The Breach Susceptibility Indicator (BSI) is a data-driven predictor that estimates the likelihood of a security breach. It assesses a company's security posture and the size of its digital footprint, and it is trained on a hyperoptimized, non-linear model with carefully curated data to maximize predictive accuracy. BSI is calculated daily, uses a different model than the top-level score, and reflects security posture and digital footprint in ways that may not respond immediately to remediation.
How it works
The BSI uses a machine learning model that ingests all observed issue types for a domain over a 13-week (91-day) rolling window. Based on this data, it assigns one of the following breach susceptibility categories:
- Very Low
- Low
- Average
- High
- Very High
How the BSI performs
SecurityScorecard measures the predictive performance of the BSI using a lift chart that compares the breach rate for each BSI score decile against the average breach rate across all companies.
In the current model, companies in the highest-risk decile experience breaches at roughly 17 times the average rate. This represents an improvement over the prior model, in which the highest-risk decile reached about 13 times the average rate.
What the BSI considers
The BSI evaluates the size of a company's digital footprint alongside the security issues observed across its domains and IP addresses. For each issue type, the model uses both the raw observed value and a normalized z-score (relative to comparable IP and domain groupings), so it can weigh both absolute exposure and exposure relative to peers.
The model considers signals across the following areas:
- Network and infrastructure: digital footprint size (number of IP addresses), cloud provider services, exposed MySQL services, and use of GoDaddy infrastructure.
- Web and application security: domains missing HTTPS, weak TLS protocols, weak TLS ciphers, unsafe Content Security Policy (CSP), unsafe implementation of Subresource Integrity (SRI), incorrectly configured X-Content-Type-Options headers, and websites that emit browser console errors.
- Credential and data exposure: compromised credentials, historical compromised credentials, and exposed personal information.
The model also considers Common Weakness Enumeration (CWE) categories. A CWE is a category that groups related Common Vulnerabilities and Exposures (CVEs), and SecurityScorecard maps observed CVEs to their CWE categories using CVEDetails. The model includes 20 of the most breach-relevant CWE categories, which lets it account for the types of underlying weaknesses present in a company's environment rather than individual vulnerabilities alone.
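As an added illustration (not SecurityScorecard's code) of the raw-plus-z-score feature pairing described above: each company's issue counts, assumed to be already aggregated over the 91-day window, are kept as-is and also standardized against the companies in the same footprint-size grouping. The companies, groupings and counts are constructed sample data.

```python
"""Added example: raw issue counts paired with peer-relative z-scores."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: per-company issue counts over the rolling window, with a
# peer grouping by digital footprint size (the grouping labels are assumptions).
OBSERVATIONS = {
    "alpha": {"group": "small", "exposed_mysql": 3, "missing_https": 4},
    "beta":  {"group": "small", "exposed_mysql": 0, "missing_https": 1},
    "gamma": {"group": "small", "exposed_mysql": 1, "missing_https": 2},
    "delta": {"group": "large", "exposed_mysql": 3, "missing_https": 40},
    "eps":   {"group": "large", "exposed_mysql": 8, "missing_https": 60},
    "zeta":  {"group": "large", "exposed_mysql": 10, "missing_https": 50},
}
ISSUE_TYPES = ("exposed_mysql", "missing_https")


def build_features(observations, issue_types=ISSUE_TYPES):
    """Return {company: {issue_raw: count, issue_z: z}} where z is computed
    against the mean and population std-dev of the company's own peer group.
    A group whose members all have the same count gets z = 0.0 for that issue."""
    members = defaultdict(list)
    for name, obs in observations.items():
        members[obs["group"]].append(name)

    # Per (group, issue) statistics, computed once.
    stats = {}
    for group, names in members.items():
        for issue in issue_types:
            values = [observations[n][issue] for n in names]
            stats[(group, issue)] = (mean(values), pstdev(values))

    features = {}
    for name, obs in observations.items():
        row = {}
        for issue in issue_types:
            mu, sigma = stats[(obs["group"], issue)]
            raw = obs[issue]
            row[f"{issue}_raw"] = raw
            row[f"{issue}_z"] = (raw - mu) / sigma if sigma else 0.0
        features[name] = row
    return features


if __name__ == "__main__":
    for company, row in build_features(OBSERVATIONS).items():
        print(company, {k: round(v, 3) for k, v in row.items()})
```

Note that "alpha" and "delta" share the same raw count of exposed MySQL services, yet "alpha" scores above its small-footprint peers while "delta" scores below its large-footprint peers, which is exactly the distinction the second feature captures.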
Understanding the categories
The Breach Susceptibility categories indicate a domain’s relative likelihood of experiencing a security breach, based on patterns observed across similar domains.
A domain rated Very High does not imply that a breach is imminent. Rather, it indicates that the domain’s issue profile is highly correlated with those of domains that have experienced breaches in the past. Domains rated High or Average show progressively weaker correlations, while a Very Low rating indicates that the observed issue profile is least similar to those historically associated with breaches.
How the Breach Susceptibility Indicator compares to other metrics
The Breach Susceptibility Indicator is designed to complement other SecurityScorecard metrics. Understanding how it differs from the Security Score and MAX Incident Likelihood helps clarify when and how to use each metric.
Breach Susceptibility vs. Security Score
The Security Score is designed to fairly rate the presence and remediation of security and hygiene issues across organizations of different sizes. It updates immediately as issues are remediated, giving near-real-time feedback on your own performance and that of your vendors in addressing issues as they are discovered.
The BSI, by contrast, is optimized solely for predictive accuracy. It is not constrained by size-fairness requirements and may account for issues that were recently remediated when their historical presence has been shown to correlate with future breach risk.
Breach Susceptibility Indicator vs. MAX Incident Likelihood assessment
The Breach Susceptibility Indicator and MAX Incident Likelihood assessment both estimate the likelihood of a security event, but they differ in scope, methodology, and actionability.
MAX Incident Likelihood assessments are based on indicators curated through Digital Forensics and Incident Response (DFIR) expertise, account for residual and nth-party supply chain risks, use the broader NIST definition of an incident, and weigh all indicators equally. They include a prioritized improvement plan, with issue resolution reflected in the rating after six months. This timeframe is intentional, emphasizing the importance of consistently maintaining good security practices. Prioritization is performed in collaboration with customers and vendors as part of the managed service, and the assessment is available exclusively in the MAX service.
The Breach Susceptibility Indicator, on the other hand, considers all issue types observed within the last 91 days for an organization on the SecurityScorecard platform and uses machine learning to determine the organization's overall likelihood of a breach. It updates daily, does not provide by-issue guidance, and is visible to all users.
As a result, the BSI is better suited for broad, directional risk analysis, while MAX Incident Likelihood assessments are more useful for identifying specific risk management requirements. Both metrics complement the Security Score by providing additional context on organizational risk.
How can I change my breach susceptibility rating?
The Breach Susceptibility Indicator is recalculated daily using a model distinct from that used for the Security Score. While remediating issues does not always produce immediate changes, reducing the number and severity of observed issues generally improves breach susceptibility over time.
Because the BSI considers historical patterns associated with breach events, sustained improvements in security posture are the most influential factor.