Research Paper Validates Security Ratings’ Correlation to Likelihood of Breach

Alex Campanelli | June 26, 2019

This spring, the research paper titled “Risky Business: Assessing Security with External Measurements” was posted on arXiv, the preprint repository hosted by Cornell. Authored by former BitSight data scientist Jay Jacobs together with academics Stephanie Forrest and Benjamin Edwards, the paper presents research correlating security ratings with the incidence of a breach. It shows how an organization’s security practices can be measured externally and how those measurements can be linked to observed security problems. Using statistical analysis, the authors study the correlation between risk vectors and botnet infections, and argue that externally observable information alone is sufficient to assess the security maturity of an organization.

BitSight was founded in 2011 out of a research project to understand which objective and verifiable vectors were most strongly correlated with the likelihood of a breach, and how their impact could be measured. Since then we have consistently invested in delivering security ratings with the greatest depth and breadth to help organizations around the globe manage risk. This research validates that approach.

We follow a rigorous, multi-month research and evaluation process for each new data source to qualify its accuracy and reliability. In addition to the data on compromised systems gleaned from our proprietary sinkholing infrastructure, regarded as the largest in the world, our team develops strategic partnerships with global data providers to increase the diversity of perspectives that inform corporate, industrial, and sovereign security risk.

BitSight is committed to providing ratings that leverage objective data, as covered in this research paper. In order to accomplish this, we have invested in the right technology, process and people to ensure that the ratings available in our security ratings platform are, without a doubt, the best and most accurate in the industry.

Read "Risky Business: Assessing Security with External Measurements" here.
