On April 9, 2024, SecurityScorecard introduced Scoring 3.0, an updated methodology that tightens the correlation of scores to breach likelihood.
We introduced a preview of Scoring 3.0 on September 13, 2023, to help you prepare for the permanent changeover. During this preview period, you could see your official Scorecard score, calculated under the previous methodology, side by side with your upcoming Scoring 3.0 score.
Please watch the video below or this webinar to understand how we developed our new scoring algorithm, what changes were made, and how it will benefit your organization.
When is this change happening?
The cutover to Scoring 3.0 occurred on April 9, 2024. To ensure that Scoring 3.0 was available in the platform on April 9, deployment began on Monday, April 8 at 4 pm ET. This timing was chosen to minimize disruption to users.
Upon logging into SecurityScorecard on Tuesday, April 9, you will see that the toggled preview view is no longer available and your score reflects the new Scoring 3.0 score.
As of Tuesday, April 9, all areas of the platform have been updated to reflect the new scoring.
How 3.0 is different
The new methodology features several major changes:
- In 3.0, the overall Scorecard score directly reflects all the security issues that we discover on an organization's internet-facing assets. This differs from the previous methodology (Scoring 2.0), where the overall Scorecard score was a weighted average of 10 factor scores.
- Factors in 3.0 no longer have weights. They have numeric scores of 0 to 100. Issue types in 3.0 continue to have weights. This makes the scoring calculation clearer and simpler to understand.
- Certain issue types have different severity levels and score impact in 3.0 compared to the previous methodology. Some are lower and some are higher. See the Cybersecurity Signals section of our scoring methodology white paper, where you can compare severity levels in both methodologies.
- Letter grades below A in 3.0 have stronger correlations to breach likelihood, relative to an A-graded organization:
Grade | Breach likelihood in previous methodology | Breach likelihood in 3.0 |
A | 1x | 1x |
B | 2.6x | 2.9x |
C | 4.3x | 5.4x |
D | 6x | 9.2x |
F | 7.7x | 13.8x |
How you can prepare for the changeover to 3.0
Depending on the issue findings on your Scorecard, your score may change significantly. Use the 3.0 preview to adjust your issue resolution priorities in advance of the April 2024 changeover.
- Go to the Issues tab in your Scorecard and turn on the 3.0 preview.
- Compare the breach risk levels and score impacts under 3.0 and the previous methodology.
You can also take advantage of a free trial offered in collaboration with one of our partners, Red Sift. Red Sift can help improve a company's cybersecurity rating by proactively addressing SecurityScorecard issues that indicate unsafe behaviors and a high likelihood of a breach.
Issue Type Severity Feedback
Please use this feedback mechanism on the issue type details page to provide feedback and drive future scoring decisions.
Threat Level:
Threat Level is the severity assigned by SecurityScorecard threat experts: High, Medium, Low, or Info. These levels are based on their understanding of the threat and are defined as follows:
Level | Impact | Action |
Info | Minimal or no impact; would likely not result in material loss | Monitor; record for future reference |
Low | Minor impact; would likely not result in material loss | Review; apply minor fixes |
Medium | Noticeable impact; would likely result in material loss | Investigate; implement remedial actions |
High | Significant or severe impact; highly likely to result in material loss | Immediate investigation; implement strong countermeasures |
Breach Risk:
Breach Risk indicates the level of seriousness based on our data-driven correlation to breach. Our Data Science team assessed over 15,000 breaches to identify correlations between issue types and breaches. Based on that assessment, each issue type is assigned a breach risk level of High, Medium, Low, or Info.
Based on the definitions above, we are gathering your feedback on whether an issue type's score impact should be higher, lower, or is about right. Your feedback is extremely valuable to us, and your responses will be considered for future scoring recalibrations.
You can find the feedback mechanism on the details page of each issue type.
- My Scorecard view: You can view the issues and provide feedback on your own Scorecard.
- Others' Scorecard view: You can only view the issues on others' Scorecards; feedback is not available there.
Scoring 3.0 Recalibrations
Weights and breach risk levels of issue types are reviewed based on your feedback as we continue to improve and refine Scoring 3.0.
December 6, 2023
Issue Type | New Scoring 3.0 Level |
Website Copyright is current | INFO |
Unsafe implementation of Subresource integrity | LOW |
Cloud Provider Service Used | INFO |
Email exposed | MEDIUM |
Potential vulnerability detected | INFO |
Website does not implement X-XSS-Protection Best Practices | INFO |
Recommended Next Steps:
In the near future, we plan to apply substantial weights and breach risk levels to each of the CVSSv3 issue types. We encourage you to focus your efforts on remediating CVSSv3 issues now, while their weights are still low. If these issues remain unresolved, you will see large score impacts in the next Scoring 3.0 recalibration.
Recommended actions to improve your score
Follow these recommendations to begin improving your score.
FAQ
Why is SecurityScorecard updating the scoring methodology?
Changing the scoring algorithm improves breach predictability.
Additionally, the new methodology clarifies the scoring calculation by establishing a direct relationship between issue types and the overall score.
We are committed to continually improving our methodologies to accurately reflect the current, dynamic state of cybersecurity, so that you can make the most informed decisions about how to manage your cyber risk.
How often do scoring algorithm changes occur?
Our scoring algorithm changes every three to four years.
How will Scoring 3.0 impact the score data on the History page?
When the full changeover to 3.0 happens in April 2024, the History page will start to show Scoring 3.0 data while retaining the Scoring 2.0 data from before the cutover.
What are the scanning frequencies for Scoring 3.0?
The scanning frequencies are identical to those for the previous methodology, and they vary by issue type. See the Cybersecurity Signals section of our scoring methodology white paper for frequencies.
Which of the two scores in the platform should I pay attention to?
Remediating an issue type will improve the score under both methodologies, but the size of the impact differs depending on the breach risk level assigned to that issue type in each methodology.
If I resolve issue findings on my Scorecard, will both scores increase?
Yes. If you remediate issues on your Scorecard, both the previous-methodology score and the 3.0 score will increase, but by different amounts, because issue types carry different breach risk levels in each methodology.
Learn more
See our scoring methodology white paper for detailed information on how Scoring 3.0 works.