The cybersecurity landscape continues to transform, reflecting the ever-changing spectrum of threats and an escalating number of breaches annually. SecurityScorecard is thrilled to announce the launch of Scoring 3.0 coming on April 9, 2024, an advancement that will revolutionize the way breach likelihood is assessed.
Breach Likelihood Defined
Central to the SecurityScorecard framework is the concept of "breach likelihood." This term is the gold standard in the security ratings industry, where organizations leverage objective assessments to evaluate their security posture. The scoring system, ranging from 'A' to 'F,' categorizes companies based on the number of assets and issues detected on their Scorecard. Notably, organizations with an 'F' score face a higher breach likelihood.
With Scoring 3.0, companies with an 'F' rating will be a staggering 13.8 times more likely to suffer a breach than those with an 'A' rating. The question we most commonly receive: how has SecurityScorecard arrived at such a precise breach likelihood?
Unveiling the 13.8x Breach Likelihood
Previously, the Total Score was derived from the weighted average of 10 Factor Scores, each shedding light on specific vulnerabilities grouped into different categories. However, Scoring 3.0 takes a leap forward by calculating the Total Score based on 200+ weighted issue types and the volume of corresponding findings.
Using 15,000 breaches in the last 4 years, our Data Science team led the analysis to assign a risk-based weight to every issue type, leading to "Breach Risk." Issue types with a higher correlation with breach received a higher weight, and issue types with a lower correlation with breach received lower weights. This dynamic, data-centric approach promises a more accurate reflection of breach likelihood through SecurityScorecard ratings, using proven breach history correlated across 200+ issue types.
Severity Levels Redefined
Critical to understanding Scoring 3.0 is the redefinition of severity levels. The severity column in the issues page is directly representative of 'Breach Risk,' clearly outlining the impact on an organization's score. Four distinct levels – High, Medium, Low, and Info – classify issue types based on their correlation with breach incidents:
- High: This issue type had significant correlation with breach
- Medium: This issue type had medium correlation with breach
- Low: This issue type had low correlation with breach
- Info: This issue type had insignificant correlation with breach or the issue type weight will be updated at a later date
This granular classification provides organizations with a nuanced view of their security posture, empowering them to address vulnerabilities with a strategic focus.
The Scoring 3.0 View & Recommendations
We have enabled a toggle to view Scoring 3.0. When Scoring 3.0 is turned on, users gain visibility into their organization's score exclusively based on the gold standard of breach likelihood. This refined approach ensures that the scoring system aligns more closely with real-world breach scenarios, offering organizations a clearer understanding of their security standing.
Leading up to the official cutover of Scoring 3.0, we recommend you review issue types that have the biggest impact on your organization's score. Remediating issues in this preview will improve the score for both Scoring 2.0 and Scoring 3.0 depending on the weight of that specific issue type. This also requires continuous validation of your digital footprint, ensuring that your rating is as accurate as possible.
As we work toward the arrival of Scoring 3.0 in April 2024, SecurityScorecard continues to lead the charge in revolutionizing how breach likelihood is assessed. The result of data-driven insights and a redefined scoring algorithm positions Scoring 3.0 as a pivotal advancement in the world of security ratings.