How Are Security Ratings Created

Security ratings play a pivotal role in helping organizations understand their cybersecurity posture and the potential risks they face. Security ratings are typically derived from a variety of external data points and do not usually involve intrusive testing like penetration testing.  

What is a security risk rating? Here’s a general overview of how security ratings are calculated: 

Data Collection

Security rating platforms continuously collect vast amounts of data from various public and proprietary sources. This data can include: 

  • Breach data: Information about past security breaches involving the organization. 
  • Domain Name System (DNS) records: Details about an organization’s online domains. 
  • Threat intelligence feeds: Information about current threats and vulnerabilities. 
  • Dark web data: Information available in underground forums, which might include stolen credentials or data related to the organization. 
  • Malware data: Information about malware infections associated with the organization. 
  • External Network infrastructure and application data: Details about servers, IP addresses, and other network-related information. 

Risk Factor Analysis

Once data is collected, it’s categorized into different risk factors. Common risk factors include: 

  • Network security: Evaluates the security of an organization’s public-facing assets. 
  • Endpoint security: Assesses the security of devices that connect to the organization’s network. 
  • Patch cadence: Looks at how quickly an organization patches its software vulnerabilities. 
  • Reputation: Considers past breaches or security incidents. 
  • Email Security: Validates if DMARC, DKIM and/or SPF records exist, this will reduce the likelihood a business email can be spoofed or used nefariously 
  • User behavior: Assesses potential risky behaviors, like the use of weak passwords. 
  • IP reputation: Evaluates if the organization’s IP addresses are involved in malicious activities. 

Score Calculation

Using the collected data, the platform calculates a security score. This involves: 

  • Weighted analysis: Not all risk factors have the same impact. For instance, a recent data breach might be weighted more heavily than a minor misconfiguration. 
  • Historical analysis: Some platforms consider the organization’s security history, rewarding improvements over time or penalizing repeated mistakes. 
  • Industry comparison: The organization’s score might be compared to industry benchmarks or peers. 


These components help answer the question what is a security rating? 


Read the Whitepaper

The Evolution of Cybersecurity Ratings and How They Can Boost Risk Visibility

Continuous Monitoring and Updates

The cybersecurity landscape is dynamic, with new threats emerging daily. As such, security rating platforms continuously monitor and update their data, ensuring that the ratings remain current. The factors used to calculate the risk of the factors will update the security rating along the cybersecurity risk rating scale. You’ll need to check with each security rating vendor on their cadence of conducting assessments and updates. Some vendors with a vulnerability scanning based security rating will likely update weekly or next assessment. Other vendors that heavily rely on opensource data will update their score when they find new information

Feedback and Dispute Mechanisms

Most platforms provide a way for organizations to dispute or clarify their ratings, especially if they believe there’s an error or if they’ve made significant security improvements. 

How Are BitSight Scores Calculated?

BitSight, a security ratings provider, formulates its ratings by gathering security information from billions of stored data points and events online, as described on their website. The data encompasses: 

  • Indicators of compromise 
  • Infected machines 
  • Configuration of cybersecurity controls 
  • Cyber hygiene practices 
  • Potentially harmful user behaviors 


This data is applied to a company’s network footprint and then processed through an algorithm that evaluates the data based on severity, frequency, duration, and confidence indicators. The result is an overall rating of an organization’s security performance, measured along a cybersecurity risk rating scale ranging from 250 to 900, with higher scores indicating better cybersecurity performance. 

How are SecurityScorecard Ratings calculated?

SecurityScorecard evaluates an organization’s cybersecurity posture across across ten groups of risk factors, including DNS health, IP reputation, web application security, network security, leaked information, hacker chatter, endpoint security, and patching cadence, as described on their website. 

They take into account all the external-facing discoverable assets of an organization, the issues associated with those assets, and the severity of the threats that were found in order to determine a score for each organization. The scores are graded and measured along a cybersecurity risk rating scale on an alpha scale of A-F.

How are FortifyData Ratings calculated?

FortifyData’s cyber risk score, known as the FortifyScore, is a data-driven metric that provides businesses with insights into their cybersecurity risks. The score also adheres to the principles set by the U.S. Chamber of Commerce (as do other security ratings providers) and is based on the NIST Risk Management Framework (RMF). The FortifyScore ranges from 300 to 900 points, with higher scores indicating better security postures. 

The FortifyData platform assesses cyber risk exposures across thousands of unique data points, using both qualitative and quantitative risk assessment methodologies. The platform evaluates risks related to: 

  • Critical Infrastructure Issues 
  • Dark Web Exposure 
  • External and Internal Network Risks 
  • Web Application Risks 
  • Patching Cadence 
  • Cloud Security Risks 
  • Malware Presence 
  • Historical Data Breaches 
  • Third Party Risk 


One of the unique features of FortifyData is its real-time configurability and personalization, allowing clients to adjust the weight of individual cybersecurity risk categories to fit their specific risk assessment needs. 

Check this out for a deeper dive answer to the question, What is a Security Rating? 

Security ratings are invaluable tools for organizations to understand and manage their cybersecurity risks. Different platforms have their methodologies and data points, but the goal remains the same: to provide an objective, comprehensive view of an organization’s cybersecurity health. Whether you’re a CISO, a security manager, or a business leader, understanding how these ratings are formulated can help you make informed decisions about your organization’s cybersecurity strategy. 

Related Resources