- Why is the ratings algorithm updated?
- How are Bitsight Security Ratings affected by an algorithm update?
- What are the 2024 Bitsight ratings algorithm changes?
- How will my rating change when the ratings algorithm is updated?
- How is Bitsight now able to shorten the Patching Cadence lifetime?
- How should I prepare for the changes to the algorithm?
Why is the ratings algorithm updated?
We believe that continuous improvements in the correlation between the Bitsight Rating and negative security events, such as ransomware and cyber breaches, enable organizations to better manage the performance of cybersecurity controls inside their own organization and across their vendors’ ecosystems.
To make the Bitsight Security Rating more valuable, accurate, and actionable, we periodically update our ratings algorithm. We use internal and external research data to improve the correlation of the rating with real-world cybersecurity incidents and to better align the rating with the cyber threat landscape. These updates ensure that the Bitsight Security Rating is the best external indicator of the performance of cybersecurity controls.
Algorithm updates are a common practice across rating industries. Updates allow us to adapt as the cybersecurity landscape evolves. Currently, several forces affect the landscape and create additional cyber risk for every organization:
- The growing digital footprint of organizations, driven by recent investments in digital transformation.
- A rise in the scope and scale of cyber attacks.
- Increasing efforts by threat actors to monetize cyber attacks.
- Increasing oversight from capital markets and regulators.
Research studies conducted during 2021 and throughout 2022 provided a path for improving the correlation of the Bitsight Rating with cybersecurity incidents. We analyzed the correlation of the Bitsight rating and a subset of Bitsight risk vectors with ransomware incidents. In addition, an external study published by the Marsh McLennan Cyber Risk Analytics Center found 14 Bitsight analytics to be significantly correlated with cyber incidents. We update the rating algorithm to ensure that the rating continues to be the best possible external indicator of the performance of companies’ cybersecurity controls.
How are Bitsight Security Ratings affected by an algorithm update?
The Bitsight Rating is essentially a weighted average of the individual risk vector grades: each risk vector’s grade is combined with its weight to determine the rating. Risk vectors with high grades improve your Bitsight rating, while risk vectors with lower grades hurt your Bitsight rating. Likewise, risk vectors with greater weight have a greater influence on your Bitsight rating.
With this in mind, a change in the ratings algorithm can cause your Bitsight rating to drop for the following reasons:
- A change in the ratings algorithm decreases the weight of one of your higher-scoring risk vectors.
- A change in the ratings algorithm increases the weight of one of your lowest-scoring risk vectors.
- A change in the ratings algorithm lowers one or more of your risk vector grades.
In 2023, the ratings algorithm update changed how certain risk vectors are weighted in the overall rating calculation and made a few other changes (rounding, security incident/breach lifetime, grading Diligence risk vectors with no findings, and rating drops due to a single finding). These changes directly increased the Bitsight rating’s correlation with the likelihood of cybersecurity incidents.
What are the 2024 Bitsight ratings algorithm changes?
The Patching Cadence lifetime is shortened from 300 days to 90 days.
How will my rating change when the ratings algorithm is updated?
The 2024 RAU will potentially be seen at three levels: findings, the Patching Cadence risk vector grade, and the overall Bitsight rating:
- Findings – This update cannot cause the number of Patching Cadence findings to increase, and it cannot impact individual finding grades.
  - The number of Patching Cadence findings is reduced for most companies.
  - There are no differences in the number of findings for others.
- Patching Cadence grade – Both risk vector grade increases and decreases are possible since the grade reflects an average time-to-patch across both remediated and unremediated findings. This update may increase, decrease, or have no impact on the Patching Cadence risk vector grade even if your company has fewer Patching Cadence findings with the update.
- Overall rating – If there is any change in the Patching Cadence grade, it will impact the overall Bitsight rating since this risk vector is responsible for 20% of the weight of the overall Bitsight rating. This may be an increase or decrease. Some companies will experience no change.
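The following is an added example, not Bitsight’s published algorithm or code. It models the two mechanisms described above: the overall rating as a weighted average of risk vector grades (with Patching Cadence at the stated 20% weight), and the Patching Cadence grade as an average time-to-patch over the remediated and unremediated findings still within their lifetime. Three constructed companies show how shortening the lifetime from 300 to 90 days can raise, lower, or leave unchanged the grade and the overall rating. The lifetime rule (a finding stays in scope for the lifetime period after it was last observed), the grade bands, the 0–100 point scale, the stand-in score for the other 80% of the weight, and the CVE-PLACEHOLDER labels are all assumptions made for illustration.

```python
"""Illustrative model of the 2024 Patching Cadence lifetime change.

Added example with a simplified, hypothetical model; not Bitsight's
published algorithm. Assumptions are marked inline.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

AS_OF = date(2024, 6, 1)            # constructed "day of the update"
OLD_LIFETIME_DAYS = 300             # stated on the page
NEW_LIFETIME_DAYS = 90              # stated on the page
PATCHING_CADENCE_WEIGHT = 0.20      # 20% of the overall rating, stated on the page


@dataclass(frozen=True)
class Finding:
    cve: str                        # placeholder label, not a real CVE identifier
    detected: date
    remediated: Optional[date]      # None means still unremediated


def time_to_patch(f: Finding, as_of: date = AS_OF) -> int:
    """Days from detection to remediation; an open finding counts up to as_of."""
    return ((f.remediated or as_of) - f.detected).days


def within_lifetime(f: Finding, lifetime_days: int, as_of: date = AS_OF) -> bool:
    """Assumption: a finding stays in scope for lifetime_days after it was last
    observed, i.e. its remediation date, or as_of while it is still open."""
    last_seen = f.remediated or as_of
    return (as_of - last_seen).days <= lifetime_days


def mean_time_to_patch(findings: List[Finding], lifetime_days: int,
                       as_of: date = AS_OF) -> Optional[float]:
    """Average time-to-patch over remediated and unremediated findings in scope."""
    in_scope = [f for f in findings if within_lifetime(f, lifetime_days, as_of)]
    if not in_scope:
        return None  # the page does not define the no-findings case; caller decides
    return sum(time_to_patch(f, as_of) for f in in_scope) / len(in_scope)


def grade_points(mean_days: Optional[float]) -> float:
    """Hypothetical grade bands (assumption): faster patching scores higher."""
    if mean_days is None:
        return 100.0
    for limit, points in ((30, 100.0), (60, 80.0), (90, 60.0)):
        if mean_days <= limit:
            return points
    return 40.0


def weighted_rating(grades: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted average of risk vector grades, as the page describes the rating."""
    total = sum(weights.values())
    return round(sum(grades[v] * weights[v] for v in weights) / total, 2)


def compare_lifetimes(findings: List[Finding],
                      other_vectors_points: float = 80.0) -> Dict[str, Dict[str, float]]:
    """Grade and overall rating under the 300-day and 90-day lifetimes.
    other_vectors_points is a constructed stand-in for the remaining 80% of weight."""
    weights = {"patching_cadence": PATCHING_CADENCE_WEIGHT,
               "all_other_vectors": 1.0 - PATCHING_CADENCE_WEIGHT}
    result: Dict[str, Dict[str, float]] = {}
    for label, lifetime in (("old_300d", OLD_LIFETIME_DAYS), ("new_90d", NEW_LIFETIME_DAYS)):
        mean = mean_time_to_patch(findings, lifetime)
        pc = grade_points(mean)
        result[label] = {
            "findings_in_scope": sum(within_lifetime(f, lifetime) for f in findings),
            "mean_days": mean,
            "patching_cadence_points": pc,
            "overall_rating": weighted_rating(
                {"patching_cadence": pc, "all_other_vectors": other_vectors_points}, weights),
        }
    return result


def d(days_ago: int) -> date:
    """Date days_ago days before the constructed as-of date."""
    return AS_OF - timedelta(days=days_ago)


# Constructed sample companies (not real data)
IMPROVES = [Finding("CVE-PLACEHOLDER-1", d(350), d(200)),   # slow (150 d); ages out at 90 d
            Finding("CVE-PLACEHOLDER-2", d(30), d(20))]     # fast (10 d); stays in scope
WORSENS = [Finding("CVE-PLACEHOLDER-3", d(205), d(200)),    # fast (5 d); ages out at 90 d
           Finding("CVE-PLACEHOLDER-4", d(80), None)]       # still open after 80 d
UNCHANGED = [Finding("CVE-PLACEHOLDER-5", d(40), d(10))]    # 30 d; in scope either way

if __name__ == "__main__":
    for name, findings in (("improves", IMPROVES), ("worsens", WORSENS), ("unchanged", UNCHANGED)):
        print(name, compare_lifetimes(findings))
```

The first company’s old, slow remediation ages out of the 90-day window, so its mean time-to-patch drops and the rating rises; the second company’s only fast remediation ages out, leaving a long-open finding to dominate the mean, so the rating falls; the third company’s findings are recent enough to be in scope under both lifetimes, so nothing changes. The direction of the change depends on which findings leave the window, which is why the page says both increases and decreases are possible even when the finding count goes down.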
How is Bitsight now able to shorten the Patching Cadence lifetime?
The Patching Cadence risk vector is a longitudinal measure, which indicates how long, on average, companies take to remediate detected vulnerabilities. For this reason, Patching Cadence’s lifetime is longer than the lifetimes of other Diligence risk vectors, to ensure an accurate estimate of the mean remediation time of vulnerabilities. The window of time that we use to look at this performance is directly influenced by how much data is available to us. We aim to make this window as short as possible while retaining a high correlation between the Patching Cadence risk vector grade and a company’s likelihood of experiencing a negative outcome (for example, a breach).
Recent investments in proprietary vulnerability research capabilities have enabled Bitsight to increase the rate at which we detect and include CVEs (common vulnerabilities and exposures). We increased our vulnerability coverage by around 30% in 2023. This increase in coverage means that the algorithm’s correlation to breach remains strong despite the shorter lifetime period.
How should I prepare for the changes to the algorithm?
You do not need to change how you prioritize efforts to patch vulnerabilities since the overall calculation of the Patching Cadence risk vector is not changing. Vulnerabilities with the longest duration and highest severity will continue to impact the rating the most. These should continue to be the highest priority for remediation.
During the 90-day period leading up to the algorithm update, we will provide a weekly comparison of the current and updated algorithm for ratings and Patching Cadence grading. Use this to understand how the decrease in finding lifetime may impact ratings.
For Continuous Monitoring and Insurance users, a portfolio-level view will be available to assist with preparing for the updated algorithm.
The findings that will still be within their lifetime on the day of the update may be different from those during the preview period.