# Risk factors

## Purpose

- Define the factor catalog and normalization rules for risk scoring.

## Factor catalog (examples)

- CVSS or exploit likelihood: numeric score (CVSS on 0-10) normalized to 0-1.
- KEV flag: boolean boost with provenance.
- Reachability: numeric with entrypoint and path provenance.
- Runtime facts: categorical or numeric with trace references.
- Fix availability: vendor status and mitigation context.
- Asset criticality: tenant or service criticality signals.
- Provenance trust: categorical trust tier with attestation hash.
- Custom overrides: scoped, expiring, and auditable.

## Normalization rules

- Validate each factor against the profile's declared signal types and transforms; reject a factor whose type is not declared or whose value has the wrong type.
- Clamp numeric inputs to 0-1 and record the original value in provenance.
- Apply TTL or decay deterministically (a function of observation time and TTL only); drop expired signals rather than scoring them.
- Precedence when sources collide on the same factor: signed over unsigned, runtime over static, newer over older.

## Determinism and ordering

- Sort factors by factor type, source, then timestamp.
- Hash fixtures and record the SHA256 in docs/risk/samples/factors/.

## Related references

- risk/overview.md
- risk/formulas.md
- risk/profiles.md
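The normalization, precedence and ordering rules above, carried through in code. This is an added example, not the project's own implementation: the `PROFILE` table, the `Factor` fields, the `static`/`runtime` source-kind labels and the sample factors are all assumptions constructed for illustration. Precedence is applied as a lexicographic tuple in the order the rules list it (signed, then runtime, then newer), which is one reading of that rule; the fixture hash is SHA256 over canonical JSON so that input order cannot change it.

```python
# Added example, not the project's code. PROFILE, Factor and the sample
# inputs below are assumptions constructed for illustration.
import hashlib
import json
from dataclasses import dataclass, field, asdict
from typing import Optional

# Hypothetical profile: declared signal type, scale to map onto 0-1,
# TTL in seconds (None = never expires) and decay mode.
PROFILE = {
    "cvss":         {"type": "numeric", "scale": 10.0, "ttl": 30 * 86400, "decay": "none"},
    "kev":          {"type": "boolean", "scale": 1.0,  "ttl": None,       "decay": "none"},
    "reachability": {"type": "numeric", "scale": 1.0,  "ttl": 7 * 86400,  "decay": "linear"},
}
SOURCE_KIND_RANK = {"static": 0, "runtime": 1}


@dataclass
class Factor:
    factor_type: str
    source: str        # producer name (constructed), e.g. "nvd" or "tracer"
    source_kind: str   # "static" or "runtime"
    value: object
    timestamp: int     # unix seconds at observation
    signed: bool = False
    provenance: dict = field(default_factory=dict)


def normalize(f: Factor, now: int) -> Optional[Factor]:
    """Validate against PROFILE, clamp to 0-1 while recording the original
    value, apply TTL/decay; return None when the signal has expired."""
    spec = PROFILE.get(f.factor_type)
    if spec is None:
        raise ValueError(f"unknown factor type {f.factor_type!r}")
    age = now - f.timestamp
    ttl = spec["ttl"]
    if ttl is not None and age > ttl:
        return None                       # expired: dropped, never partially scored
    prov = dict(f.provenance, original_value=f.value, age_seconds=age)
    if spec["type"] == "numeric":
        # bool is a subclass of int, so exclude it explicitly
        if isinstance(f.value, bool) or not isinstance(f.value, (int, float)):
            raise ValueError(f"{f.factor_type}: expected numeric value")
        raw = float(f.value) / spec["scale"]
        v = min(1.0, max(0.0, raw))
        if v != raw:
            prov["clamped"] = True        # out-of-range input is visible in provenance
    elif spec["type"] == "boolean":
        if not isinstance(f.value, bool):
            raise ValueError(f"{f.factor_type}: expected boolean value")
        v = 1.0 if f.value else 0.0
    else:
        raise ValueError(f"{f.factor_type}: unsupported signal type {spec['type']!r}")
    if spec["decay"] == "linear" and ttl:
        v *= 1.0 - age / ttl              # deterministic: depends only on age and TTL
    return Factor(f.factor_type, f.source, f.source_kind, v, f.timestamp, f.signed, prov)


def precedence_key(f: Factor):
    """Higher tuple wins on collision: signed > unsigned, runtime > static, newer > older."""
    return (int(f.signed), SOURCE_KIND_RANK[f.source_kind], f.timestamp)


def resolve(factors, now: int) -> list:
    """Normalize every factor, keep one winner per factor type, and return
    the winners in canonical order (factor type, source, timestamp)."""
    best = {}
    for f in factors:
        n = normalize(f, now)
        if n is None:
            continue
        cur = best.get(n.factor_type)
        if cur is None or precedence_key(n) > precedence_key(cur):
            best[n.factor_type] = n
    return sorted(best.values(), key=lambda x: (x.factor_type, x.source, x.timestamp))


def fixture_hash(factors) -> str:
    """SHA256 over canonical JSON (sorted keys, fixed separators) of the
    resolved list, so a fixture hashes identically whatever the input order."""
    canon = json.dumps([asdict(x) for x in factors], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


# Constructed sample input, not real feed data.
NOW = 1_700_000_000
SAMPLE = [
    Factor("cvss", "nvd", "static", 9.8, NOW - 86400, signed=True),
    Factor("cvss", "vendor-feed", "static", 12.0, NOW - 3600),             # newer but unsigned; out of range
    Factor("kev", "cisa-kev", "static", True, NOW - 2 * 86400, signed=True),
    Factor("reachability", "tracer", "runtime", 0.8, NOW - 302400),        # 3.5 days old: half decayed
    Factor("reachability", "sast", "static", 1.0, NOW - 10 * 86400, signed=True),  # past 7-day TTL
]

if __name__ == "__main__":
    resolved = resolve(SAMPLE, NOW)
    for x in resolved:
        print(f"{x.factor_type:13} {x.source:12} {x.value:.3f} {x.provenance}")
    print("fixture sha256:", fixture_hash(resolved))
```

Running it shows the unsigned `vendor-feed` CVSS losing to the older signed `nvd` value even though it is newer, the expired `sast` reachability dropped before precedence is ever compared, and the out-of-range `12.0` surviving only as `original_value` plus a `clamped` marker in provenance.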