In this article:
In April, 2024, SecurityScorecard will apply Scoring 3.0, an updated methodology that tightens the correlation of scores to breach likelihood.
We introduced a preview of Scoring 3.0 on September 13, 2023, to help you prepare for the permanent changeover. During this introductory period, you will continue to see your current, official Scorecard score that reflects our current methodology and compare it with your upcoming Scoring 3.0 score.
How 3.0 is different
The new methodology features several major changes:
- In 3.0, the overall Scorecard score directly reflects all the security issues that we discover on an organization's internet-facing assets. This differs from our current scoring methodology, where the overall Scorecard Score is a weighted average of 10 factor scores.
- Factors in 3.0 no longer have weights. They have numeric scores of 0 to 100. Issue types in 3.0 continue to have weights. This makes the scoring calculation process clearer and simpler to understand.
- Certain issue types have different severity levels and score impact in 3.0 compared to the current scoring methodology. Some are lower and some are higher See the Cybersecurity Signals in our scoring methodology white paper, where you can compare severity levels in both methodologies.
- Letter grades below A in 3.0 have greater correlations to breach likelihood:
Grade Breach likelihood in current methodology Breach likelihood
in 3.0A 1x 1x B 2.6x 2.9x C 4.3x 5.4x D 6x 9.2x F 7.7x 13.8x
How you can prepare for the changeover to 3.0
Depending on the issue findings on your Scorecard, your score may change significantly. Use the 3.0 preview to help you adjust your issue resolution priorities accordingly in advance of the April, 2024 changeover.
- Go to Issues tab in your Scorecard and turn on the the 3.0 preview.
- Compare the severity levels and score impacts for 3.0 and the current methodology.
FAQ
Why is SecurityScorecard updating the scoring methodology?
Changing the scoring algorithm improves breach predictability.
Additionally, the new methodology clarifies the scoring calculation process with a direct correlation between issue types and overall score.
We are committed to constantly improving our methodologies to accurately reflect the current, dynamic state of cybersecurity, so that our you can make the most informed decisions about how to manage your cyber risk.
How often do scoring algorithm changes occur?
Our scoring algorithm changes every three to four years.
How will Scoring 3.0 impact the score data on the History page?
When the full changeover to 3.0 happens in April 2024, the History page will include historical data reflecting Scoring 3.0. Currently, it does not.
What are the scanning frequencies for Scoring 3.0?
The frequencies is identical to those for the current methodology, and they varies depends on the issue type. See the Cybersecurity Signals in our scoring methodology white paper for frequencies.
Which of the two scores in the platform should I pay attention to ?
While remediating issue types will improve the score for both methodologies, the specific impact will be different depending on the severity level of that specific issue type.
If I resolve issue findings on my Scorecard, will both scores increase?
Yes, if you remediate issues on your Scorecard, both 3.0 scores will increase differently due to different issue severity levels.
Learn more
See our scoring methodology white paper for detailed information on how Scoring 3.0 works.