Your Scorecard rating reflects your organization's security posture and is an objective, data-driven, and quantifiable measure of its overall cybersecurity performance. Your letter grade (A through F) and the numeric score to which the grade is mapped (100 through 0) correspond to the likelihood of your organization sustaining a breach.
Scorecard ratings help organizations manage internal and third-party cyber risk. Some of the top benefits of these ratings include :
- Continuously monitoring the cyberhealth of your entire ecosystem
- Gaining insight into the cyber posture and security practices of your organization and partner organizations
- Accelerating business opportunities and partnerships
- Providing security assurance to existing and potential customers
- Realizing enhanced data protection
- Benchmarking security progress and comparing to industry performance
- Providing transparency to organizational stakeholders
The lower the score, the greater the likelihood. An organization with an F grade (score of 60 or lower) is statistically 13.8 times more likely to sustain a breach than an organization with an A (score of 90 to 100).
For details on how our scoring works, see our Scoring Methodology Whitepaper.
Issues: The main components of your scores
Your score shows the security issues we find in your organization's internet-facing assets, along with other factors in our scoring methodology.
Issue types
We discover security issues in your exposed network assets during our recurring internet scans. You can view these on the Issues tab of your Scorecard. Each issue type may include multiple findings on your Scorecard, or instances where we observed the issue, for example, on different IP addresses.
Each of these issue types has a High, Medium, or Low severity level, which reflects the degree of risk to your organization.
These severity levels, in turn, have varying weights, or degrees of negative impact on your score, from High (greatest impact) to Low (least impact).
Note: Some issue types do not impact your score. Positive issues highlight healthy security practices that can mitigate risk. Informational issue types identify areas of risk worth inspection. Over time, we may assign score-impacting severity levels to certain Informational issue types, as noted in our scoring updates.
Factors
Every issue type that appears on your Scorecard is grouped within one of 10 factors, including Network Security, DNS Health, Patching Cadence, Endpoint Security, IP Reputation, Application Security, Cubit Score, Hacker Chatter, Information Leak, and Social Engineering. These are the categories of cyber risk and protection that SecurityScorecard uses to assess and score your organization’s security resilience. Each factor has a numerical score that reflects the severity or risk it contributes to the overall cybersecurity posture.
Factor score calculation is based on the severity and quantity of issues or findings associated with the factor.
Operations that contribute to the calculation of your scores
The calculation of scores follows, and is informed by, a sequence of three major operations that produce the issue findings in your Scorecard.
- Signal collection
- Attribution
- Signal analysis
Signal collection
We scan the entire IPv4 web space, more than 3.9 billion routable IP addresses, every 10 days across more than 1,400 ports.
Note: We scan cloud assets multiple times daily because they change ownership so frequently.
Our in-house global internet scanning framework collects all the information that threat actors would see as they search for attack targets:
- IP addresses
- Exposed port mappings
- Fingerprints of services, products, libraries, operating systems, devices, and other internet-exposed resources, including version numbers
- Common Platform Enumeration (CPE) IDs
- Common Vulnerability Enumeration (CVE) Version 2 IDs
- Script output from Nmap, the open-source scanner that is one of the components of our own scanning framework.
Additionally, we monitor signals across the internet using a network of sensors spanning three continents. We operate one of the world’s largest networks of sinkholes and honeypots to capture malware signals and further enrich our dataset by leveraging commercial and open-source intelligence.
We supplement our data collection with external feeds from public and commercial data sources. These additional data-gathering methods help produce issue types related to leaked data.
Attribution
At this stage, we associate the collected signals with IPs or related domains, then match them to an organization based on its digital footprint. We use a number of reliable sources, such as DNS lookups, to make attribution as accurate as possible.
We also encourage you to validate these attributions by claiming and refuting assets, and by adding them to the digital footprint.
Analysis of signals
We used a suite of analytics tools developed by our threat researchers, data scientists, and engineers to derive issue findings and other key insights from the signals we collect. Examples of analysis include:
- Identification of malware strains and characterization of their behavior and threat level
- Identification of CVEs and other vulnerabilities based on examination of digital asset identification in HTTP header data, website code bases, communication protocols, secure socket layer (SSL) certifications, and more
We also apply machine-learning algorithms to improve the quality and accuracy of security findings and provide key insights on security posture.
Our scoring methodology
Issue types are primary components of your score calculation, but other important considerations and adjustments help ensure that the calculation is as fair and accurate as possible.
Size normalization
A small or mid-size organization has fewer IPs than a large enterprise, so it has fewer issue types. That does not mean it is more secure than the enterprise.
Our scoring methodology uses a logarithmic scale, where each increment corresponds to a multiple of 10. Richter and decibel scales are based on similar approaches. For each issue type, we generate scatter plots in which each organization we score (more than 12 million) is represented as a point, showing how the number of occurrences of a given issue varies with organization size.
For example, one organization has three findings for the DNS open resolver issue type. Based on our analysis of more than 12 million organizations, only 12 percent of organizations of comparable size have this security flaw. And among those organizations, the average number of findings is 2, while this organization has 3, which is worse than average.
Calibration
We apply a calibration algorithm to each scored issue type, using two months of collected data to smooth out statistical fluctuations. This ensures fair performance comparisons for organizations of similar size.
Calculation of issue, factor, and overall scores
We calculate scores for issues using a modified "z-score”, where z = 0 if no findings are present, while z = 1 when the number of findings equals the mean for organizations with the same size Digital Footprint.
To calculate each factor score, we first compute the raw total score by summing the z-scores for issue findings, each multiplied by its weight.
After calculating the raw total score, we scale it based on the expected distribution of issue-finding counts. We want to fairly score an organization by comparing it to others with similar Digital Footprint sizes. Informational and positive issues do not contribute to the score.
Breach penalties
For the scoring impact of breach penalties, see Understand how breaches affect your score.
Updates and recalibrations
We update factor and total scores daily. We also calculate and update modified z-scores daily for every organization and issue type on the SecurityScorecard platform. This ensures inherently low score volatility. If an organization's digital footprint and issue counts remain stable, its security score will remain unchanged.
Additionally, SecurityScorecard recalibrates its scoring algorithm every quarter.
We maintain a regular scoring update cadence to keep cybersecurity risk ratings fair in a dynamic threat environment and to introduce new issue types as needed, so you stay better informed about threats to your organization and vendor ecosystem.
Validation
SecurityScorecard’s scoring algorithm has passed rigorous internal verification and validation testing, in which we determine whether its outputs conform to the inputs. We subject the algorithm to a battery of statistical tests, including edge cases, to verify its accuracy and stability.
This testing determines whether the scoring algorithm meets its intended use as a cybersecurity risk assessment tool, i.e., whether low scores correlate with a higher likelihood of an adverse event.