- April 20, 2023: 2023 RAU weight adjustments.
- May 17, 2022: Referenced findings sampling in the “Are all findings of a given company displayed?” FAQ.
- October 20, 2021: Ratings Algorithm Update 2021.
For each rated organization, we intelligently identify and classify behaviors emanating from that organization’s network assets, including communication with Command and Control Server (C&C or C2 Server), participation in a Distributed Denial-of-Service (DDoS) attack, malware distribution, network scanning, and email attacks. The machines participating in these behaviors are generally under the control of external adversaries. While these behaviors may not equate to data loss, each is evidence of a compromise. Evidence from sensors deployed across the globe is collected daily. Each individual security event is analyzed for confidence, severity, and duration, and then mapped to a specific organization.
In addition, we gather externally observable configuration information on rated organizations.
Example: We may include analysis of Sender Policy Framework (SPF) records, Secure Sockets Layer (SSL) implementation, and DomainKeys Identified Mail (DKIM) signatures. Failure to use best practices increases risk and therefore negatively impacts a company’s security rating.
We do not engage in any hacking or any intrusive network penetration testing. Our collected data is externally observed from various sources in the public internet. It is available to anyone who chooses to collect it and has the technological capabilities to do so.
Learn about Bitsight Security Ratings.
Algorithm
Bitsight Security Ratings are calculated daily using a proprietary algorithm that examines two classes of externally observable data – configuration and security events. Security effectiveness is assessed across the following risk categories:
The ratings algorithm accounts for the following elements:
- Number and Type(s) of Compromised Systems: Data is classified into risk vector types and factored into an organization‘s security rating accordingly.
- Event Duration: Calculates the time between when the compromised system was first observed and when it was last seen.
- Diligence Configurations: Shows steps an organization has taken to prevent attacks. Similar to Compromised Systems, data is classified into risk vector types and factored into an organization‘s security rating accordingly.
Security ratings are the results of the aggregation of all risk vector letter grades (with different weights) that are normalized for that company (as outlined in the risk vectors overview).
Learn more about the rationale for rating thresholds and why security ratings may be fluctuating.
Risk Category Weights
Risk categories are weighted as follows:
- Compromised Systems = 27%
- Diligence = 70.5%
- User Behavior = 2.5%
- Public Disclosures = Weighted only if they occur.
Letter Grades
Letter grades provide a quick way to understand how a company is performing in each risk type and also provides a meaningful way to compare risk type performance of one company to another.
Letter grades are directly correlated to how well a company is performing, relative to all companies in the Bitsight inventory. Below is a table that outlines how each grade correlates to their performance, relative to their company size.
Individual Company Reports provide greater precision than letter grades.
| Grade | Percentile |
|---|---|
| A | In the top 10% of companies. |
| B | In the top 30% of companies. |
| C | In the top 60% of companies. |
| D | In the bottom 40% of companies. |
| F | In the bottom 20% of companies. |
| N/A |
This grade has no correlation with how a company is performing. If a letter grade is “N/A” (Not Available), it may be because:
|
Finding Grades
Diligence findings are graded as GOOD, FAIR, WARN, BAD, or NEUTRAL based on inherent risk and if best practices can be improved upon. These finding grades contribute towards the letter grade of the risk vector.
| Finding Grade | Description |
|---|---|
| GOOD | Low risk, aligned with best practices. These have a significantly positive impact on the letter grade. |
| FAIR | Light risk and some opportunity to achieve best practices. These have a minor negative impact or no impact on the letter grade depending on the risk vector. |
| WARN | Moderate risk and departure from best practices. These have a moderately negative impact on the letter grade. |
| BAD | Significant risk and departure from best practices. These have a significantly negative impact on the letter grade. |
| NEUTRAL | Observed data with neither positive nor negative risk. This does not positively or negatively impact the letter grade. |
| N/A | Finding grades are not applicable (N/A) to Compromised Systems and User Behavior. |
Normalization
Large companies will typically have more findings than smaller companies. To ensure ratings are calculated in a way that doesn't unfairly penalize large companies, we normalize ratings based on the size of an organization. We compare organizations using employee count to account for size.
Frequently Asked Questions
Are all findings of a given company displayed?
Findings throughout the past 1 year are shown in the Bitsight platform. Though companies with a large amount of findings can have sampled findings, all findings are used to calculate a company’s security rating. A complete list can be obtained through the Bitsight API.
What do sharp changes in a rating mean?
Sudden drops in rating can occur due to publicly disclosed Security Incidents, an increase in Compromised Systems events, or poorly configured Diligence findings. Improvements in ratings are due to either many simultaneously resolved events or updates to Diligence findings. Any decreases of 10 points or greater are highlighted in a company‘s Overview page, next to its 1-year historical trend graph.
When is a security rating impacted?
The rating is updated daily using the previous day’s data.
It can take 24-48 hours for new findings to impact ratings after they are observed. This is the time it takes to collect the data and present it in the Bitsight platform. Findings are time stamped from when the data is available. This is typically the same day as when the finding was observed, but it might be recorded the next day.
Example: A finding is observed at 11:59 pm on March 1st. It may not be collected and recorded until 12:10 am on March 2nd. That finding will impact the rating on March 2nd and later.
The finding continues to impact the rating over a decay period, which varies by risk type. Refer to the lifetime, duration, and decay of the following findings:
- The duration of Compromised System events
- The impact & lifetime of Diligence findings
- The lifetime of File Sharing events
- The severity & decay of Security Incident events