User Count Thresholds for Grading Desktop and Mobile Software Risk Vectors

Ingrid

When there’s insufficient data, the Desktop Software and Mobile Software risk vectors are assigned a default grade. Either:

There are no findings.
The number of observed devices falls below a minimum threshold. To avoid sudden fluctuations, the risk vector grade is reassigned from A to F when the number of observed devices has stayed above the threshold for 65 days.

Thresholds

Thresholds ensure there is a sufficient statistical sample size for any company of any size. They are determined as follows:

The number of observed devices is less than 5 (<5), or
The number of observed devices is less than 100 (<100) and less than the number of employees divided by 1,000 (<employee_count/1000).

Examples of the number of employees and their observed devices thresholds:

1,000 employees = Less than 5 observed devices
5,000 employees = Less than 5 observed devices
20,000 employees = Less than 20 observed devices
100,000 employees = Less than 100 observed devices
200,000 employees = Less than 100 observed devices

January 16, 2025: Reasoning for threshold values.
March 20, 2024: Published.

Feedback

0 comments

Please sign in to leave a comment.