaries
- Minimum: 5 = 1 + 3 + 1 (archived + public_only + non_critical)
- Maximum: 13 = 5 + 5 + 3 (public + confidential + mission_critical)
- Default: 9 = 3 + 3 + 3 (untagged hosts: unknown on every axis)
BI Score and TER Bands
The BI Score is useful on its own, but its real value emerges when combined with TDL (Threat Discovery Level). PentaTrail divides BI Scores into three tiers and combines each tier with TDL to assign a TER band (S/A/B/C/D).
| BI Score range | Tier | Examples |
|---|---|---|
| 11–13 | High BI | Public e-commerce, payment infrastructure, customer DB |
| 6–10 | Mid BI | Internal business systems, limited-access apps |
| 5 | Low BI | Decommissioned systems, non-critical internal tools |
Note that an untagged host defaults to 9 and therefore lands in Mid BI. A public system holding personal data scores 13 (High BI) once tagged, so every host that has not yet been classified is under-scored until its tags are set.
For combination details, see Threat Exposure Risk.
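The following is an added example, not PentaTrail's own code: it recomputes the BI Score from the three tag tables and score boundaries above and maps the result to the BI tiers in this section. Three things are assumptions not stated on the page: tags are supplied per axis (the tag name `unknown` exists on every axis, so a flat tag list would be ambiguous), a host carrying several tags on one axis takes the highest value, and an unrecognised tag is an error rather than silently scoring as `unknown`. The host inventory is constructed for the example.

```python
# Added example (not PentaTrail's code): BI Score = purpose + data_classification
# + availability, then tier lookup. Assumptions: tags are given per axis, the
# highest tag on an axis wins, and unknown tag names raise instead of defaulting.

from typing import Dict, Iterable, Tuple

# Tag -> value tables, transcribed from the page.
PURPOSE = {
    "public": 5, "remote_access": 5,
    "restricted": 4, "mail_infra": 4,
    "development": 3, "unknown": 3,
    "internal_only": 2,
    "archived": 1,
}
DATA_CLASSIFICATION = {
    "personal_data": 5, "payment_data": 5, "confidential": 5,
    "public_only": 3, "unknown": 3,
}
AVAILABILITY = {
    "mission_critical": 3, "unknown": 3,
    "business_hours": 2,
    "non_critical": 1,
}
AXES = {
    "purpose": PURPOSE,
    "data_classification": DATA_CLASSIFICATION,
    "availability": AVAILABILITY,
}


def axis_value(axis: str, tags: Iterable[str]) -> int:
    """Value of one axis for a host; no tag on the axis means the 'unknown' value."""
    table = AXES[axis]
    values = []
    for tag in tags:
        if tag not in table:
            # Fail loudly: a mistyped tag must not quietly score as "unknown".
            raise ValueError(f"unrecognised {axis} tag: {tag!r}")
        values.append(table[tag])
    # Assumption: with several tags on one axis, the highest value wins.
    return max(values) if values else table["unknown"]


def bi_score(host_tags: Dict[str, Iterable[str]]) -> int:
    """BI Score as the sum of the three axes (always 5..13)."""
    for axis in host_tags:
        if axis not in AXES:
            raise ValueError(f"unknown axis: {axis!r}")
    score = sum(axis_value(axis, host_tags.get(axis, ())) for axis in AXES)
    assert 5 <= score <= 13, score  # boundaries stated on the page
    return score


def bi_tier(score: int) -> str:
    """Map a BI Score to the tier used for the TER band lookup."""
    if 11 <= score <= 13:
        return "High BI"
    if 6 <= score <= 10:
        return "Mid BI"
    if score == 5:
        return "Low BI"
    raise ValueError(f"BI Score out of range: {score}")


# Constructed sample inventory (hypothetical hosts, not real assets).
SAMPLE_HOSTS = {
    "shop-web-01": {"purpose": ["public"],
                    "data_classification": ["payment_data"],
                    "availability": ["mission_critical"]},
    "hr-portal": {"purpose": ["internal_only"],
                  "data_classification": ["personal_data"],
                  "availability": ["business_hours"]},
    "old-wiki": {"purpose": ["archived"],
                 "data_classification": ["public_only"],
                 "availability": ["non_critical"]},
    "new-scan-target": {},  # discovered by a scan but not yet tagged
}


def score_inventory(hosts=SAMPLE_HOSTS) -> Dict[str, Tuple[int, str]]:
    """Return {host: (score, tier)} for every host in the inventory."""
    result = {}
    for name, tags in hosts.items():
        score = bi_score(tags)
        result[name] = (score, bi_tier(score))
    return result


if __name__ == "__main__":
    for name, (score, tier) in score_inventory().items():
        print(f"{name:18} BI={score:2}  {tier}")
```

Running it scores `shop-web-01` at 13 (High BI), `hr-portal` at 9 (Mid BI), `old-wiki` at 5 (Low BI) and the untagged `new-scan-target` at 9 (Mid BI). The untagged host sharing a tier with the HR portal is exactly the under-scoring the note above describes, which is why the example raises on unrecognised tags instead of treating a typo as `unknown`.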
Setting BI Scores in PentaTrail
In PentaTrail, you can apply purpose / data_classification / availability tags to each host. Tags can be applied with one click from the dashboard, and the BI Score recalculates automatically.
- Dashboard: matrix view of BI Score × TDL
- Alerts: instant notification for high-BI × high-TDL vulnerabilities
- Reports: executive summaries organized by BI Score tier
To try BI Score-based risk management on PentaTrail, Start Your 14-Day Free Trial.