Third-party cyber risk is now one of the biggest threats, according to many CISOs. Security leaders point to the fact that many recent major breaches have resulted from a single software supply chain vulnerability: SolarWinds, Log4j, and MOVEit, to name a few.
According to SecurityScorecard’s joint research with the Cyentia Institute, 98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years. So how are organizations solving the third-party cyber risk puzzle? In this high-stakes chess match, a proven strategy is Security Ratings. Because the data is already publicly available, Security Ratings are one thing that CISOs can talk about publicly. Yet, there is one question that keeps coming up: How accurate are they, in reality?
In Cybersecurity, Metrics Matter
Last month, SecurityScorecard unveiled a new trust portal, the destination for greater transparency into the accuracy and validity of our Security Ratings. Aside from being an objective, data-driven, and quantifiable measurement of an organization’s overall cybersecurity performance, Security Ratings provide a common language with which insurers, board members, vendors, and regulators can communicate. But to make key business decisions, organizations need to know that their Security Ratings, and the data they rely on, are accurate. SecurityScorecard has worked diligently to ensure that our rate for false positives is less than 1%, so that customers and non-customers alike can be confident in their Security Ratings.
Increased Scoring Accuracy
By continuously improving and refining our algorithm, we are able to ensure that our Security Ratings offer the most accurate and up-to-date picture of an organization’s cybersecurity posture. This is done without penalizing an organization for factors that are outside their control.
SecurityScorecard offers an easy-to-understand overview of how our Security Ratings are calculated, with clear explanations of how we scan the Internet, how we attribute cloud IPs, and how we score our findings. And we encourage users to validate and make corrections to their ratings as needed. A customer support team is always on hand to answer questions about the methodology and process behind a security rating.
A More Transparent Scoring Methodology
Our scoring methodology is an open book, and we are the only company to provide complete transparency into our scores. SecurityScorecard non-intrusively scans the entire IPv4 web space, more than 4.0 billion routable IP addresses, every 10 days across more than 1,500 ports from 20+ countries. Learn more in our Scoring Methodology whitepaper.
Because cyber risk is dynamic and influenced by a wide range of variables, quantifying it requires numerous, continuously updated data points. To underscore this point, SecurityScorecard joined the Marsh McLennan Global Cyber Risk Analytics Center to study how cybersecurity ratings can be used to understand cyber risk. By analyzing security ratings and cyber insurance claims data, we found seven factors that are most predictive of a breach. They are: endpoint security; patching cadence; ransomware score; network security; DNS health; IP reputation; and cubit score.
SecurityScorecard works hard to ensure that an organization’s digital footprint and our measurements are correct. Our AI processes the vast amounts of data that we collect in order to provide the most actionable insights. By continuously monitoring over 12 million organizations, SecurityScorecard has found that organizations with an A rating are 7.7 times less susceptible to a breach. This large and growing collection of cybersecurity data allows us to quickly understand and monitor the cyber health of organizations and to provide all users with valuable and unique insights. This enables organizations to make more informed, risk-based business decisions based on the most accurate data available.
Security Ratings have the power to restore public trust in cybersecurity. We hold ourselves to the highest standards because we know our users do as well. And we are always looking for ways to improve to help make the world a safer place.
For more information, visit: trust.securityscorecard.com