- August 16, 2023: Minor edits for clarity.
- January 19, 2023: Reincorporated rating categories into this article.
- October 20, 2022: Moved rating categories to their own article.
Bitsight Security Ratings describe an entity's cybersecurity posture, serve as a measure of its risk, and transform how entities manage security risk by using a data-driven, outside-in approach to rate an entity's security effectiveness.
We provide daily security ratings through an automated service that leverages 1 year of supporting data. Unlike the manual and subjective assessments used to manage risk today, the sophisticated analytics and alerting capabilities provide risk managers with the insight they need to proactively identify, quantify, and mitigate the risk of being exposed to a breach.
How Security Ratings are Presented
We rate companies on a scale of 250 to 900, with 250 being the lowest measure of security performance and 900 being the highest. The upper and lower edges of this range are reserved for future use. Currently, the effective range is 300-820.
A Security Rating is the weighted aggregation of all of an entity's risk vector letter grades, normalized for that entity (as outlined in the risk vectors overview).
Security ratings are rounded down to the nearest 10 points. A displayed rating of 740 represents the combined assessment of all risk vectors; the underlying rating may actually be anywhere between 740 and 749.
Rounding is applied so that any change in the displayed rating can be traced back to a change in at least one risk vector. Without it, a 10-point change in the security rating could occur without a corresponding change in any risk vector, making the rating harder to explain.
Example: An actual rating of 735 is represented as a 730.
We use rating categories to help indicate the overall security performance of rated entities. In aggregate, entities with higher ratings have stronger security performance and lower cyber risk than entities with lower ratings. The average rating is 720. As the rating decreases, the risk an entity poses increases.
Each entity's rating falls into one of the following categories:
| Security Rating Range | Security Performance | Share of Entities* |
| --- | --- | --- |
| 740 – 900 | Strong security performance and lower risk | 50% of entities |
| 640 – 730 | Fair security performance and moderate risk | 45% of entities |
| 250 – 630 | Poor security performance and higher risk | 5% of entities |

*The approximate distribution of entities in the entire Bitsight inventory, across the rating categories.
A majority of the scoring scale is reserved for the bottom half of all entities. This is because there are more ways an entity can be considered “basic” than there are ways to be considered “advanced.” Being “advanced” is more elusive, in that an entity has to succeed in several key aspects at once to earn that category.
Correlation to Security Performance
Rating categories quickly communicate the overall risk posed by an entity. Each rating category corresponds to a different level of security performance and overall risk.
It is important to remember that no matter what, all entities have some risk of breach. If a threat actor is determined enough in targeting a specific entity, they will almost certainly be able to find a way to breach it.
Advanced: strong security performance and lower risk
Entities in this category have strong security performance and are less likely to experience a data breach. They pose the lowest risk. These entities demonstrate evidence of best practice implementation and consistent risk mitigation.
Intermediate: fair security performance and moderate risk
Entities in this category have relatively fair security performance and demonstrate moderate security effectiveness. These entities pose a moderate level of risk and are, on average, 1.5 – 2x more likely to be breached than entities with Advanced ratings.
Basic: poor security performance and higher risk
Entities in this category have lower security ratings and an increased likelihood of data breach. These entities typically have not implemented best practice IT security policies and procedures, may demonstrate evidence of compromised systems on their network, and pose the greatest risk. Basic entities are, on average, 2 – 3x more likely to experience a publicly disclosed data breach than Intermediate entities; entities with a rating of 400 or lower are 5x more likely to experience a publicly disclosed data breach than entities with a security rating of 700 or higher.