Security Rating Scale

A security rating scale is the range on which a measurement of an organization’s cybersecurity risk posture is expressed.

Security rating scales vary in type and range from one security rating vendor to another. The goal of a security rating is to provide a quantifiable metric that communicates an organization’s or third party’s exposure to cyber threats, the effectiveness of its security controls, and how its cyber risk posture changes over time. Security rating calculations typically start from the external security posture of an organization: passive assessment and data collection about the company’s assets and internet presence, supplemented by active assessments.

A security rating scale may be expressed as numeric values (like a credit score) or as letter grades, with higher scores or grades indicating better cybersecurity practices and therefore lower cyber risk. The purpose of these scales is to provide a clear, objective, and consistent way to evaluate an organization’s enterprise cyber risk or a vendor’s cyber risk, to compare the cybersecurity health of different entities, to monitor how their ratings trend over time, and to compare them against industry benchmarks.

A “good” security rating sits near the top of its scale: roughly 650-900 on a credit-score-style scale, 90-100 or 900-1,000 on other numeric scales, and A or B on letter scales. Each security rating provider may use a different scale or offer both, but they all share the same intent: the higher the rating, the lower the risk in the organization’s security posture.

If you still have questions about what a security rating is, see our resource on that topic.

FortifyData’s Security Rating Scale

FortifyData’s standard security rating scale is similar to a credit score. The scale ranges from 350 to 900; each band is explained below.

FortifyData enables clients to reflect their business context and cyber risk in the security rating. Clients can classify identified assets by operational criticality (including the types of data held on each device) and respond to identified risks by recording the compensating control(s) in place, which lowers the assessed likelihood of a threat materializing. The published security rating then represents risk in the client’s own context rather than raw finding counts alone.

FortifyData also lets clients create additional, configurable security rating risk models that produce ratings tailored to their own cyber risk appetite and threat profile. Factor weightings can be adjusted to tune the risk representation further, since a one-size-fits-all model rarely works well.

Security Rating Scale Ranges

Very Low Risk: 751-900 

Indicates that critical cyber risks are unlikely to be present in the company’s external-facing resources, reflecting proven, consistent maintenance of its security processes. Identified low-risk vulnerabilities may not pose immediate threats, but can eventually lead to significant breaches if they are not addressed within a reasonable time. Continuous monitoring of your threat landscape is important to identify changes that may affect the score.

Low Risk: 676-750 

Indicates a small number of significant cyber risks in the company’s external-facing resources, demonstrating that security measures are in place. Identified low risks may not pose immediate threats, but can eventually grow into significant risks if they are not addressed within a reasonable time. Continuous monitoring of the threat landscape is important to identify changes that may affect the score.

Moderate Risk: 601-675 

Indicates an elevated level of cyber risk in the company’s resources. The business has been found to have major system and/or application vulnerabilities that could lead to a data breach or unauthorized access to information systems. Continuous monitoring of the company’s threat landscape is important to identify changes that may affect its risk score. The potential business impact includes long-term loss of public confidence, embarrassment, monetary loss and legal action against the organization.

High Risk: 526-600 

Indicates that a significant number of cyber risks have been identified in the company’s resources and/or that assets have been compromised. The business has been found to have critical system vulnerabilities that could lead to a data breach or unauthorized access to information systems. Continuous monitoring of the company’s threat landscape is important to identify any changes that may affect its cyber risk score. The business may also be recovering from a recent data or system breach, with resulting long-term loss of public confidence, embarrassment, monetary loss and legal action against the organization.

Critical Risk: 350-525 

This level indicates a large number of cybersecurity risks currently present in the company’s resources and/or compromised assets. The business may have experienced a data breach or unauthorized access to information systems through intentional or accidental acts, and may be experiencing current and/or long-term loss of public confidence, embarrassment, monetary loss and legal action against the organization.

Security Rating Scale Factors and Weightings

Each security rating vendor evaluates specific factors and assigns weightings that determine how those factors affect the scale and the resulting security rating.

Cybersecurity ratings scales consider a wide range of factors that contribute to an entity’s security posture. These factors may include software vulnerabilities, patch management practices, network architecture, historical breach data, and more. 

Factors are weighted by their relative importance. For example, a history of data breaches may carry more weight than the number of open ports on a server. Weighting the criteria produces a more accurate representation of an entity’s overall security posture.

FortifyData has made its security rating methodology publicly available, detailing the specific cyber risk and vulnerability factors that go into the rating and their weightings. FortifyData is the only security rating provider with a patent pending on configurable security rating risk models, which let clients create additional rating models in which they define how much each factor affects the rating.

Other security rating scales by vendor

FortifyData: 350-900 

BitSight: 250-900 

BlackKite: A-F 

Panorays: 0-100 

RiskRecon: A-F and 0-10 

SecurityScorecard: A-F 

Upguard: 0-950 and A-F 

Differences between alpha and numeric security rating scale

Granularity and Precision: When it comes to offering a detailed view, the scales differ significantly.  

  • Alpha scales: they give a broad overview that anyone familiar with letter grades from school recognizes instantly, but they may lack the granularity some organizations need. The difference between a B and a C may span a wide range of cybersecurity practices. They suit communication with business stakeholders who do not need granular detail.
  • Numeric scales: these shine at granularity. With a wide range, they capture small improvements or declines in cybersecurity health and give a more detailed view of an organization’s posture. They are usually preferred by cybersecurity professionals and analysts who need to know which specific asset(s) or vulnerabilities (e.g., CVEs) affected the rating.

Security rating scale with FortifyData methodology

FortifyData is a continuous threat exposure management platform that produces a security rating as the output of broader cyber risk management assessments.

The FortifyData security rating is based on weekly, direct and comprehensive but non-intrusive assessments of external IT assets whose ownership is confirmed with the client.

Unlike other security ratings, FortifyData lets clients contextualize identified assets by business impact and adjust the likelihood of risk scenarios (for example, by recording compensating controls), producing a contextualized security rating. The same approach is used for enterprise risk management and third-party risk management.

Additionally, FortifyData offers the option to conduct internal risk assessments and include them in the security rating, so the rating reflects both external and internal information. FortifyData has made its security rating methodology publicly available and is the only security rating provider with a patent pending on configurable security rating risk models.

Based on all of the findings from these assessments, FortifyData produces a security rating that falls on the security rating scale and can be tracked over time.

How security ratings scales can help with remediation planning

FortifyData, like some other security rating vendors, can simulate where your security rating will land after planned remediation. FortifyData’s Score Simulator feature lets you select specific vulnerabilities and risks and see how the rating changes if you mitigate or remediate them, and where on the scale the resulting rating falls. You can simulate several remediation plans and pick the one that gives your team the best return on effort.
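The mechanics described in this section and in the factor-weighting and contextualization passages above, as an added illustration written for this page and not FortifyData’s published methodology or code: a toy scoring model with configurable factor weights, asset criticality multipliers, compensating-control likelihood adjustments, and a remediation simulator that ranks candidate plans. Only the 350-900 range and the five bands come from the page; the severity points, criticality multipliers, factor weights, asset names and findings are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Set

# Scale range and bands from the page (bounds inclusive).
SCALE_MIN, SCALE_MAX = 350, 900
BANDS = [
    (751, 900, "Very Low Risk"),
    (676, 750, "Low Risk"),
    (601, 675, "Moderate Risk"),
    (526, 600, "High Risk"),
    (350, 525, "Critical Risk"),
]

# Assumed, illustrative values (not FortifyData's published weightings).
SEVERITY_POINTS = {"critical": 80, "high": 40, "medium": 16, "low": 4}
CRITICALITY_MULT = {"high": 1.5, "medium": 1.0, "low": 0.5}


@dataclass(frozen=True)
class Finding:
    id: str
    asset: str
    factor: str              # e.g. "vulnerability", "exposure", "breach_history"
    severity: str            # key of SEVERITY_POINTS
    likelihood: float = 1.0  # 1.0 = no compensating control recorded


@dataclass
class RiskModel:
    name: str
    factor_weights: Dict[str, float]   # factor -> multiplier (the configurable part)
    asset_criticality: Dict[str, str]  # asset -> key of CRITICALITY_MULT


def band_for(score: int) -> str:
    """Map a numeric rating to its band on the 350-900 scale."""
    for lo, hi, name in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score {score} is outside {SCALE_MIN}-{SCALE_MAX}")


def penalty(f: Finding, model: RiskModel) -> float:
    """Points deducted for one finding: severity x asset criticality x likelihood x factor weight."""
    weight = model.factor_weights.get(f.factor, 1.0)
    crit = CRITICALITY_MULT[model.asset_criticality.get(f.asset, "medium")]
    return SEVERITY_POINTS[f.severity] * crit * f.likelihood * weight


def score(findings: Iterable[Finding], model: RiskModel, exclude: Set[str] = frozenset()) -> int:
    """Rating = top of scale minus weighted penalties, clamped to the scale's range."""
    total = sum(penalty(f, model) for f in findings if f.id not in exclude)
    return max(SCALE_MIN, min(SCALE_MAX, round(SCALE_MAX - total)))


def with_compensating_control(f: Finding, likelihood_factor: float) -> Finding:
    """Record a compensating control by scaling the finding's likelihood (0 < factor <= 1)."""
    if not 0 < likelihood_factor <= 1:
        raise ValueError("likelihood_factor must be in (0, 1]")
    return replace(f, likelihood=f.likelihood * likelihood_factor)


def simulate(findings: List[Finding], model: RiskModel, remediate: Set[str]) -> dict:
    """Score-simulator style 'what if': rating before and after removing the chosen findings."""
    before, after = score(findings, model), score(findings, model, exclude=remediate)
    return {"before": before, "band_before": band_for(before),
            "after": after, "band_after": band_for(after), "delta": after - before}


def best_plan(findings: List[Finding], model: RiskModel, plans: Dict[str, Set[str]]) -> str:
    """Name of the remediation plan that yields the highest simulated rating."""
    return max(plans, key=lambda name: simulate(findings, model, plans[name])["after"])


# Constructed sample findings for the example (not real assets or vulnerabilities).
FINDINGS = [
    Finding("F-1", "vpn-gw", "vulnerability", "critical"),
    Finding("F-2", "www", "vulnerability", "high"),
    Finding("F-3", "www", "exposure", "medium"),        # e.g. an unneeded open port
    Finding("F-4", "legacy-ftp", "exposure", "high"),
    Finding("F-5", "corp", "breach_history", "high"),
]

# Default model: breach history weighs more than open ports, as the text suggests.
DEFAULT_MODEL = RiskModel(
    "default",
    factor_weights={"vulnerability": 1.0, "exposure": 0.5, "breach_history": 3.0},
    asset_criticality={"vpn-gw": "high", "www": "medium", "legacy-ftp": "low"},
)
# Client-tuned model: same findings, different risk appetite (vulnerabilities weigh most).
TUNED_MODEL = RiskModel(
    "vuln-focused",
    factor_weights={"vulnerability": 1.5, "exposure": 1.0, "breach_history": 1.0},
    asset_criticality=DEFAULT_MODEL.asset_criticality,
)

if __name__ == "__main__":
    s = score(FINDINGS, DEFAULT_MODEL)
    print(f"default model: {s} ({band_for(s)})")
    t = score(FINDINGS, TUNED_MODEL)
    print(f"tuned model:   {t} ({band_for(t)})")
    mitigated = [with_compensating_control(f, 0.25) if f.id == "F-1" else f for f in FINDINGS]
    print("F-1 behind a compensating control:", score(mitigated, DEFAULT_MODEL))
    plans = {"patch vpn-gw": {"F-1"}, "close exposures": {"F-3", "F-4"},
             "vpn + breach cleanup": {"F-1", "F-5"}}
    for name, ids in plans.items():
        print(name, simulate(FINDINGS, DEFAULT_MODEL, ids))
    print("best plan:", best_plan(FINDINGS, DEFAULT_MODEL, plans))
```

Two things the numbers make visible that the prose only asserts: the same five findings land in Moderate Risk under the default model but in High Risk under the vulnerability-focused model, so a rating is only comparable between entities scored under the same model; and recording a compensating control on one critical finding moves the rating a full band without the finding itself going away, which is exactly why auditors should ask to see the recorded controls behind a contextualized score.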

Try Security Ratings from FortifyData

FortifyData provides a trusted and accurate security rating based on weekly external attack surface assessments of your confirmed IT asset inventory. It accounts for asset classification, likelihood adjustments and compensating controls, and enriches the findings with dark web discoveries and cyber threat intelligence to produce a contextualized security rating.

FortifyData is an industry-leading Continuous Threat Exposure Management (CTEM) company that enables the enterprise to manage cyber risk across the organization. By combining automated attack surface assessments with asset classification, risk-based vulnerability management, security ratings and third-party risk management, you get an all-in-one cyber risk management platform.