Observed Devices Thresholds for Grading Desktop and Mobile Software Risk Vectors

Ingrid

When there’s insufficient data, the Desktop Software and Mobile Software risk vectors are assigned a default grade. Either:

- There are no findings.
- The number of observed devices falls below a minimum threshold.

To avoid sudden fluctuations, the risk vector grade is reassigned from A to F when the number of observed devices has stayed above the threshold for 65 days.

Thresholds

Thresholds ensure there is a sufficient statistical sample size for any company of any size. They are determined as follows:

- The number of observed devices is less than 5 (<5), or
- The number of observed devices is less than 100 (<100) and less than the number of employees divided by 1,000 (<employee_count/1000).

Examples of the number of employees and their observed devices thresholds:

- 1,000 employees = Less than 5 observed devices
- 5,000 employees = Less than 5 observed devices
- 20,000 employees = Less than 20 observed devices
- 100,000 employees = Less than 100 observed devices
- 200,000 employees = Less than 100 observed devices

January 16, 2025: Reasoning for threshold values.
March 20, 2024: Published.
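The threshold rule and the 65-day wait described in this article can be checked against your own device counts with the following added example, which is not Bitsight code. The function names and the sample series are constructed for illustration. It assumes the 65 days are consecutive, that a count exactly at the threshold is sufficient, and that one dip below the threshold restarts the count.

```python
from typing import Optional, Sequence

STABLE_DAYS = 65  # from the article: days the count must stay above the threshold


def insufficient(observed: int, employees: int) -> bool:
    """The article's rule: <5, or (<100 and <employee_count/1000)."""
    return observed < 5 or (observed < 100 and observed < employees / 1000)


def threshold(employees: int) -> int:
    """Smallest observed-device count that the rule does not flag."""
    n = 0
    while insufficient(n, employees):
        n += 1
    return n


def first_graded_day(daily_counts: Sequence[int], employees: int,
                     findings: bool = True) -> Optional[int]:
    """Index of the first day an A-F grade would replace the default grade.

    Assumptions (not stated in the article): the 65 days are consecutive
    and a single day below the threshold restarts the count.
    """
    if not findings:  # "There are no findings" keeps the default grade
        return None
    streak = 0
    for day, count in enumerate(daily_counts):
        streak = 0 if insufficient(count, employees) else streak + 1
        if streak >= STABLE_DAYS:
            return day
    return None


# Constructed daily series for a 20,000-employee company (threshold 20):
# 10 days too low, 40 days sufficient, a one-day dip, then 70 steady days.
SAMPLE = [12] * 10 + [25] * 40 + [18] + [30] * 70

if __name__ == "__main__":
    for e in (1_000, 5_000, 20_000, 100_000, 200_000):
        print(f"{e:>7} employees -> fewer than {threshold(e)} devices is insufficient")
    print("first graded day in SAMPLE:", first_graded_day(SAMPLE, 20_000))
```

Under these assumptions the one-day dip on day 50 of the sample delays grading from day 74 to day 115, which is the kind of delay to expect when device visibility is intermittent.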