- April 19, 2023: Launched.
- January 4, 2022: Launch date set.
- December 14, 2022: Detailed scope of changes.
This article explains all the changes to the Bitsight ratings algorithm that are part of the 2023 ratings algorithm update (RAU 2023). Refer to the frequently asked questions to learn why we update our ratings algorithm and how these changes might affect you.
Changes to the Bitsight Ratings Algorithm
RAU 2023 includes the following changes:
- Risk Vector Weights
- Rounding Method of Ratings and Risk Vector Grades
- Lifetime of Security Incidents/Breach
- Grading of Diligence Risk Vectors with No Findings
- Rating Drops Due to a Single Finding
Risk Vector Weights
The weight of a risk vector is how much the risk vector grade influences the overall Bitsight rating. Weight does not affect individual risk vector letter grades (A to F).
We adjust risk vector weights to better reflect the influence of each security domain in the overall posture of an organization. Learn why we update the ratings algorithm.
Seven risk vectors in the Diligence category are increasing in weight–most notably Patching Cadence. The remaining Diligence risk vectors are not changing weight. The weight of the Diligence risk category is increasing from 40% to 70.5%. The weight of the Compromised Systems category is decreasing from 50% to 27%, and the User Behavior category is decreasing from 10% to 2.5%.
The following table shows the risk vector weights before and after RAU 2023:
|Risk Category||Risk Vector||Current (before RAU 2023)||After RAU 2023|
|Botnet Infections||Risk vectors in the Compromised Systems category are weighted collectively as a category. Weights are not assigned to the individual risk vectors.|
|SPF Domains||1%||No change|
|DKIM Records||1%||No change|
|Open Ports||10%||No change|
|Web Application Headers||3%||5%|
|Server Software||2%||No change|
|Mobile Application Security||0%||No change|
|Domain Squatting||0%||No change|
|Exposed Credentials||0%||No change|
|Public Disclosures||No change. Public Disclosures may impact the Bitsight rating, but risk vectors in this category do not have a fixed weight.|
Rounding Method of Ratings and Risk Vector Grades
We improved our rounding method to reduce unexpected ratings changes and to address situations where rounding would lead to an excess drop. This change applies to all risk vectors.
Lifetime of Security Incidents/Breaches
Individual events in the Security Incidents/Breaches risk vector will no longer have any impact on ratings after two years. Currently (before RAU 2023), these events continue to have a tiny impact for a long time, which can affect companies with a near perfect risk vector grade. See How is the Security Incidents Risk Vector Assessed?
Grading of Diligence Risk Vectors with No Findings
In the updated algorithm (RAU 2023), Diligence risk vectors will keep their latest grade for up to 400 days if we are temporarily unable to collect data associated with the risk vector. Currently (before RAU 2023), when we temporarily are not able to re-find data about a specific asset, the risk vector grade changes to its default, which could lead to a significant rating change.
Rating Drops Due to a Single Finding
As part of the previous algorithm update (RAU 2021), we limited rating drops due to a single Open Ports finding. For RAU 2023, we will extend that rule to most of the other Diligence risk vectors. This limit now applies to Open Ports, TLS/SSL Configurations, TLS/SSL Certificates, SPF Domains, DKIM Records, Web Application Headers, Desktop Software, Mobile Software, and Server Software.