Risk Scoring
Slim.io computes risk scores at multiple levels — individual findings, files, connectors, and workspaces — to help security teams prioritize remediation efforts. Scores range from 0 (no risk) to 100 (critical risk).
Scoring Algorithm
The risk score is computed from four weighted factors:
1. Sensitivity Weight (40%)
Each PII category carries a base sensitivity weight:
| Category | Weight | Rationale |
|---|---|---|
| SSN, Passport, National ID | 1.0 | Highest-value personal identifiers |
| Credit Card, Bank Account | 0.9 | Financial data with direct fraud risk |
| Health Records (PHI) | 0.9 | Regulated under HIPAA |
| API Keys, Passwords | 0.85 | Authentication credentials |
| Driver’s License | 0.8 | Government-issued identity |
| Phone Number, Email | 0.5 | Contact information, moderate risk |
| Physical Address | 0.4 | Location data, lower risk in isolation |
| Name | 0.3 | Common data, low risk in isolation |
2. Volume Factor (25%)
The number of findings affects the score logarithmically:
```
volume_score = min(1.0, log10(finding_count + 1) / 4)
```
This means:
- 1 finding = 0.075
- 10 findings = 0.25
- 100 findings = 0.50
- 1,000 findings = 0.75
- 10,000+ findings = 1.00
3. Exposure Level (20%)
How accessible the data is affects risk. Exposure levels are automatically computed by analyzing the native access controls on each cloud resource — bucket ACLs, IAM bindings, sharing permissions, role grants, and more. See Exposure Intelligence for full details on how each connector’s access controls are evaluated.
| Exposure | Score | Description |
|---|---|---|
| Public | 1.0 | Anyone on the internet can access the resource |
| Shared | 0.7 | Accessible beyond the owner (cross-account, external sharing) |
| Internal | 0.4 | Accessible within the organization only |
| Private | 0.1 | Single owner or service account only |
Access Intelligence — Exposure scoring now factors in who is actually accessing the resource, not just who can access it. Resources that are both publicly exposed AND actively accessed by external parties receive elevated risk scores compared to public resources with no recent access activity. This helps you prioritize the exposures that represent real, active risk.
4. Policy Coverage (15%)
Whether governance policies cover the findings:
| Coverage | Score |
|---|---|
| No policies | 1.0 |
| Dry-run only | 0.7 |
| Enforced (alert only) | 0.4 |
| Enforced (remediation) | 0.1 |
Files covered by enforced remediation policies (tokenize, mask, quarantine) receive significantly lower risk scores because the data exposure is actively being managed.
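The following is an added worked example of the four-factor formula described above; it is not Slim.io's own code. The weights and table values are taken from this page, but one thing the page leaves open is assumed here: the score is computed for the group of findings of one PII category on one resource, so `finding_count` is the number of findings of that category there. The function names (`volume_score`, `risk_score`) and the short category keys are this example's own.

```python
import math

# Base sensitivity weights, copied from the category table above.
SENSITIVITY = {
    "ssn": 1.0, "passport": 1.0, "national_id": 1.0,
    "credit_card": 0.9, "bank_account": 0.9,
    "phi": 0.9,
    "api_key": 0.85, "password": 0.85,
    "drivers_license": 0.8,
    "phone": 0.5, "email": 0.5,
    "address": 0.4,
    "name": 0.3,
}

# Exposure and policy-coverage scores, copied from the tables above.
EXPOSURE = {"public": 1.0, "shared": 0.7, "internal": 0.4, "private": 0.1}
COVERAGE = {"none": 1.0, "dry_run": 0.7, "alert": 0.4, "remediation": 0.1}

# Factor weights (40/25/20/15) from the Scoring Algorithm section.
W_SENSITIVITY, W_VOLUME, W_EXPOSURE, W_COVERAGE = 0.40, 0.25, 0.20, 0.15


def volume_score(finding_count: int) -> float:
    """Logarithmic volume factor: min(1.0, log10(n + 1) / 4)."""
    if finding_count < 0:
        raise ValueError("finding_count must be non-negative")
    return min(1.0, math.log10(finding_count + 1) / 4)


def risk_score(category: str, finding_count: int, exposure: str, coverage: str) -> dict:
    """Combine the four weighted factors into a 0-100 score.

    Returns the per-factor breakdown as well, like the API response described
    later on this page. Assumption (not stated on the page): finding_count is
    the number of findings of this category on the resource being scored.
    """
    factors = {
        "sensitivity": SENSITIVITY[category],
        "volume": volume_score(finding_count),
        "exposure": EXPOSURE[exposure],
        "policy_coverage": COVERAGE[coverage],
    }
    weighted = (
        W_SENSITIVITY * factors["sensitivity"]
        + W_VOLUME * factors["volume"]
        + W_EXPOSURE * factors["exposure"]
        + W_COVERAGE * factors["policy_coverage"]
    )
    return {"score": round(100 * weighted, 1), "factors": factors}


if __name__ == "__main__":
    # Constructed scenario: 100 SSNs in a public bucket with no policies (87.5),
    # then the same data once an enforced remediation policy covers it (74.0).
    print(risk_score("ssn", 100, "public", "none"))
    print(risk_score("ssn", 100, "public", "remediation"))
```

The two calls in the `__main__` block show the effect the paragraph above describes: moving the same public SSN data from "no policies" to "enforced (remediation)" drops the score from 87.5 to 74.0, i.e. from the Critical band to the High band, without changing the data or its exposure.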
Score Aggregation
File-Level Score
A file’s risk score is the weighted average of its findings’ individual scores, with a boost for diversity (multiple PII categories in the same file increase risk).
Connector-Level Score
A connector’s risk score is computed from:
- P90 of file-level scores (the 90th percentile, not the average, to surface worst cases)
- Total finding count across all files
- Percentage of files with any findings
Workspace-Level Score
The workspace risk score is the maximum of its connector-level scores, reflecting the principle that risk posture is defined by the weakest link.
Severity Levels
Risk scores map to severity levels for dashboard display and policy conditions:
| Score Range | Severity | Dashboard Color | Recommended Action |
|---|---|---|---|
| 0–25 | Low | Green | Monitor, no immediate action |
| 26–50 | Medium | Yellow | Review findings, consider policies |
| 51–75 | High | Orange | Prioritize remediation |
| 76–100 | Critical | Red | Immediate action required |
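As an added example (not Slim.io's own code), the following implements the three aggregation levels from the Score Aggregation section and the severity mapping from the table above, run over a constructed dataset. The page fixes the structure but not every formula, so three details are assumptions: the file-level average is weighted by finding count, the diversity boost is 5% per additional distinct PII category (capped at 100), and the connector-level score combines its three inputs with a 70/15/15 weighting. All function names are this example's own.

```python
import math

# Severity bands from the Severity Levels table (upper bound inclusive).
SEVERITY_BANDS = [(25, "Low"), (50, "Medium"), (75, "High"), (100, "Critical")]


def severity(score: float) -> str:
    """Map a 0-100 risk score to its severity label."""
    for upper, label in SEVERITY_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score out of range: {score}")


def file_score(findings: list[tuple[str, int, float]]) -> float:
    """File-level score: weighted average of finding scores plus a diversity boost.

    findings is a list of (category, count, score) tuples. Assumptions not fixed
    by the page: the average is weighted by finding count, and each additional
    distinct PII category adds 5% to the result, capped at 100.
    """
    if not findings:
        return 0.0
    total = sum(count for _, count, _ in findings)
    avg = sum(count * score for _, count, score in findings) / total
    distinct = len({category for category, _, _ in findings})
    return min(100.0, avg * (1 + 0.05 * (distinct - 1)))


def percentile(values: list[float], pct: int) -> float:
    """Nearest-rank percentile (P90 => pct=90); deterministic, no numpy needed."""
    ordered = sorted(values)
    rank = math.ceil(pct * len(ordered) / 100)
    return ordered[max(0, rank - 1)]


def connector_score(file_scores: list[float], findings_per_file: list[int]) -> float:
    """Connector-level score from P90 of file scores, total findings and affected-file ratio.

    The page names these three inputs but not how they are combined; the
    70/15/15 weighting below is an assumption for illustration. P90 is used
    instead of the mean so a few bad files are not hidden by many clean ones.
    """
    if not file_scores:
        return 0.0
    p90 = percentile(file_scores, 90)
    total = sum(findings_per_file)
    volume = min(1.0, math.log10(total + 1) / 4)  # same curve as the volume factor
    affected = sum(1 for n in findings_per_file if n > 0) / len(findings_per_file)
    return round(0.70 * p90 + 0.15 * 100 * volume + 0.15 * 100 * affected, 1)


def workspace_score(connector_scores: list[float]) -> float:
    """Workspace-level score: the maximum connector score (weakest link)."""
    return max(connector_scores, default=0.0)


if __name__ == "__main__":
    # Constructed dataset: two connectors, each a list of files, each file a list
    # of (category, count, finding_score) tuples. Finding scores are illustrative.
    connectors = {
        "s3-prod": [
            [("ssn", 100, 87.5), ("email", 40, 55.0)],   # mixed PII, public bucket
            [("name", 5, 20.0)],
            [], [],                                      # clean files
        ],
        "gdrive-hr": [[("phi", 12, 62.0)], [], [], [], []],
    }
    per_connector = {}
    for name, files in connectors.items():
        scores = [file_score(f) for f in files]
        counts = [sum(c for _, c, _ in f) for f in files]
        per_connector[name] = connector_score(scores, counts)
        print(f"{name}: {per_connector[name]} ({severity(per_connector[name])})")
    ws = workspace_score(list(per_connector.values()))
    print(f"workspace: {ws} ({severity(ws)})")
```

Note that the clean files still count: the affected-file ratio in `connector_score` rewards connectors where findings are confined to a few files, while the P90 ensures the worst file still dominates.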
Score Recalculation
Risk scores are recalculated:
- After every scan completion
- When policies are created, modified, or deleted
- When findings are accepted or suppressed
- When connector exposure levels change (detected via drift)
Recalculation is asynchronous and typically completes within seconds of the triggering event.
Using Risk Scores
In Policies
Reference risk scores in policy conditions to create risk-based automation:
```yaml
spec:
  conditions:
    - risk_score_min: 75
  actions:
    - type: quarantine
    - type: alert
      config:
        severity: critical
```
In Reporting
The Executive Scorecard aggregates risk scores into trend visualizations, enabling security leadership to track posture improvement over time.
Via API
```http
GET /api/v1/governance/risk-scores?level=connector
Authorization: Bearer $TOKEN
```
Returns risk scores for all connectors with a breakdown by scoring factor.