In October 2020, we will be releasing an update to our cybersecurity risk rating model founded on our platform's unique ability to automatically assess cybersecurity risk performance. As we continue our blog series discussing this upcoming ratings model release, this post will dive into the methodology around the update to our cybersecurity risk ratings model. Be sure to check out part one of our blog post here.
Rate Cybersecurity Risk Performance
RiskRecon assigns a cybersecurity risk rating to each enterprise, rating the quality of its overall performance. In addition to the overall rating, RiskRecon rates performance at the security domain and criteria levels. As explained earlier, RiskRecon’s rating algorithm rates performance against real-world cybersecurity risk management: is the enterprise managing risk well, like a bank? Or is it managing risk poorly, like a university? RiskRecon is uniquely positioned to rate cybersecurity risk performance within such real-world context because only RiskRecon has high-fidelity risk insight based on the rates and severities of issues, placed in the context of the value at risk in the systems in which those issues exist.
Banks vs Universities
RiskRecon’s open-source data plainly reveals that the banking industry manages risk well and universities manage risk quite poorly. When analyzing rates of issues within the context of issue severity and asset value, the banking sector stands above all others. As shown in the diagram below, banks have only 0.5 critical severity issues for every 100 high-value systems (systems that process sensitive data). In comparison, universities have 6.3 critical severity issues for every 100 high-value systems that they operate on the internet.
Criteria Issue Rating Weights
Leveraging its high-fidelity risk signals, RiskRecon built a rating model that mathematically represents the risk priorities of the banking industry as the benchmark of “good” risk management performance and spreads the ratings across the scale using universities as the benchmark of “poor” risk management. RiskRecon used the Rayleigh 3 statistical algorithm to ensure the weights distribute the performance of all companies properly: above bank ratings (they are good, but they are not perfect), below universities (yes, some are worse!), and in between. Weighting schemes for some of the criteria are shown below.
Example Assessment Criteria Weights
Notice that there is a weight for every issue across each security criterion for every combination of issue severity AND asset value. That is a lot of math! Why is that important? Consider again the example given earlier regarding web encryption. Where is the proper use of web encryption most important? In systems that collect or transmit sensitive data. Where is it much less important? In systems that are brochure sites. As it turns out, the banking industry agrees. Banks put a very high risk priority on proper encryption configuration for high-value systems but place a very low risk priority on encrypting read-only brochure sites. Banks care 33x more about proper encryption of high-value system communications than about encryption of brochure sites.
Calculating the Overall Rating
RiskRecon calculates the performance rating for each assessment criterion using the criteria issue weights described above. RiskRecon then combines the criteria ratings to calculate the domain ratings and then combines the security domain ratings to calculate the overall rating. As was done for determining issue weights, RiskRecon determined weights for security criteria and domains based on the combinations that mapped to banks rating well and universities rating poorly.
To calculate the security domain and overall ratings, RiskRecon uses a weighted geometric mean rather than an arithmetic mean. The benefit of a geometric mean is that poor performance in one security domain, such as email security, is not overly diluted by strong performance in other domains. The further a criterion or domain rating drops below that of other members of the population, the greater the weight it carries in the overall calculation.
The starting weights employed to calculate the domain ratings and the overall rating are shown in the table below. It is important to remember that these are “base” weights, not the actual weights, because the use of a weighted geometric mean can dynamically increase or decrease the weight of a given criterion or domain from its base starting point.
| Security Domain | Security Criteria | Weight in Calculating Domain Rating | Weight in Calculating Overall Rating |
|---|---|---|---|
| Software Patching | Application Servers, OpenSSL, CMS, Web Servers, Email Servers, DNS Servers | 100% | 30% |
| Application Security | CMS Admin Authentication | 50% | 12.5% |
| | HTTP Security Headers | 50% | |
| | Unencrypted Sensitive Communications | INFO (will move to rated in Q4 2020) | |
| | Links to Malicious Sites | INFO | |
| Web Encryption | Certificate Expiration, Certificate Valid Date, Hash Algorithm, Key Length, Encryption Protocols, Certificate Subject | 100% | 12.5% |
| System Reputation | C2 Servers, Botnet Hosts, Hostile-Hosts: Hacking, Hostile-Hosts: Scanning, Phishing Sites, Other Blacklisted Hosts, Spamming Hosts | See separate explanation | 7.5% |
| Breach Events | | See separate explanation | 10% |
| System Hosting | Shared IP Hosting | 50% | 5% |
| | Hosting Fragmentation | 50% | |
| | Hosting Countries | INFO | |
| | Hosting Providers | INFO | |
| | Hosting Domain Surface | INFO | |
| | Hostname Surface | INFO | |
| Email Security | Email Authentication (SPF/DKIM) | 50% | 6.25% |
| | Email Encryption | 50% | |
| DNS Security | Domain Hijacking Protection | 100% | 6.25% |
| | DNS Hosting | INFO | |
| Network Filtering | Unsafe Network Services | See separate explanation | 10% |
| | IOT Devices | | |
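To make the geometric-mean argument concrete, here is an added example (not RiskRecon's code) that folds the nine base domain weights from the table into an overall rating two ways, arithmetic and geometric, for a constructed enterprise that is strong everywhere except Email Security. The 0–10 rating scale, the sample scores and the `marginal_influence` helper are assumptions for illustration; the helper shows why a low-scoring domain pulls harder on a geometric mean than an equally weighted high-scoring one.

```python
import math

# "Weight in Calculating Overall Rating" column of the table above, one
# entry per security domain. The base weights sum to 100%.
DOMAIN_WEIGHTS = {
    "Software Patching": 30.0,
    "Application Security": 12.5,
    "Web Encryption": 12.5,
    "System Reputation": 7.5,
    "Breach Events": 10.0,
    "System Hosting": 5.0,
    "Email Security": 6.25,
    "DNS Security": 6.25,
    "Network Filtering": 10.0,
}


def weighted_arithmetic_mean(ratings, weights):
    """sum(w_i * r_i) / sum(w_i): a weak domain is diluted by strong ones."""
    total = sum(weights[d] for d in ratings)
    return sum(weights[d] * r for d, r in ratings.items()) / total


def weighted_geometric_mean(ratings, weights):
    """exp(sum(w_i * ln r_i) / sum(w_i)). Any zero rating makes the mean 0,
    so ratings are assumed strictly positive on their scale."""
    if any(r <= 0 for r in ratings.values()):
        return 0.0
    total = sum(weights[d] for d in ratings)
    log_sum = sum(weights[d] * math.log(r) for d, r in ratings.items())
    return math.exp(log_sum / total)


def marginal_influence(ratings, weights, domain):
    """dG/dr_d = G * w_d / (sum(w) * r_d): the effective pull of one domain
    on the geometric mean grows as that domain's rating falls (assumed
    helper, not part of the published model)."""
    g = weighted_geometric_mean(ratings, weights)
    total = sum(weights[d] for d in ratings)
    return g * weights[domain] / (total * ratings[domain])


# Constructed sample on an assumed 0-10 scale: strong everywhere except
# Email Security, the case the text uses to motivate the geometric mean.
SAMPLE = {d: 9.0 for d in DOMAIN_WEIGHTS}
SAMPLE["Email Security"] = 2.0

if __name__ == "__main__":
    print("arithmetic:", round(weighted_arithmetic_mean(SAMPLE, DOMAIN_WEIGHTS), 3))
    print("geometric: ", round(weighted_geometric_mean(SAMPLE, DOMAIN_WEIGHTS), 3))
    for d in ("Email Security", "DNS Security"):
        print(d, "influence:", round(marginal_influence(SAMPLE, DOMAIN_WEIGHTS, d), 3))
```

With the sample scores the arithmetic mean lands near 8.56 while the geometric mean drops to about 8.19, and the 2.0-rated Email Security domain exerts 4.5 times the marginal pull of DNS Security, which carries the same 6.25% base weight but scores 9.0.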
Conclusion
RiskRecon releases the new rating model in October 2020. In advance of the release, RiskRecon is working closely with customers to smoothly transition them to the new model.
RiskRecon produces cybersecurity risk ratings that enterprises can rely on to make better risk decisions faster. The new rating model produces ratings that reflect real-world cybersecurity risk management. It is simple – based on outside passive assessment, does the organization perform like a bank or better, indicating strong performance? Or does the organization rate more like a university, having very poor performance? RiskRecon ratings reveal the answer.
RiskRecon’s ratings are backed by continuous assessments of performance to tens of security criteria and thousands of underlying security checks. RiskRecon’s assessments are true risk-based assessments, with every issue risk prioritized based on issue severity and asset value. No other platform does this automatically and at the scale of RiskRecon.
You may also download our new white paper on the rating update here or feel free to request a product demonstration to gain a deeper understanding of how the new risk rating model can help you understand and act on third-party cyber risks.