What is a scoring update?
Periodically, readjustments of scoring algorithms need to take place. SecurityScorecard’s scoring model is a continuous measure of the typical number of findings for an organization versus their digital footprint size. The score is developed based on how many standard deviations an organization is better or worse than the average number of findings for an organization of a particular size. SecurityScorecard takes into account that the expected amount of findings for similarly-sized companies changes. When SecurityScorecard has a scoring update this means a recalibration will occur and the baseline that organizations are scored against is updated.
Why is this important?
By keeping the average up to date, SecurityScorecard provides customers with scores that continuously reflect the true nature of the cybersecurity landscape. This prevents scores from drifting over time as the number of findings on the internet moves away from the historical baseline.
Additionally, our scoring update allows us to add new issue types, retire old ones, and re-weight the severity of issues that make scores more predictive of negative outcomes such as breaches and malware.
How is this going to impact my company?
Several weeks before the scoring update occurs, SecurityScorecard will give you a directionally accurate score on the platform, so you have the right information to take appropriate action. In addition to recalibrating, we may add new issues and information. For example, in the April 2020 recalibration, we added new CVEs to Patching Cadence and updated the list of expired web browsers and operating systems in Endpoint Security. These additions had a scoring impact on organizations.
Why did my score increase/decrease?
If your organization has fewer issues than what is typical for your digital footprint size, then your score will increase.
If your organization has more issues than what is typical for your digital footprint size, then your score will decrease. Additionally, when new issues and information are added, there might be an impact on your score. For example, in the April 2020 scoring update if your organization had any of the added CVEs or any of the expired web browsers or operating systems, then your score dropped.
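The following is an added example, not SecurityScorecard's code, showing the mechanism described above: each organization's finding count is compared with the average and standard deviation for organizations in its footprint-size bucket, and a scoring update replaces that baseline while the comparison itself stays the same. The populations, the bucket boundaries, and the linear mapping from standard deviations to a 0-100 score are constructed assumptions for illustration.

```python
"""Size-bucketed, standard-deviation scoring with a baseline recalibration.

Added example, not SecurityScorecard's code. The populations, bucket boundaries and
the mapping from standard deviations to a 0-100 score are constructed assumptions;
the point is that the algorithm stays fixed while the baseline it compares against moves.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Baseline:
    """Average and standard deviation of finding counts for one footprint-size bucket."""
    avg: float
    std: float


def size_bucket(footprint_size: int) -> str:
    # Constructed bucket boundaries, in number of assets in the digital footprint.
    if footprint_size < 50:
        return "small"
    if footprint_size < 500:
        return "medium"
    return "large"


def build_baseline(population):
    """population: iterable of (footprint_size, finding_count) for many organizations.
    Returns the per-bucket average/std that a scoring update recalibrates."""
    by_bucket = {}
    for footprint_size, findings in population:
        by_bucket.setdefault(size_bucket(footprint_size), []).append(findings)
    # Guard against a zero standard deviation when every organization in a bucket is identical.
    return {b: Baseline(mean(v), pstdev(v) or 1.0) for b, v in by_bucket.items()}


def standard_deviations_better(findings, footprint_size, baseline):
    """Positive when the organization has fewer findings than is typical for its size."""
    b = baseline[size_bucket(footprint_size)]
    return (b.avg - findings) / b.std


def score(findings, footprint_size, baseline, points_per_sd=10.0, midpoint=75.0):
    """Map standard deviations to a 0-100 score (the linear mapping is a constructed choice)."""
    z = standard_deviations_better(findings, footprint_size, baseline)
    return max(0.0, min(100.0, midpoint + points_per_sd * z))


# Constructed populations of (footprint_size, finding_count). The "new" population has
# more findings in the medium and large buckets and fewer in the small bucket, so the
# recalibrated averages move in different directions for different sizes.
OLD_POPULATION = [(10, 2), (20, 2), (30, 6), (40, 6),
                  (100, 15), (150, 15), (200, 25), (300, 25),
                  (600, 60), (800, 60), (1000, 100), (2000, 100)]
NEW_POPULATION = [(10, 1), (20, 1), (30, 5), (40, 5),
                  (100, 20), (150, 20), (200, 30), (300, 30),
                  (600, 70), (800, 70), (1000, 110), (2000, 110)]

OLD_BASELINE = build_baseline(OLD_POPULATION)
NEW_BASELINE = build_baseline(NEW_POPULATION)


def score_impact(findings, footprint_size, old=OLD_BASELINE, new=NEW_BASELINE):
    """Projected change if the recalibration happened today, with findings unchanged."""
    return score(findings, footprint_size, new) - score(findings, footprint_size, old)


def impact_report(organizations, old=OLD_BASELINE, new=NEW_BASELINE):
    """Rows of (name, old_score, new_score, delta), in the shape of a score-impact download."""
    return [(name, score(f, s, old), score(f, s, new), score_impact(f, s, old, new))
            for name, s, f in organizations]


if __name__ == "__main__":
    # Constructed organizations: (name, footprint_size, finding_count).
    for row in impact_report([("medium-org", 200, 15), ("small-org", 20, 4)]):
        print("%-10s old=%5.1f new=%5.1f delta=%+5.1f" % row)
```

With these constructed populations, the medium-sized organization keeps 15 findings but gains ten points, because the typical medium-sized organization now has more findings; the small organization keeps 4 findings and loses five points, because its bucket's average fell. Nothing about the scoring function changed in either case, only the baseline it is compared against.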
Is the scoring update going to impact my portfolios?
Yes, most organizations will experience some sort of score impact, positive or negative. This means the average score of your portfolios, the reports, analytics, and other features based on portfolio scores might change.
How am I being notified when there is a change?
Users will be notified with in-platform banners. A mouseover of the scoring update icon under your score on your scorecard page will also have information. Additionally, icons in the History Tab and Issue Level Event Log will indicate score changes due to monthly scoring updates.
Why don’t I see a platform banner?
There are three possibilities:
Your organization is projected to not experience a score change for the upcoming recalibration.
The scoring update banners have not been enabled yet.
You have already dismissed the banner.
How do I prepare for this internally and with my vendors?
There are multiple ways to prepare for the scoring update.
You can request multiple reports to learn more information from the “Download Reports” link on the banner and mouseover of your score. With this link, users can easily access three reports:
Score Impact Changes
Please note the reports have a 500-row limit. Please reach out to your Customer Success Manager (CSM) or email@example.com if your report is over 500 rows.
Is the scoring algorithm/methodology changing?
No, our scoring framework is staying the same. Scoring compares the number of findings on your company to the average for similarly sized companies. Recalibration is updating the average. At its core, our scoring algorithm is staying the same.
What is the frequency of scoring updates?
Scoring updates (recalibration) occur on the 3rd week of every month. We still run scores daily.
Why are you telling me now?
SecurityScorecard is committed to providing transparency to our customers and prospects. We truly believe that building trust involves being transparent about our scoring methodology, the data that drives our scores, and now our calibration cadence. We built the industry’s first Trust Portal, for anyone to access and learn about the data that drives our technology. By providing information in advance, customers can be prepared.
Why does my projected score keep changing in platform notifications?
SecurityScorecard updates our scores daily to account for changes in digital footprints and issue counts found for an organization. The projected score, like the platform score, is calculated using the latest findings and digital footprint and may change.
Can you provide us what the approximate score change will be from the scoring update?
While we cannot provide exact score changes, our data science team has worked hard to provide directionally accurate score impacts before each scoring update. Each day, the score impact in the platform banner and icon (mentioned above) represents what the score change would be if we were to change the calibration on that day. Additionally, you can download reports of the following information on the platform:
Factor Score Changes
Score Impacts For Issues
For a report on the overall change in your portfolio, please reach out to your CSM or firstname.lastname@example.org.
How will I know if new signals are added, old signals are retired, or risk factors are reweighted?
You can access this information in the scoring update release notes in the Knowledge Base.
Who is determining the score change?
The score change is an outcome of our scoring algorithm and recalibration. Our data science team of PhDs is continuously working to determine the best calibration cadence for our customers.
Was my score fair and accurate before?
Yes, your scores were fair and accurate based on the best available data. We are always improving our scores by updating the averages and collecting new data to reflect the cybersecurity landscape.
Is my Score Linear or Non-Linear?
The score is a non-linear weighting function which gives greater emphasis to low factor scores. The rationale is that in a security context, “a chain is only as strong as its weakest link”. Giving greater weights to low factor scores helps pull down the total score when the entity has low factor scores, reflecting a degraded overall security posture.
The total score calculation is non-linear and is not equal to the sum of all measurement score impacts. It is described in https://securityscorecard.pathfactory.com/c/securityscorecard-sc?x=VO3MOH on page 21.
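The following is an added example, not SecurityScorecard's formula (the actual weighting function is described in the methodology document linked above). It uses a constructed weighting, weight 1 / factor score, so that low factor scores carry more weight, and shows the two properties stated above: a single low factor pulls the total below the plain average, and the impacts of individual changes do not add up to the impact of making them together.

```python
"""A non-linear, weakest-link style total score built from factor scores.

Added example, not SecurityScorecard's formula. The weight given to each factor is
1 / factor_score (a constructed choice), so the total is a harmonic mean of the
factor scores and a low factor pulls the total down more than a high one lifts it.
"""

MIN_FACTOR = 1.0  # clamp so a factor score of 0 cannot cause a division by zero


def linear_total(factor_scores):
    """Plain arithmetic mean: every factor counts the same (the linear alternative)."""
    values = list(factor_scores.values())
    return sum(values) / len(values)


def weakest_link_total(factor_scores):
    """Weighted mean with weight 1/score per factor (constructed weighting).
    A factor at 40 carries more than twice the weight of a factor at 90."""
    weights = {f: 1.0 / max(MIN_FACTOR, s) for f, s in factor_scores.items()}
    weighted_sum = sum(w * factor_scores[f] for f, w in weights.items())
    return weighted_sum / sum(weights.values())


def score_impact(factor_scores, changes):
    """Change in the total if the given factor scores were changed together."""
    updated = {**factor_scores, **changes}
    return weakest_link_total(updated) - weakest_link_total(factor_scores)


def individual_vs_joint_impact(factor_scores, changes):
    """Sum of each change's impact taken alone, versus the impact of all changes at once.
    With a non-linear total these differ, so per-measurement impacts cannot simply be added."""
    individual = sum(score_impact(factor_scores, {f: s}) for f, s in changes.items())
    joint = score_impact(factor_scores, changes)
    return individual, joint


# Constructed factor scores for a hypothetical scorecard with one weak factor.
FACTORS = {
    "Network Security": 90,
    "DNS Health": 95,
    "Patching Cadence": 40,
    "Endpoint Security": 85,
}

if __name__ == "__main__":
    print("linear total:       %.2f" % linear_total(FACTORS))
    print("weakest-link total: %.2f" % weakest_link_total(FACTORS))
    changes = {"Patching Cadence": 90, "Endpoint Security": 95}
    individual, joint = individual_vs_joint_impact(FACTORS, changes)
    print("sum of individual impacts: %+.2f, joint impact: %+.2f" % (individual, joint))
```

Because the weighting depends on the factor scores themselves, fixing the weakest factor (Patching Cadence) moves the total far more than an equal-sized improvement to a factor that is already high, and the sum of the two individual impacts is not the impact of fixing both at once.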
Who can I contact for more information?
For any questions and comments, please reach out to your Customer Success Manager or email email@example.com.