Posted on Aug 24, 2017
Our initiative with the US Chamber of Commerce to release the Principles for Fair and Accurate Security Ratings started with defining and publishing the principles. SecurityScorecard is now carrying that initiative forward by continuing to educate current and future users of our product about how we adhere to them.
We recently took a deep dive into the principle of Dispute, Correction, and Appeal, and this week we’re continuing our series by analyzing the principle of Accuracy and Validation, which reads:
“Accuracy and Validation: Ratings should be empirical, data-driven, or notated as expert opinion. Rating companies should provide validation of their rating methodologies and historical performance of their models. Ratings shall promptly reflect the inclusion of corrected information upon validation.”
The underlying goal of this principle is to ensure that a security rating is reliable in both quality and accuracy. The SecurityScorecard platform puts each component of the Accuracy and Validation principle into practice.
Section 1: Ratings should be empirical, data-driven, or notated as expert opinion.
At SecurityScorecard, scoring is a data-driven process built so that a lower score always corresponds to a higher observed likelihood of breach than a higher score. Put simply, an “F” company has a higher likelihood of being breached than an “A” company. The scoring methodology has several steps, each of which preserves this data-driven approach:
Section 2: Rating companies should provide validation of their rating methodologies and historical performance of their models.
SecurityScorecard checks its ratings against its breach prediction model to confirm that the model remains stable over time. The major takeaway from our breach prediction model is that lower grades (Cs, Ds, and Fs) are always more likely to be breached than higher grades (As and Bs):
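The validation described in Sections 1 and 2 comes down to a testable property: when historical ratings are lined up against later breach outcomes, the observed breach rate must rise monotonically from A to F, and that ordering must hold on every cohort the model is checked against. The following is an added example written for this post, not SecurityScorecard's model or data; the cohorts are constructed, the grade scale and the `breach_rate_by_grade`, `is_monotone`, `relative_risk` and `concordance` helpers are assumptions chosen to illustrate the check, and the concordance statistic is a standard rank-based measure (the probability that a breached company carried a worse grade than an unbreached one, ties counted as one half).

```python
from collections import defaultdict

# Grade scale ordered from best to worst (assumed for this example).
GRADE_ORDER = ["A", "B", "C", "D", "F"]

def _cohort(counts):
    """Build a cohort from {grade: (breached, total)} as (grade, breached) records."""
    records = []
    for grade, (breached, total) in counts.items():
        records += [(grade, True)] * breached
        records += [(grade, False)] * (total - breached)
    return records

# Constructed sample data (not real ratings or breach history).
# A healthy cohort: breach rate rises steadily from A to F.
COHORT_GOOD = _cohort({"A": (1, 10), "B": (2, 10), "C": (3, 10), "D": (4, 10), "F": (6, 10)})
# A cohort where the ordering breaks: D-rated companies were breached less often than C-rated.
COHORT_BAD = _cohort({"A": (1, 10), "B": (2, 10), "C": (3, 10), "D": (2, 10), "F": (6, 10)})

def breach_rate_by_grade(records):
    """Return {grade: fraction breached} for every grade present in the records."""
    counts = defaultdict(lambda: [0, 0])  # grade -> [breached, total]
    for grade, breached in records:
        counts[grade][1] += 1
        if breached:
            counts[grade][0] += 1
    return {g: counts[g][0] / counts[g][1] for g in GRADE_ORDER if counts[g][1]}

def is_monotone(rates):
    """True if breach rate never decreases as the grade gets worse (A -> F)."""
    ordered = [rates[g] for g in GRADE_ORDER if g in rates]
    return all(a <= b for a, b in zip(ordered, ordered[1:]))

def relative_risk(rates, worst="F", best="A"):
    """How many times more often the worst grade was breached than the best."""
    return rates[worst] / rates[best]

def concordance(records):
    """Probability that a breached company had a worse grade than an unbreached one.
    0.5 means the grades carry no signal; 1.0 means perfect separation."""
    rank = {g: i for i, g in enumerate(GRADE_ORDER)}
    breached = [rank[g] for g, b in records if b]
    clean = [rank[g] for g, b in records if not b]
    score = 0.0
    for x in breached:
        for y in clean:
            if x > y:
                score += 1.0
            elif x == y:
                score += 0.5
    return score / (len(breached) * len(clean))

def validate_cohort(records):
    """Run the full check on one cohort and return a summary dict."""
    rates = breach_rate_by_grade(records)
    return {
        "rates": rates,
        "monotone": is_monotone(rates),
        "relative_risk_F_vs_A": relative_risk(rates),
        "concordance": concordance(records),
    }

if __name__ == "__main__":
    for name, cohort in (("good", COHORT_GOOD), ("bad", COHORT_BAD)):
        summary = validate_cohort(cohort)
        print(name, "monotone:", summary["monotone"],
              "F/A risk:", round(summary["relative_risk_F_vs_A"], 2),
              "concordance:", round(summary["concordance"], 3))
```

Running the same check on each new cohort (for example, each quarter's ratings against the breaches disclosed in the following year) is what turns "validation of historical performance" into a repeatable test: a cohort that fails the monotonicity check, or whose concordance drifts toward 0.5, is the signal that the model needs review before its ratings are trusted.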
Section 3: Ratings shall promptly reflect the inclusion of corrected information upon validation.
As we referenced in our last post on this topic, SecurityScorecard allows any company to provide corrected or clarifying data about its digital assets in order to correct its rating. Additionally, when a company requests a recalculation of its score, the rating is updated within 24 hours.