SecurityScorecard's statistically robust framework documents the fact that a company with a C, D, or F rating is 5 times more likely to suffer a consequential breach than an A- or B-rated company. Certain risk factors, such as application security and patching cadence, are even more indicative of the likelihood of breach. An F versus an A in these factors may translate into a tenfold increase in the likelihood of a data breach or successful attack.
At the same time, a D or F rating does not necessarily mean that an organization will be breached tomorrow. We do know, however, that in aggregate, companies with a higher security rating are less likely to suffer a data breach. For more information on how ratings are computed, download our scoring white paper.
How does SecurityScorecard calculate security ratings?
SecurityScorecard non-intrusively collects data from publicly available commercial and open-source feeds across the internet for an outside-in, hacker perspective of a company’s cybersecurity posture. This data is then analyzed by SecurityScorecard data science experts who calculate scores across 10 key risk indicator categories as well as an overall security rating using an easy-to-understand A-F grading scale.
How does SecurityScorecard collect data?
SecurityScorecard utilizes both active and passive data collection methods to gather proprietary and third-party data.
Active data collection involves:
- Initiating a connection towards remote hosts and participating in some initial part of their protocol.
You can think about this as data that needs to be requested.
Passive data collection can be performed in two ways:
- A remote host connects to us.
- We obtain copies or summaries of some protocol transaction from a network sensor or intermediary device.
You can think about this as data that is collected without asking.
SecurityScorecard’s proprietary data collection relies on a global network of sensors that spans the Americas, Asia-Pacific, and Europe, Middle East, and Africa. This network of scanners examines the entire internet and identifies services, vulnerabilities, and adherence to best practices, which can indicate a company’s current cybersecurity posture. These signals are the fundamental backbone of SecurityScorecard’s security ratings. We also operate one of the world’s largest networks of sinkholes and honeypots to glean indications of malware infection from outside a company's network.
Additionally, SecurityScorecard further enriches our data set by leveraging commercial and open-source intelligence feeds. This allows SecurityScorecard to improve the cadence of observation, build fidelity in the signals, and confirm accuracy in observations.
All of SecurityScorecard’s data collection methods are legal. We collect externally accessible and publicly-available data. No intrusive techniques are used to gather the information.
How does SecurityScorecard attribute data?
SecurityScorecard identifies which digital assets (i.e., IPs and domains) belong to an organization. This determines a company’s digital footprint and is the basis of every Scorecard. Attribution is the linchpin for measuring cybersecurity, and an effective attribution process must be able to allow for change. Competitors in the market rely on manual attribution, which limits their ability to keep pace with the dynamic nature of the internet. They have some level of automation, but human analysts are still at the heart of their process. Human intervention introduces manual error and results in attribution being only a snapshot of a moment in time. Conversely, SecurityScorecard relies on automation at scale. Attribution technology allows SecurityScorecard to quickly associate findings with an organization’s digital footprint and test them for accuracy, relevancy, and completeness, continuously keeping Scorecards up to date.
SecurityScorecard uses advanced machine learning algorithms and other proprietary methods that accurately attribute IP addresses found on the open internet to the company that has operational ownership of the associated systems. SecurityScorecard has made a significant investment in the development of a patented cybersecurity ratings platform that includes subject matter experts in areas such as networking, machine learning, risk management, and cybersecurity. The accuracy of SecurityScorecard’s IP attribution process has its foundation in advanced machine learning techniques.