Today we are announcing updates to the Bitsight ratings algorithm. Bitsight is committed to creating the most meaningful, trustworthy, and actionable security ratings and analytics in the marketplace. As part of this commitment, we periodically make updates to our ratings algorithm based on new data observations and capabilities, internal and external research, and market feedback.
For this year’s update, we have made several adjustments, including modifying the weights of several risk vectors. We believe these adjustments will continue to provide Bitsight users the best external indicator of the performance of cybersecurity controls.
In this blog, we take a deeper look at what changed and why.
Why do organizations need cybersecurity ratings and analytics?
Waves of change are constantly disrupting cybersecurity stability: digital infrastructures keep expanding, work models evolve, and businesses are increasingly intertwined digitally. With more people and locations expanding the attack surface, and exposure to ever more sophisticated bad actors, this instability will only get worse, increasing the number and complexity of the cybersecurity challenges organizations face.
Cyber risk is now a global issue and erodes trust across interconnected global markets, limiting opportunities, creating business disruption and financial loss, damaging brand reputation, and leaving capital markets in the dark. Bitsight’s ratings and analytics help organizations answer today’s toughest cyber risk questions: Are we correctly prioritizing spend to reduce our cyber risk? How do we compare to our peers? How much risk do we want to take on?
To enable our customers to make informed business decisions about cyber risk, Bitsight provides ratings and analytics that are empirical, objective, and strongly correlated with outcomes (including security incidents).
What is the Bitsight Ratings Algorithm?
The Bitsight ratings algorithm is the methodology and parameters we use to calculate the Bitsight Security Rating. Our algorithm supports trustworthy, data-driven, and dynamic measurements of organizational cybersecurity performance derived from objective, verifiable information that helps teams understand their security performance and that of their vendors.
Organizations around the world use the Bitsight Security Rating as a universal metric for interpreting cyber risk, so they can expand their ecosystems without losing sight of the attack surface that growth brings. The rating achieves this by mapping observed signals to the internal and external entities that are relevant to the business, interpreting those signals to assess cyber risk, and processing the data into meaningful insights.
We are proud to empower our customers with unparalleled insights, and we are confident that this ratings algorithm update will make the Bitsight Security Rating even more vital for making data-driven decisions.
How does Bitsight decide what to update?
To make the Bitsight Security Rating more valuable and actionable, we periodically update our ratings algorithm. We use internal and external research data to improve the correlation of the rating with real-world cybersecurity incidents and to better align the rating with the cyber threat landscape.
As the cybersecurity and threat landscapes evolve, we research which risk factors show the strongest correlation with negative outcomes. Updates to the algorithm reflect this research and go through a rigorous process of testing and validation.
We follow a detailed process whenever we update our ratings algorithm, and changes are reviewed by our Policy Review Board to confirm that they adhere to our principles and policies. We also always give users a preview of the changes, and of their likely impact on ratings, well before the changes affect live ratings.
What’s new in the latest Bitsight ratings algorithm update?
This update changes the weight of multiple risk vectors, including a large increase in the weight of the Patching Cadence vector. The update also includes changes that will reduce the volatility of small entity ratings and will make the algorithm easier to understand.
The changes occur primarily in the following categories:
- Risk Vector Weights
- Rounding Method of Ratings and Risk Vector Grades
- Lifetime of Security Incidents/Breaches
- Grading of Diligence Risk Vectors with No Findings
- Rating Drops Due to a Single Finding
Risk vector weights
We adjusted risk vector weights to better reflect the relevance of each security domain in the overall security posture of organizations.
Seven risk vectors in the Diligence category are increasing in weight, most notably Patching Cadence (the time between a patch becoming available and its being implemented). The weight of the Diligence risk category as a whole is increasing significantly. By contrast, the weights of the Compromised Systems category and the User Behavior category are decreasing.
This rebalanced weighting aligns with internal and external research studies on ransomware and cybersecurity incidents. Research studies conducted during 2021 and 2022 provided a path for improving the correlation of the Bitsight Security Rating with cybersecurity incidents. We analyzed the correlation of the Bitsight Security Rating, and of a subset of Bitsight risk vectors, with ransomware incidents. We found that organizations with a rating lower than 600 are 6.4 times more likely, and organizations with a rating between 600 and 650 are 4.6 times more likely, to be a ransomware victim, compared with the benchmark of organizations with a rating of 750 or higher. In addition, an external study published by the Marsh McLennan Cyber Risk Analytics Center found 14 Bitsight analytics to be significantly correlated with cyber incidents.
Rounding method of ratings and risk vector grades
We improved our rounding method to reduce unexpected rating changes and to address situations where rounding would lead to an excessive drop. This change applies to all risk vectors.
Lifetime of security incidents/breaches
Individual events in the Security Incidents/Breaches risk vector will no longer have any impact on ratings after the end of their lifetime. Before this update, these events continued to have a small impact for a long time, which could affect companies with a near-perfect risk vector grade.
Grading of diligence risk vectors with no findings
Prior to this update, Diligence risk vector grades would revert to their default when we were temporarily unable to re-observe data about a specific asset, which could lead to a significant rating change. Now, Diligence risk vectors will keep their most recent grade for longer if we are temporarily unable to collect the data associated with the risk vector.
Rating drops due to a single finding
As part of the previous algorithm update in 2021, we limited rating drops caused by a single Open Ports finding. With this update, we extend that rule to most of the other Diligence risk vectors.
This limit now applies to:
- Open Ports
- TLS/SSL Configurations
- TLS/SSL Certificates
- SPF Domains
- DKIM Records
- Web Application Headers
- Desktop Software
- Mobile Software
- Server Software
Learn more about the Bitsight Security Rating
If you would like to learn more about your organization’s Bitsight Security Rating or to read more about our methodology, visit our Trust and Transparency page.