Security ratings play a pivotal role in helping organizations understand their cybersecurity posture and the risks they face. They are typically derived from externally observable data points and do not usually involve intrusive testing such as penetration testing. That outside-in view is also their main limitation: a rating reflects what is visible from the Internet (exposed services, DNS configuration, leaked information and similar signals), not the strength of internal controls.
What is a security risk rating? Here’s a general overview of how security ratings are calculated:
Security rating platforms continuously collect vast amounts of data from various public and proprietary sources. This data can include:
Once data is collected, it’s categorized into different risk factors. Common risk factors include:
Using the collected data, the platform calculates a security score. This involves:
Together, these components answer the question of what a security rating is.
The Evolution of Cybersecurity Ratings and How They Can Boost Risk Visibility
The cybersecurity landscape is dynamic, with new threats emerging daily, so security rating platforms continuously monitor and update their data to keep ratings current. As the underlying risk factors change, an organization's position on the cybersecurity risk rating scale moves with them. Check with each security rating vendor on its cadence for assessments and updates: a vendor whose rating is based on vulnerability scanning will typically update weekly or at the next scheduled assessment, while a vendor that relies heavily on open-source data will update the score whenever it finds new information.
Most platforms provide a way for organizations to dispute or clarify their ratings, especially if they believe there’s an error or if they’ve made significant security improvements.
BitSight, a security ratings provider, formulates its ratings by gathering security information from billions of stored data points and events online, as described on their website. The data encompasses:
This data is applied to a company’s network footprint and then processed through an algorithm that evaluates the data based on severity, frequency, duration, and confidence indicators. The result is an overall rating of an organization’s security performance, measured along a cybersecurity risk rating scale ranging from 250 to 900, with higher scores indicating better cybersecurity performance.
SecurityScorecard evaluates an organization's cybersecurity posture across ten groups of risk factors, including DNS health, IP reputation, web application security, network security, leaked information, hacker chatter, endpoint security, and patching cadence, as described on its website.
It takes into account all of an organization's externally discoverable assets, the issues associated with those assets, and the severity of the threats found in order to determine a score for each organization. Scores are graded on a letter scale from A to F along the cybersecurity risk rating scale.
FortifyData’s cyber risk score, known as the FortifyScore, is a data-driven metric that provides businesses with insights into their cybersecurity risks. The score also adheres to the principles set by the U.S. Chamber of Commerce (as do other security ratings providers) and is based on the NIST Risk Management Framework (RMF). The FortifyScore ranges from 300 to 900 points, with higher scores indicating better security postures.
The FortifyData platform assesses cyber risk exposures across thousands of unique data points, using both qualitative and quantitative risk assessment methodologies. The platform evaluates risks related to:
One of the unique features of FortifyData is its real-time configurability and personalization, allowing clients to adjust the weight of individual cybersecurity risk categories to fit their specific risk assessment needs.
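The scoring steps described above (data categorized into risk factors, findings weighted by severity, frequency, duration and confidence, category weights that a client can adjust, and a result mapped onto a numeric range and a letter grade) are easier to reason about with a concrete model. The following is an added illustration written for this page; it is not BitSight's, SecurityScorecard's or FortifyData's algorithm, and every constant in it (severity weights, the 30-day half-life, the 300 to 900 scale, the grade cut-offs, the sample findings) is an assumption chosen for the example.

```python
"""Toy security-rating model (added illustration; not any vendor's algorithm).

Externally observed findings become per-category scores, the categories are
combined with client-adjustable weights, and the result is mapped onto a
300-900 scale and an A-F letter grade. All weights, the decay half-life, the
scale bounds and the grade cut-offs are assumptions chosen for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed severity weights: how much one finding of each severity counts.
SEVERITY_WEIGHT = {"low": 1.0, "medium": 3.0, "high": 7.0, "critical": 10.0}


@dataclass(frozen=True)
class Finding:
    category: str      # risk factor the finding belongs to, e.g. "patching_cadence"
    severity: str      # one of SEVERITY_WEIGHT's keys
    age_days: int      # how long the issue has been observable (duration)
    confidence: float  # 0..1, how sure the collector is the asset belongs to the org


def finding_penalty(f: Finding, half_life_days: float = 30.0) -> float:
    """Penalty for one finding: severity, amplified by how long it has persisted,
    scaled by attribution confidence.

    duration_factor is 1.0 for a brand-new issue and rises towards 2.0 the
    longer the issue stays open (the remaining gap halves every half_life_days).
    """
    if f.severity not in SEVERITY_WEIGHT:
        raise ValueError(f"unknown severity: {f.severity}")
    duration_factor = 2.0 - 0.5 ** (f.age_days / half_life_days)
    confidence = min(1.0, max(0.0, f.confidence))
    return SEVERITY_WEIGHT[f.severity] * duration_factor * confidence


def category_score(findings: Iterable[Finding], asset_count: int,
                   max_penalty_per_asset: float = 10.0) -> float:
    """Score one risk category on 0..100.

    Penalties are summed and normalised by the number of discovered assets, so
    five exposed hosts out of 500 hurt less than five out of 10 (frequency).
    """
    if asset_count <= 0:
        raise ValueError("asset_count must be positive")
    total = sum(finding_penalty(f) for f in findings)
    fraction = total / (asset_count * max_penalty_per_asset)
    return 100.0 * max(0.0, 1.0 - fraction)


def overall_score(findings: List[Finding], asset_count: int,
                  weights: Dict[str, float], lo: int = 300, hi: int = 900) -> int:
    """Weighted average of category scores, mapped onto the lo..hi scale.

    `weights` is the client-configurable part: every category must have a
    weight, and a category with no findings scores a clean 100.
    """
    by_category: Dict[str, List[Finding]] = {c: [] for c in weights}
    for f in findings:
        if f.category not in by_category:
            raise ValueError(f"finding in unweighted category: {f.category}")
        by_category[f.category].append(f)
    total_weight = sum(weights.values())
    weighted = sum(w * category_score(by_category[c], asset_count)
                   for c, w in weights.items()) / total_weight
    return round(lo + (hi - lo) * weighted / 100.0)


def letter_grade(score: int, lo: int = 300, hi: int = 900) -> str:
    """Map a numeric score onto A-F using assumed cut-offs at 90/80/70/60 percent."""
    pct = 100.0 * (score - lo) / (hi - lo)
    for cutoff, grade in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if pct >= cutoff:
            return grade
    return "F"


# Constructed sample input for a fictional organisation with 10 discovered assets.
SAMPLE_FINDINGS = [
    Finding("patching_cadence", "critical", age_days=0, confidence=1.0),   # penalty 10.0
    Finding("patching_cadence", "high", age_days=30, confidence=0.5),      # 7 * 1.5 * 0.5 = 5.25
    Finding("network_security", "medium", age_days=60, confidence=1.0),    # 3 * 1.75 * 1.0 = 5.25
]
SAMPLE_ASSETS = 10
DEFAULT_WEIGHTS = {"patching_cadence": 3.0, "dns_health": 1.0, "network_security": 2.0}
# A client that cares mostly about patching can re-weight the same findings.
PATCHING_HEAVY_WEIGHTS = {"patching_cadence": 10.0, "dns_health": 1.0, "network_security": 1.0}


if __name__ == "__main__":
    for name, w in (("default", DEFAULT_WEIGHTS), ("patching-heavy", PATCHING_HEAVY_WEIGHTS)):
        s = overall_score(SAMPLE_FINDINGS, SAMPLE_ASSETS, w)
        print(f"{name:15s} score={s} grade={letter_grade(s)}")
```

Running the two weightings against the same three findings shows why the weights matter: the default weighting yields 844 (an A), while the patching-heavy weighting yields 821 (a B) from identical observations. When comparing vendors or reading a third party's score, ask for the category weights and the duration and confidence treatment, because they move the grade as much as the findings do.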
Security ratings are invaluable tools for organizations to understand and manage their cybersecurity risks. Different platforms have their own methodologies and data points, but the goal is the same: to provide an objective, comprehensive view of an organization's cybersecurity health. Whether you are a CISO, a security manager, or a business leader, understanding how these ratings are formulated helps you make informed decisions about your organization's cybersecurity strategy.