Research Paper Validates Security Ratings’ Correlation to Likelihood of Breach

Alex Campanelli | June 26, 2019

This spring, the research paper titled “Risky Business: Assessing Security with External Measurements” was published on Cornell’s academic resource site. Authored by former BitSight data scientist Jay Jacobs and fellow academics Stephanie Forrest and Benjamin Edwards, the paper presents research correlating security ratings with the incidence of a breach. It demonstrates how an organization’s security practices can be measured externally and how these practices can be linked to observed security problems. Using statistical analysis, the authors then study the correlation between risk vectors and botnet infections. The paper argues that this information is sufficient to assess the security maturity of an organization using only externally available information.

BitSight was founded in 2011 out of a research project to understand which objective and verifiable vectors were most correlated to the likelihood of a breach, and how their impact could be measured. Since that time we have consistently invested in delivering security ratings with the greatest depth and breadth to help organizations operating around the globe manage risk. This research validates that.

We follow a rigorous, multi-month research and evaluation process for each new data source to qualify its accuracy and reliability. In addition to the data on compromised systems gleaned from our proprietary sinkholing infrastructure, regarded as the largest in the world, our team also develops strategic partnerships with global data providers to increase the diversity of perspectives that inform corporate, industrial, and sovereign security risk.

BitSight is committed to providing ratings that leverage objective data, as covered in this research paper. In order to accomplish this, we have invested in the right technology, process and people to ensure that the ratings available in our security ratings platform are, without a doubt, the best and most accurate in the industry.

Read "Risky Business: Assessing Security with External Measurements" here.
