In October 2020, we will be releasing an update to our cybersecurity risk rating model founded on our platform's unique ability to automatically assess cybersecurity risk performance. As we continue our blog series discussing this upcoming ratings model release, this post will dive into the methodology around the update to our cybersecurity risk ratings model. 

RiskRecon continuously monitors the cybersecurity risk performance of enterprises through open-source intelligence assessment techniques. All system discovery and security analytics are passive, based on the collection and analysis of publicly available data. Through this approach, RiskRecon continuously monitors the cybersecurity risk of tens of thousands of companies. RiskRecon ensures the accuracy of its assessment by operating its own system discovery through proprietary processes and algorithms. RiskRecon collects most of its security signals through direct observation rather than relying on third-party providers whose accuracy and scale RiskRecon cannot control. RiskRecon's system ownership attribution is independently certified as 98.5% accurate.

RiskRecon Rating Model Methodology

Discover Systems

RiskRecon maintains a continuous inventory of the enterprise internet surface, discovering systems with supervised machine learning algorithms that mine data from global domain and netblock registration databases, internet crawling, and subsidiary analysis. RiskRecon system ownership attribution is independently certified at 98.5% accuracy.

Assess Cybersecurity

RiskRecon continuously assesses cybersecurity performance using non-invasive techniques across nine security domains built on approximately 40 criteria, assessing systems against thousands of security checks and monitoring the larger enterprise for malicious activity and breach events. RiskRecon assesses performance against most criteria through direct observation using its own data collection and analytics, enabling strong control of assessment scope and accuracy. For malicious activity and unsafe network service signals, RiskRecon engages highly reputable providers.

Assess Value at Risk

Determining the value at risk of a system is essential to assessing risk. Without it, one is limited to assessing systems for the presence of issues, but not risk. Assessing risk requires knowing the value at risk should a security breach occur. RiskRecon automatically and continuously determines the value at risk of each system through machine learning analytics of system code, content, and configurations. For example, RiskRecon can identify systems that require user authentication or that collect other sensitive data such as names, email addresses, and credit card numbers. Similarly, RiskRecon can identify systems that are simply domain parking websites and brochure sites.

Produce Risk Assessment

Combining and analyzing the data collected through the system discovery, security assessment, and value at risk analytics, RiskRecon produces a robust risk assessment. RiskRecon assessments contain summary insights that highlight areas of strength and the key areas of weakness and related issues that expose the organization to the greatest risk. The assessments provide full details of the IT profile, the security issues, and related risk context and risk priority. RiskRecon maps assessment results to 12 industry security standards, enabling automated compliance assessment.
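To make the value-at-risk idea concrete, here is an added, illustrative example (not RiskRecon's model or code) that shows the two steps described above: a content-based classifier that places a system into a value-at-risk tier from features of its HTML (parking-page markers, a password field, personal-data fields, payment-card fields), and a risk-priority score that scales an issue's severity by the tier of the host it sits on. The tier scale, field-name lists, parking-page markers, hostnames, page snippets and severity values are all constructed for the example, and the severity numbers are simply assumed CVSS-like scores.

```python
import re
from dataclasses import dataclass

# Hypothetical value-at-risk tiers, lowest to highest. Not RiskRecon's scale.
VALUE_TIERS = {"parked": 1, "brochure": 2, "authenticated": 3, "pii": 4, "payment": 5}

# Constructed marker lists for the heuristic classifier.
PARKED_MARKERS = ("this domain is for sale", "domain parking", "buy this domain")
PII_FIELDS = ("email", "first_name", "firstname", "last_name", "lastname", "phone", "ssn")
PAYMENT_FIELDS = ("card_number", "cardnumber", "cc-number", "cc_number", "cvv", "cvc", "cc-csc", "expiry")

_INPUT_RE = re.compile(r"<input\b[^>]*>", re.I)
_ATTR_RE = re.compile(r"""\b(name|id|type|autocomplete)\s*=\s*["']([^"']*)["']""", re.I)


def input_signals(html):
    """Return (has_password_field, set of lowercase name/id/autocomplete values) for all <input> tags."""
    has_password = False
    names = set()
    for tag in _INPUT_RE.findall(html):
        attrs = {k.lower(): v.lower() for k, v in _ATTR_RE.findall(tag)}
        if attrs.get("type") == "password":
            has_password = True
        for key in ("name", "id", "autocomplete"):
            if key in attrs:
                names.add(attrs[key])
    return has_password, names


def classify_value_at_risk(html):
    """Map page content to a value-at-risk tier name; higher-value signals override lower ones."""
    lowered = html.lower()
    if any(marker in lowered for marker in PARKED_MARKERS):
        return "parked"
    has_password, names = input_signals(html)
    tier = "brochure"                                   # default: static content, nothing collected
    if has_password:
        tier = "authenticated"                          # a login form means accounts live behind it
    if any(p in n for n in names for p in PII_FIELDS):
        tier = "pii"                                    # collects names, emails, phone numbers, etc.
    if any(p in n for n in names for p in PAYMENT_FIELDS):
        tier = "payment"                                # collects card data
    return tier


@dataclass
class Issue:
    host: str
    description: str
    severity: float  # assumed CVSS-like base score, 0-10


def risk_priority(issue, tier_name):
    """Issue severity scaled by the value at risk of the host it affects."""
    return round(issue.severity * VALUE_TIERS[tier_name], 1)


def prioritize(issues, pages):
    """Rank issues by priority. `pages` maps host -> page HTML (constructed here, fetched in practice)."""
    tiers = {host: classify_value_at_risk(html) for host, html in pages.items()}
    ranked = sorted(issues, key=lambda i: risk_priority(i, tiers[i.host]), reverse=True)
    return [(i.host, tiers[i.host], risk_priority(i, tiers[i.host]), i.description) for i in ranked]


# Constructed sample pages and findings for four hosts of a hypothetical company.
SAMPLE_PAGES = {
    "shop.example.com": '<form><input name="email"><input name="card_number"><input name="cvv"></form>',
    "portal.example.com": '<form><input name="username"><input type="password" name="pw"></form>',
    "www.example.com": "<html><body><h1>About us</h1><p>We make widgets.</p></body></html>",
    "old.example.com": "<html><body>This domain is for sale. Domain parking by a registrar.</body></html>",
}
SAMPLE_ISSUES = [
    Issue("old.example.com", "TLS 1.0 still enabled", 7.5),
    Issue("www.example.com", "Missing HSTS header", 4.0),
    Issue("portal.example.com", "Outdated web framework", 6.5),
    Issue("shop.example.com", "Missing HSTS header", 4.0),
]

if __name__ == "__main__":
    for host, tier, priority, description in prioritize(SAMPLE_ISSUES, SAMPLE_PAGES):
        print(f"{priority:5.1f}  {host:22s} [{tier}]  {description}")
```

Run as-is, the same missing-HSTS finding scores 20.0 on the card-collecting shop but only 8.0 on the brochure site, and the higher-severity TLS 1.0 finding on the parked domain ranks last, which is the point the section makes: the presence of an issue alone does not express risk until the value at risk of the affected system is known.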

[Figure: RiskRecon Rating Model - Company Overview]
[Figure: RiskRecon Rating Model - Security Profile Summary]
[Figure: RiskRecon Rating Model - Security Profile Detail]

Subscribe to our blog to be notified when Part II of this post is published. You may also download our new white paper on the rating update, or request a product demonstration to gain a deeper understanding of how the new risk rating model can help you understand and act on third-party cyber risk.