In October 2020, we will be releasing an update to our cybersecurity risk rating model, founded on our platform's unique ability to automatically assess cybersecurity risk performance. As we continue our blog series discussing this upcoming ratings model release, this post will dive into the methodology behind the update to our cybersecurity risk ratings model. Be sure to check out part one of our blog post here.

Rate Cybersecurity Risk Performance

RiskRecon assigns a cybersecurity risk rating to each enterprise, rating the quality of its overall performance. In addition to the overall rating, RiskRecon rates performance at the security domain and criteria levels. As explained earlier, RiskRecon’s rating algorithm rates performance against real-world cybersecurity risk management: is the enterprise managing risk well, like a bank? Or is it managing risk poorly, like a university? RiskRecon is uniquely positioned to rate cybersecurity risk performance within such real-world context because only RiskRecon has high-fidelity risk insight based on the rates and severities of issues, considered within the context of the value at risk in the systems in which those issues exist.

Banks vs Universities

RiskRecon’s open-source data plainly reveals that the banking industry manages risk well and universities manage risk quite poorly. When analyzing rates of issues within the context of issue severity and asset value, the banking sector stands above all others. As shown in the diagram below, banks have only 0.5 critical severity issues for every 100 high-value systems (systems that process sensitive data). In comparison, universities have 6.3 critical severity issues for every 100 high-value systems that they operate on the internet.

[Figure: Rating Model - Banks vs Universities]

Criteria Issue Rating Weights

Leveraging its high-fidelity risk signals, RiskRecon built a rating model that mathematically represents the risk priorities of the banking industry as the benchmark of “good” risk management performance and spreads the ratings across the scale using universities as the benchmark of “poor” risk management. RiskRecon used the Rayleigh 3 statistical algorithm to ensure the weights distribute the performance of all companies properly: above bank ratings (they are good, but they are not perfect), below universities (yes, some are worse!), and in between. Some weighting schemes for some of the criteria are shown below.

Example Assessment Criteria Weights

[Figures: Rating Model Software Patching; Rating Model Web Encryption; Rating Model DNS Security]

Notice that there is a weight for every issue across each security criterion for every combination of issue severity AND asset value. That is a lot of math! Why is that important? Well, consider again the example given earlier regarding web encryption. Where is the proper use of web encryption most important? In systems that collect or transmit sensitive data. Where is it much less important? In systems that are brochure sites. As it turns out, the banking industry agrees. Banks put a very high risk priority on proper encryption configuration for high-value systems but place a very low risk priority on encrypting read-only brochure sites. Banks care 33x more about proper encryption of high-value system communications than about encryption of brochure sites.

Calculating the Overall Rating

RiskRecon calculates the performance rating for each assessment criterion using the criteria issue weights described above. RiskRecon then combines the criteria ratings to calculate the domain ratings and then combines the security domain ratings to calculate the overall rating. As was done for determining issue weights, RiskRecon determined weights for security criteria and domains based on the combinations that mapped to banks rating well and universities rating poorly.

To calculate the security domain and overall ratings, RiskRecon uses a weighted geometric mean rather than an arithmetic mean. The benefit of using a geometric mean is that poor performance in one security domain, such as email security, is not overly diluted by strong performance in other domains. The further a criterion or domain rating drops below that of other members of the population, the greater the weight it has on the overall calculation.

The starting weights employed to calculate domain ratings and the overall rating are shown in the table below. It is important to remember that these are “base” weights, not the actual weights, because the use of a weighted geometric mean can dynamically increase or decrease the weight of a given criterion or domain from the base starting point.

| Security Domain | Security Criteria | Weight in Calculating Domain Rating | Weight in Calculating Overall Rating |
|---|---|---|---|
| Software Patching | Application Servers; OpenSSL; CMS; Web Servers; Email Servers; DNS Servers | 100% | 30% |
| Application Security | CMS Admin Authentication | 50% | 12.5% |
| | HTTP Security Headers | 50% | |
| | Unencrypted Sensitive Communications | INFO (will move to rated in Q4 2020) | |
| | Links to Malicious Sites | INFO | |
| Web Encryption | Certificate Expiration; Certificate Valid Date; Hash Algorithm; Key Length; Encryption Protocols; Certificate Subject | 100% | 12.5% |
| System Reputation | C2 Servers; Botnet Hosts; Hostile-Hosts: Hacking; Hostile-Hosts: Scanning; Phishing Sites; Other Blacklisted Hosts; Spamming Hosts | See separate explanation | 7.5% |
| Breach Events | | See separate explanation | 10% |
| System Hosting | Shared IP Hosting | 50% | 5% |
| | Hosting Fragmentation | 50% | |
| | Hosting Countries | INFO | |
| | Hosting Providers | INFO | |
| | Hosting Domain Surface | INFO | |
| | Hostname Surface | INFO | |
| Email Security | Email Authentication (SPF/DKIM) | 50% | 6.25% |
| | Email Encryption | 50% | |
| DNS Security | Domain Hijacking Protection | 100% | 6.25% |
| | DNS Hosting | INFO | |
| Network Filtering | Unsafe Network Services | See separate explanation | 10% |
| | IOT Devices | | |
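To illustrate why a weighted geometric mean penalizes a single weak domain more than an arithmetic mean does, here is an added worked example (written for this post, not RiskRecon's own code). It uses the base overall-rating weights from the table above, assumes ratings are expressed on a 0 to 10 scale, and assumes the Email Security domain rating is itself the weighted geometric mean of its two 50% criteria; the page does not state how a rating of exactly zero is handled, so the helper simply rejects non-positive ratings.

```python
"""Weighted geometric vs arithmetic mean for combining RiskRecon-style ratings."""
import math

# Base weights for the overall rating, taken from the table above (percent).
DOMAIN_WEIGHTS = {
    "Software Patching": 30.0,
    "Application Security": 12.5,
    "Web Encryption": 12.5,
    "System Reputation": 7.5,
    "Breach Events": 10.0,
    "System Hosting": 5.0,
    "Email Security": 6.25,
    "DNS Security": 6.25,
    "Network Filtering": 10.0,
}

# Base weights within the Email Security domain, from the table above (percent).
EMAIL_CRITERIA_WEIGHTS = {"Email Authentication (SPF/DKIM)": 50.0, "Email Encryption": 50.0}


def weighted_geometric_mean(ratings, weights):
    """exp(sum(w_i * ln r_i) / sum(w_i)); ratings must be > 0 (assumed 0-10 scale)."""
    if any(r <= 0 for r in ratings.values()):
        raise ValueError("geometric mean needs strictly positive ratings")
    total = sum(weights[k] for k in ratings)
    return math.exp(sum(weights[k] * math.log(ratings[k]) for k in ratings) / total)


def weighted_arithmetic_mean(ratings, weights):
    """Plain weighted average, shown only for comparison."""
    total = sum(weights[k] for k in ratings)
    return sum(weights[k] * ratings[k] for k in ratings) / total


def overall_rating(domain_ratings):
    """Overall rating = weighted geometric mean of the domain ratings."""
    return weighted_geometric_mean(domain_ratings, DOMAIN_WEIGHTS)


def dilution_gap(domain_ratings):
    """How much higher the arithmetic mean would be than the geometric one."""
    return (weighted_arithmetic_mean(domain_ratings, DOMAIN_WEIGHTS)
            - overall_rating(domain_ratings))


if __name__ == "__main__":
    # Constructed scenario: every domain scores 9.0 except Email Security,
    # which is dragged down by a weak Email Encryption criterion.
    email = weighted_geometric_mean({"Email Authentication (SPF/DKIM)": 8.0,
                                     "Email Encryption": 0.5}, EMAIL_CRITERIA_WEIGHTS)
    domains = {d: 9.0 for d in DOMAIN_WEIGHTS}
    domains["Email Security"] = email
    print(f"email domain {email:.2f}, overall {overall_rating(domains):.2f}, "
          f"arithmetic would be {overall_rating(domains) + dilution_gap(domains):.2f}")
```

With uniform domain ratings the two means agree, so the gap only appears when one domain falls behind, which is exactly the behaviour the post describes.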

Conclusion

RiskRecon releases the new rating model in October 2020. In advance of the release, RiskRecon is working closely with customers to smoothly transition them to the new model.

RiskRecon produces cybersecurity risk ratings that enterprises can rely on to make better risk decisions faster. The new rating model produces ratings that reflect real-world cybersecurity risk management. It is simple – based on outside passive assessment, does the organization perform like a bank or better, indicating strong performance? Or does the organization rate more like a university, having very poor performance? RiskRecon ratings reveal the answer.

RiskRecon’s ratings are backed by continuous assessments of performance against tens of security criteria and thousands of underlying security checks. RiskRecon’s assessments are true risk-based assessments, with every issue risk-prioritized based on issue severity and asset value. No other platform does this automatically and at the scale of RiskRecon.

You may also download our new white paper on the rating update here, or feel free to request a product demonstration to gain a deeper understanding of how the new risk rating model can help you understand and act on third-party cyber risks.