To get to this page: Go to Setup > Security Risk.
This security risk configuration determines how security risk is calculated in Auto scan reports, which are based on current host/vulnerability data. This configuration does not affect Manual scan reports or scan results. The security risk calculation includes vulnerabilities and potential vulnerabilities (information gathered are not included).
Your options are:
Average severity level detected (vulnerabilities and potential vulnerabilities). When selected, security risk for each host in the report is the average severity level detected across all vulnerabilities and potential vulnerabilities on the host. For example, let's say the host has three severity 2 vulnerabilities, one severity 1 vulnerability and one severity 5 potential vulnerability. To get the security risk value, add 2+2+2+1+5 and divide by 5. The security risk for the host is 2.4.
Highest severity level detected (vulnerabilities and potential vulnerabilities). When selected, security risk for each host in the report is the highest severity level detected across all vulnerabilities and potential vulnerabilities on the host. For example, if the highest severity level detected on the host is severity level 4 (whether confirmed or potential), then the security risk for the host is 4.
Select the check box "Do not include hosts with zero risk in calculation" if you do not want to include hosts with no vulnerabilities found in the security risk calculation.
See Security Risk in Scan Reports for more information.