The 2024 Ratings Algorithm Update (RAU) took place on July 10, 2024. It decreased the lifetime of remediated findings for the Patching Cadence risk vector from 300 days to 90 days. Patching Cadence findings stop impacting the rating 210 days sooner than with the previous algorithm.
The Patching Cadence risk vector remains otherwise unchanged and continues to constitute a 20% weight (out of the 70.5% Diligence risk category weight) towards the overall Bitsight rating.
About the Patching Cadence Lifetime
Patching Cadence measures how long, on average, known vulnerabilities remain unpatched. Once a vulnerability is detected as patched, the finding begins to decay and loses its impact on the risk vector and the overall rating over a period of time. The period during which a Patching Cadence finding has been identified as remediated but still impacts the rating is called its “lifetime.”
Frequently Asked Questions
- Why is the ratings algorithm updated?
- How are Bitsight Security Ratings affected by an algorithm update?
- What are the 2024 Bitsight ratings algorithm changes?
- How are Bitsight Security Ratings affected by the 2024 rating algorithm update?
- How is Bitsight now able to shorten the Patching Cadence lifetime?
Why is the ratings algorithm updated?
We believe that continuous improvements in the correlation between the Bitsight Rating and negative security events, such as ransomware and cyber breaches, enable organizations to better manage the performance of cybersecurity controls inside their own organization and across their vendors’ ecosystems.
To make the Bitsight Security Rating more valuable, accurate, and actionable, we periodically update our ratings algorithm. We use internal and external research data to improve the correlation of the rating with real-world cybersecurity incidents and to better align the rating with the cyber threat landscape. These updates ensure that the Bitsight Security Rating is the best external indicator of the performance of cybersecurity controls.
Algorithm updates are a common practice across rating industries. Updates allow us to adapt as the cybersecurity landscape evolves. Currently, several forces affect the landscape and create additional cyber risk for every organization:
- The growing digital footprint of organizations, driven by recent investments in digital transformation.
- A rise in the scope and scale of cyber attacks.
- Increasing efforts by threat actors to monetize cyber attacks.
- Increasing oversight from capital markets and regulators.
Research studies conducted during 2021 and throughout 2022 provided a path for improving the correlation of the Bitsight Rating with cybersecurity incidents. We analyzed the correlation of the Bitsight rating and a subset of Bitsight risk vectors with ransomware incidents. In addition, an external study published by the Marsh McLennan Cyber Risk Analytics Center found 14 Bitsight analytics to be significantly correlated with cyber incidents. We update the rating algorithm to ensure that the rating continues to be the best possible external indicator of the performance of companies’ cybersecurity controls.
How are Bitsight Security Ratings affected by an algorithm update?
The Bitsight Rating is essentially a weighted average of the individual risk vector grades. This average combines the weights and grades for each of the risk vectors to determine the rating. The risk vectors with high grades improve your Bitsight rating, while the risk vectors with lower grades hurt your Bitsight rating. Likewise, risk vectors with greater weight have a greater influence on your Bitsight rating.
With this in mind, a change in the ratings algorithm can cause your Bitsight rating to drop for the following reasons:
- A change in the ratings algorithm decreases the weight of one of your higher-scoring risk vectors.
- A change in the ratings algorithm increases the weight of one of your lowest-scoring risk vectors.
- A change in the ratings algorithm lowers one or more of your risk vector grades.
In 2023, the rating algorithm update changed how certain risk vectors are weighted in the overall rating calculation and made a few other changes (rounding, security incident/breach lifetime, grading Diligence risk vectors with insufficient data, and rating drops due to a single finding). These changes directly increased the Bitsight rating’s correlation with the likelihood of cybersecurity incidents.
What are the 2024 Bitsight ratings algorithm changes?
The Patching Cadence lifetime is shortened from 300 days to 90 days.
How are Bitsight Security Ratings affected by the 2024 rating algorithm update?
The 2024 RAU can be seen at three levels: findings, the Patching Cadence risk vector grade, and the overall Bitsight rating:
- Findings – This update cannot cause the number of Patching Cadence findings to increase, and it cannot impact individual finding grades.
  - The number of Patching Cadence findings is reduced for most companies.
  - There is no difference in the number of findings for others.
- Patching Cadence grade – Both risk vector grade increases and decreases are possible since the grade reflects an average time-to-patch across both remediated and unremediated findings. This update may increase, decrease, or have no impact on the Patching Cadence risk vector grade even if your company has fewer Patching Cadence findings with the update.
- Overall rating – If there is any change in the Patching Cadence grade, it impacts the overall Bitsight rating since this risk vector is responsible for 20% of the weight of the overall Bitsight rating. This may be an increase or decrease. Some companies may not experience any change.
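The following worked example is added here to make the three levels concrete; it is not Bitsight's code, and the page does not publish the actual algorithm. It models a remediated finding's lifetime as a hard window (the page describes a decay over the lifetime without giving the curve, so the cut-off is an assumption), uses the mean days-to-patch across active findings as a stand-in for the Patching Cadence grade (also an assumption), and runs two constructed companies with placeholder finding labels through the 300-day and 90-day lifetimes as of the July 10, 2024 update date. Company A's finding count drops and its average worsens, while company B's finding count drops and its average improves, which is why the update can move the grade in either direction.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Date of the 2024 Ratings Algorithm Update, taken from the page.
AS_OF = date(2024, 7, 10)
OLD_LIFETIME_DAYS = 300
NEW_LIFETIME_DAYS = 90


@dataclass(frozen=True)
class Finding:
    """One Patching Cadence finding: when the vulnerable service was first
    observed and, if it has been patched, when the patch was detected."""
    label: str                  # constructed placeholder, not a real CVE id
    first_seen: date
    remediated: Optional[date]  # None while the vulnerability is still open


def active_findings(findings, as_of, lifetime_days):
    """Findings that still count toward the risk vector on `as_of`.

    Open findings always count. A remediated finding counts only while its
    remediation is younger than the lifetime. The page says remediated
    findings decay over the lifetime without giving the curve, so this model
    uses a hard cut-off (modelling assumption, not Bitsight's method)."""
    window = timedelta(days=lifetime_days)
    return [f for f in findings
            if f.remediated is None or (as_of - f.remediated) < window]


def mean_days_to_patch(findings, as_of, lifetime_days):
    """Average time-to-patch over active findings, in days (grade proxy).

    Open findings are measured up to `as_of`, which is why they can dominate
    once old, quickly patched findings drop out of the window. Returns None
    when no finding is active."""
    active = active_findings(findings, as_of, lifetime_days)
    if not active:
        return None
    total = sum(((f.remediated or as_of) - f.first_seen).days for f in active)
    return total / len(active)


def compare_lifetimes(findings, as_of=AS_OF,
                      old=OLD_LIFETIME_DAYS, new=NEW_LIFETIME_DAYS):
    """Finding count and mean days-to-patch under the old and new lifetime."""
    return {
        name: {
            "findings": len(active_findings(findings, as_of, days)),
            "mean_days": mean_days_to_patch(findings, as_of, days),
        }
        for name, days in (("old", old), ("new", new))
    }


# Constructed sample data. Company A patched two older findings quickly but
# has one recent finding still open; company B patched one older finding
# slowly and two recent ones quickly. Ages are relative to AS_OF.
COMPANY_A = [
    Finding("A-1", date(2023, 10, 1), date(2023, 10, 11)),  # 10 days, patched 273 days ago
    Finding("A-2", date(2023, 12, 1), date(2023, 12, 21)),  # 20 days, patched 202 days ago
    Finding("A-3", date(2024, 4, 29), None),                # still open, 72 days so far
]
COMPANY_B = [
    Finding("B-1", date(2023, 9, 1), date(2024, 1, 11)),    # 132 days, patched 181 days ago
    Finding("B-2", date(2024, 6, 1), date(2024, 6, 11)),    # 10 days, patched 29 days ago
    Finding("B-3", date(2024, 6, 15), date(2024, 6, 29)),   # 14 days, patched 11 days ago
]

if __name__ == "__main__":
    for name, findings in (("Company A", COMPANY_A), ("Company B", COMPANY_B)):
        print(name, compare_lifetimes(findings))
```

Under the 300-day window both companies carry three findings; under the 90-day window company A keeps only its open finding, so its average rises from 34 to 72 days, while company B keeps only its two quick patches, so its average falls from 52 to 12 days. In neither case does the shorter window add a finding.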
How is Bitsight now able to shorten the Patching Cadence lifetime?
The Patching Cadence risk vector is a longitudinal measure: it indicates how long, on average, companies take to remediate detected vulnerabilities. For this reason, Patching Cadence’s lifetime is longer than the lifetimes of other Diligence risk vectors, so that the mean remediation time of vulnerabilities can be estimated accurately. The window of time that we use to look at this performance is directly influenced by how much data is available to us. We aim to make this window as short as possible while retaining a high correlation between the Patching Cadence risk vector grade and a company’s likelihood of experiencing a negative outcome (e.g., a breach).
Recent investments in proprietary vulnerability research capabilities have enabled Bitsight to increase the rate at which we detect and include CVEs (common vulnerabilities and exposures). We increased our vulnerability coverage by around 30% in 2023. This increase in coverage means that the algorithm’s correlation to breach remains strong despite the shorter lifetime period.
- July 10, 2024: The ratings algorithm is updated.
- June 5, 2024: Linked to Ratings Algorithm Information Center.
- March 26, 2024: Rescheduled release date.