
Research Paper Validates Security Ratings’ Correlation to Likelihood of Breach

Alex Campanelli | June 26, 2019

This spring, the research paper titled “Risky Business: Assessing Security with External Measurements” was published on Cornell’s academic resource site. Authored by former BitSight data scientist Jay Jacobs, together with fellow academics Stephanie Forrest and Benjamin Edwards, the paper presents research correlating security ratings with the incidence of a breach. It demonstrates how an organization’s security practices can be measured externally and how those practices can be linked to observed security problems. Using statistical analysis, the authors then study the correlation between risk vectors and botnet infections. The paper argues that this information is sufficient to assess the security maturity of an organization using only externally available information.

BitSight was founded in 2011 out of a research project to understand which objective and verifiable vectors were most correlated with the likelihood of a breach, and how their impact could be measured. Since then we have consistently invested in delivering security ratings with the greatest depth and breadth to help organizations operating around the globe manage risk. This research validates that investment.

We follow a rigorous, multi-month research and evaluation process for each new data source to qualify its accuracy and reliability. In addition to the data on compromised systems gleaned from our proprietary sinkholing infrastructure, regarded as the largest in the world, our team also develops strategic partnerships with global data providers to increase the diversity of perspectives that inform corporate, industrial, and sovereign security risk.

BitSight is committed to providing ratings that leverage objective data, as covered in this research paper. In order to accomplish this, we have invested in the right technology, process and people to ensure that the ratings available in our security ratings platform are, without a doubt, the best and most accurate in the industry.

Read "Risky Business: Assessing Security with External Measurements" here.
