Risk scoring: include threat intelligence, SLA aging, exposure context, and accepted-risk governance factors #51

@FrodeHus

Description

Goal

Align the executive risk score with the proposed model: vulnerability severity, exploit likelihood, asset criticality, exposure level, business impact, SLA/aging, control weakness, compensating controls, and accepted-risk state.

Current state

  • RiskScoreService calculates asset/software/device-group/team/tenant scores and stores transparent factor JSON.
  • ThreatAssessment contains EPSS/KEV/exploit/ransomware signals, but risk scoring appears primarily driven by environmental CVSS/open exposure rollups and remediation adjustments.
  • Comments in RiskScoreService treat risk acceptance as visibility-only rather than a governance modifier.

Scope

  • Add explicit scoring factors for threat intelligence (KnownExploited, EPSS, public exploit, ransomware/malware association), SLA breach/age, exposure context, and business criticality/service impact.
  • Decide how approved risk acceptance and alternate mitigation affect score versus executive visibility.
  • Keep factor output auditable and explainable.
  • Version the scoring formula.

Acceptance criteria

  • Score factor JSON shows the contribution of threat intelligence and SLA/aging where applicable.
  • Accepted risk is either reflected as residual/accepted risk or explicitly preserved as full exposure with separate governance classification.
  • Formula changes are covered by focused RiskScoreService tests.
  • Existing remediation adjustment behavior remains intentional and documented.
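As an added illustration of the factor-based, versioned and explainable score this issue asks for (not RiskScoreService code; the project's language is unknown, so Python is used here), the block below folds threat intelligence, SLA aging, exposure, criticality, compensating controls and accepted-risk state into a transparent factor breakdown. All weights, caps, the residual discount and the field names are constructed assumptions.

```python
from dataclasses import dataclass
import json

FORMULA_VERSION = "example-v1"  # constructed; every score carries the formula version it was built with

@dataclass
class Finding:  # constructed input shape, not the project's model
    cvss: float               # environmental CVSS, 0..10
    epss: float               # EPSS probability, 0..1
    known_exploited: bool     # listed in KEV
    public_exploit: bool
    ransomware: bool          # ransomware/malware association
    days_open: int
    sla_days: int
    internet_exposed: bool
    asset_criticality: int    # 1..5 business criticality
    compensating_control: bool
    accepted_risk: bool       # approved risk acceptance

def score(f: Finding) -> dict:
    """Return an explainable factor breakdown; weights are constructed and sum to at most 100."""
    factors = {"severity": f.cvss * 4.0}                    # up to 40
    # Threat intelligence is additive but capped so one signal cannot dominate.
    ti = f.epss * 20 + (15 if f.known_exploited else 0)
    ti += (5 if f.public_exploit else 0) + (10 if f.ransomware else 0)
    factors["threat_intel"] = min(ti, 30.0)
    # SLA aging: penalty grows with how far past the SLA the finding is.
    overdue = max(0, f.days_open - f.sla_days)
    factors["sla_aging"] = min(overdue / max(f.sla_days, 1) * 10, 10.0)
    factors["exposure"] = 10.0 if f.internet_exposed else 2.0
    factors["asset_criticality"] = f.asset_criticality * 2.0  # up to 10
    raw = sum(factors.values())
    # Compensating controls reduce the score, and the reduction is itself a visible factor.
    factors["compensating_control"] = -0.25 * raw if f.compensating_control else 0.0
    full = max(0.0, raw + factors["compensating_control"])
    # Accepted risk: keep full exposure for executives, classify it, and report a residual view.
    governance = "accepted" if f.accepted_risk else "open"
    residual = full * 0.5 if f.accepted_risk else full
    return {
        "formula_version": FORMULA_VERSION,
        "factors": {k: round(v, 2) for k, v in factors.items()},
        "score": round(full, 2),
        "residual_score": round(residual, 2),
        "governance": governance,
    }

def to_json(f: Finding) -> str:
    return json.dumps(score(f), indent=2)
```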
