This spring, the research paper titled “Risky Business: Assessing Security with External Measurements” was published on Cornell’s academic resource site. Authored by former BitSight data scientist Jay Jacobs, as well as fellow academics Stephanie Forrest and Benjamin Edwards, this paper highlights the research done to correlate security ratings with the incidence of a breach. The paper demonstrates how an organization’s security practices can be measured externally and how these practices can be linked to observed security problems. Using statistical analysis, the authors then study the correlation between risk vectors and botnet infections. The paper argues that this information is sufficient to assess the security maturity of an organization using only externally available information.
BitSight was founded in 2011 out of a research project to understand which objective and verifiable vectors were most correlated with the likelihood of a breach, and how their impact could be measured. Since that time, we have consistently invested in delivering security ratings with the greatest depth and breadth to help organizations operating around the globe manage risk. This research validates that.
We follow a rigorous, multi-month research and evaluation process for each new data source to qualify its accuracy and reliability. In addition to the data on compromised systems gleaned from our proprietary sinkholing infrastructure, regarded as the largest in the world, our team also develops strategic partnerships with global data providers to increase the diversity of perspectives that inform corporate, industrial, and sovereign security risk.
BitSight is committed to providing ratings that leverage objective data, as covered in this research paper. In order to accomplish this, we have invested in the right technology, process and people to ensure that the ratings available in our security ratings platform are, without a doubt, the best and most accurate in the industry.