This will be impacted by the 2025 Ratings Algorithm Update (RAU), which is planned for release on July 10, 2025.
There may be insufficient data when grading a risk vector. In that case, a default risk vector grade is assigned. The threshold for what counts as insufficient data varies by risk vector.
Insufficient data could be due to any of the following reasons:
- There are no findings, or the findings have no impact on the score. Neutral findings do not impact the score; if only Neutral findings are detected, a default letter grade is assigned.
- For Desktop Software and Mobile Software, the estimated number of users falls below a minimum threshold.
- For Mobile Application Security, the organization has not published any mobile applications (no assets).
- We are temporarily unable to collect data.
❖ For select risk vectors, the most recent grade is held for up to 400 days before the default grade is assigned. If the most recent grade is lower than the default grade, the default grade is assigned as soon as the latest finding’s lifetime is over.
- Example 1: a company’s current DKIM grade is a D, based on a single finding. Once that finding’s 60-day lifetime is over, the DKIM grade becomes the default C until new data changes the grade.
- Example 2: a company’s current DKIM grade is a B, based on a single finding. Once that finding’s 60-day lifetime is over, the latest DKIM grade of B is held for up to 400 additional days before the grade reverts to the default C.
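The hold-then-default rule above, with both DKIM examples replayed, as an added illustration written for this page; it is not Bitsight’s own grading code. The letter ordering A through F, the constructed finding date, and the choice to treat a finding’s lifetime as over on day 60 itself are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Letter grades from best to worst; a higher index is a lower (worse) grade.
# Assumed ordering for this example; the page only names individual letters.
GRADE_ORDER = "ABCDF"


def is_lower_than(grade: str, other: str) -> bool:
    """True when `grade` is a worse letter grade than `other`."""
    return GRADE_ORDER.index(grade) > GRADE_ORDER.index(other)


@dataclass
class RiskVectorState:
    name: str
    default_grade: str
    latest_grade: Optional[str]          # grade produced by the latest finding, None if never graded
    latest_finding_date: Optional[date]  # date the latest finding was first seen
    finding_lifetime_days: int = 60      # the lifetime used in the DKIM examples
    hold_days: int = 400                 # how long a better-or-equal grade is held after expiry


def effective_grade(state: RiskVectorState, today: date) -> str:
    """Grade shown on `today`, following the hold-then-default rule.

    Assumption: a finding's lifetime is treated as over on the day
    `latest_finding_date + finding_lifetime_days` (inclusive).
    """
    if state.latest_grade is None or state.latest_finding_date is None:
        return state.default_grade                       # never graded: default applies
    expiry = state.latest_finding_date + timedelta(days=state.finding_lifetime_days)
    if today < expiry:
        return state.latest_grade                        # finding still alive: graded normally
    if is_lower_than(state.latest_grade, state.default_grade):
        return state.default_grade                       # Example 1: D reverts to C immediately
    if today < expiry + timedelta(days=state.hold_days):
        return state.latest_grade                        # Example 2: B is held for up to 400 days
    return state.default_grade                           # hold exhausted: default applies


def grade_transitions(state: RiskVectorState, start: date, end: date) -> List[Tuple[date, str]]:
    """Dates in [start, end] on which the effective grade changes, plus the starting grade."""
    out: List[Tuple[date, str]] = []
    current: Optional[str] = None
    day = start
    while day <= end:
        g = effective_grade(state, day)
        if g != current:
            out.append((day, g))
            current = g
        day += timedelta(days=1)
    return out


def dkim_example(latest_grade: str, days_after_finding: int) -> str:
    """Replay the page's DKIM examples: default C, 60-day lifetime, constructed finding date."""
    seen = date(2025, 1, 1)  # constructed finding date
    st = RiskVectorState("DKIM", "C", latest_grade, seen)
    return effective_grade(st, seen + timedelta(days=days_after_finding))


def dkim_transition_offsets(latest_grade: str, horizon_days: int = 500) -> List[Tuple[int, str]]:
    """Day offsets (from the finding date) at which the DKIM grade changes."""
    seen = date(2025, 1, 1)  # constructed finding date
    st = RiskVectorState("DKIM", "C", latest_grade, seen)
    return [((d - seen).days, g) for d, g in grade_transitions(st, seen, seen + timedelta(days=horizon_days))]


if __name__ == "__main__":
    for latest in ("D", "B"):
        print(f"latest grade {latest}:", dkim_transition_offsets(latest))
```

Running the block prints the two timelines: the D grade becomes C at day 60, while the B grade is carried through day 459 and only becomes C at day 460 (60 days of lifetime plus the 400-day hold).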
Default Grades by Risk Vector
SPF Domains
Having SPF records for all domains (including SMTP servers and those that aren’t configured to send email) is best practice. If a company does not intend to send email from a domain, an attacker can still use that domain to spoof email.
Only domains that are sending email and don’t have SPF records are affected.
❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade.
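A small SPF posture check that follows the best practice stated above (every domain, sending or not, should publish an SPF record, with a null record of `v=spf1 -all` for domains that never send). This is an added example written for this page, not Bitsight’s collection logic; the domains, their TXT records and the sending inventory are constructed, and the classification rules come from RFC 7208.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample data: hypothetical domains (under the reserved .test TLD)
# and the TXT records a resolver would return for each. Not real DNS answers.
SAMPLE_TXT: Dict[str, List[str]] = {
    "mail.example.test":   ["v=spf1 mx include:_spf.relay.test -all"],
    "soft.example.test":   ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "parked.example.test": ["v=spf1 -all"],                    # null SPF on a non-sending domain
    "forgot.example.test": ["some-site-verification=abc123"],  # no SPF record at all
    "open.example.test":   ["v=spf1 +all"],
    "dup.example.test":    ["v=spf1 mx -all", "v=spf1 a -all"],
    "noall.example.test":  ["v=spf1 mx"],
}

# Which of the sample domains actually send mail (constructed inventory).
SENDS_MAIL: Set[str] = {"mail.example.test", "soft.example.test", "open.example.test",
                        "dup.example.test", "noall.example.test"}

# The 'all' mechanism with its optional qualifier, as a standalone term.
_ALL_RE = re.compile(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", re.IGNORECASE)


def spf_records(txt_records: List[str]) -> List[str]:
    """SPF records are the TXT records whose version tag is 'v=spf1' (RFC 7208 section 3)."""
    return [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]


def all_qualifier(spf: str) -> str:
    """Qualifier on the 'all' mechanism: '+', '-', '~', '?', or '' when 'all' is absent."""
    m = _ALL_RE.search(spf)
    if m is None:
        return ""
    return m.group(1) or "+"   # a bare 'all' means '+all'


def assess_domain(domain: str, txt_records: List[str], sends_mail: bool) -> Tuple[str, str]:
    """Classify a domain's SPF posture and say what a defender should do about it."""
    records = spf_records(txt_records)
    if not records:
        if sends_mail:
            return ("missing", f"{domain} sends mail but has no SPF record; receivers cannot reject forged mail")
        return ("missing", f"{domain} does not send mail; publish 'v=spf1 -all' so forged mail is rejected")
    if len(records) > 1:
        return ("multiple", f"{domain} has {len(records)} SPF records; RFC 7208 treats this as a permanent error")
    if records[0].lower().split() == ["v=spf1", "-all"]:
        return ("null-spf", f"{domain} publishes a null SPF record; all senders fail, which is right for a non-sending domain")
    q = all_qualifier(records[0])
    if q == "":
        return ("no-all", f"{domain} has no 'all' mechanism; unmatched senders get an implicit neutral result")
    if q == "+":
        return ("pass-all", f"{domain} uses +all, so any sender passes SPF")
    if q == "?":
        return ("neutral", f"{domain} uses ?all; unmatched senders are neither passed nor failed")
    if q == "~":
        return ("softfail", f"{domain} uses ~all; forged mail is marked but often still delivered")
    return ("fail", f"{domain} uses -all; unmatched senders fail SPF")


def assess_all(txt: Dict[str, List[str]] = SAMPLE_TXT, senders: Set[str] = SENDS_MAIL) -> Dict[str, str]:
    """Status per domain for an inventory of TXT records."""
    return {d: assess_domain(d, recs, d in senders)[0] for d, recs in txt.items()}


if __name__ == "__main__":
    for d, recs in SAMPLE_TXT.items():
        print(assess_domain(d, recs, d in SENDS_MAIL)[1])
```

In a real run the TXT lists would come from DNS lookups and the sending inventory from the mail team; the point of the check is that a missing record on a non-sending domain is still a gap, since nothing stops a third party from using that domain in forged mail.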
DKIM Records
Without DKIM records, we cannot verify that a company is effectively preventing email from being spoofed from its domains. The default grade is set at the center of the grading scale when computing security ratings.
❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade. If the most recent grade is lower than the default grade, the default grade is assigned.
TLS/SSL Certificates
The default grade is set at the center of the grading scale when computing Bitsight Security Ratings. Some findings cannot be traced back to specific companies because of third-party systems, such as web filters and Content Delivery Networks (CDNs), that redirect and encapsulate network traffic. Some firewalls may also detect and block external data-gathering tools, so no data is collected.
❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade. If the most recent grade is lower than the default grade, the default grade is assigned.
TLS/SSL Configurations
The default grade is set at the center of the grading scale when computing Bitsight Security Ratings. Some findings cannot be traced back to specific companies because of third-party systems, such as web filters and Content Delivery Networks (CDNs), that redirect and encapsulate network traffic. Some firewalls may also detect and block external data-gathering tools, so no data is collected.
❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade.
Open Ports
Companies are not required to run open port services. The rating is positively impacted if there are no findings for this risk vector.
Web Application Headers
The default grade is set at the center of the grading scale when computing security ratings. Some findings cannot be traced back to specific companies because of third-party systems, such as web filters and Content Delivery Networks (CDNs), that redirect and encapsulate network traffic. Some firewalls may also detect and block external scanning tools, so no data is collected.
❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade.
Patching Cadence
The rating is positively impacted if there are no findings for this risk vector within its lifetime.
Insecure Systems
The rating is positively impacted if there are no findings for this risk vector.
Server Software
Server software is not required to improve an organization’s cyber security posture, so there is no penalty or negative impact to the rating in the absence of Server Software findings.
Desktop Software
This default grade does not have a negative impact on the rating. It is equivalent to a perfect grade. Either:
- There are no findings.
- The estimated number of users falls below a minimum threshold. To avoid sudden fluctuations, the risk vector is reassigned an A to F grade when the estimated number of users has stayed above the threshold for 65 days.
Mobile Software
This default grade does not have a negative impact on the rating. It is equivalent to a perfect grade. Either:
- There are no findings.
- The estimated number of users falls below a minimum threshold. To avoid sudden fluctuations, the risk vector is reassigned an A to F grade when the estimated number of users has stayed above the threshold for 65 days.
DNSSEC
No ratings impact. This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into Bitsight Security Ratings.
Mobile Application Security
This default grade is assigned if the organization has not published any mobile applications (no assets). Not all organizations have mobile application offerings.
Web Application Security
Some findings cannot be traced back to specific companies because of third-party systems, such as web filters and Content Delivery Networks (CDNs), that redirect and encapsulate network traffic. Some firewalls may also detect and block external scanning tools, so no data is collected. The default grade is set at the center of the grading scale when computing security ratings.
DMARC
DMARC is a temporarily non-graded risk vector.
Domain Squatting
This is an informational risk vector. It does not currently affect security ratings.
File Sharing
The rating is positively impacted if there are no File Sharing findings.
Exposed Credentials
Default: Not applicable.
Security Incidents
This default grade is designed to neutralize any positive or negative impact from the risk vector. The absence of ratings-impacting Security Incidents does not positively affect security ratings, but their presence has a negative impact.
- November 22, 2024: Default grading behavior updated.
- April 30, 2024: Incorporated DMARC.
- March 20, 2024: Published.