How are Bitsight Security Ratings Calculated?
The Compromised Systems risk category accounts for 27% of a company’s Bitsight Security Rating. The letter grades of all Compromised Systems risk vectors, together with event duration, are factored into the overall Compromised Systems risk category and then normalized to account for company size:
Each risk vector receives an individual letter grade based on frequency, duration, and severity. The letter grade is relative to all other companies. Individual grades are calculated and refreshed daily.
Risk vectors:
Event Count Considerations
The number of events is determined by the uniqueness of the infection, which is decided by the following details:

| Consideration | Examples |
|---|---|
| Event Duration | |
| Multi-day with Gaps | |
| Unique IP | Gamarue was observed 7 times on xxx.xxx.12.345 and 2 times on xxx.xxx.54.321 (a different IP); the 9 observations are counted as 2 events. |
| Malware Family | Conficker and Ramnit were observed any number of times on xxx.xxx.12.345 on January 1st; each malware family is counted as a separate event, so 2 events. |
Event Duration
The time between when the system was first observed to be compromised and when it was last observed. Longer lasting events have a larger impact than shorter events.
Example: If a Botnet Infection is first observed in one machine on June 1, is seen again from the same machine on June 2, and then not seen subsequently, the duration is 2 days.
Frequently Asked Questions
When do Security Ratings Improve?
Compromised Systems events are refreshed daily and are based on events that occur over the past 180 days. The letter grade of a particular risk vector will improve over time after the event’s end date, assuming no new events occur.
Learn more about finding lifetime.
How do Ongoing Infections Impact Bitsight Security Ratings?
All infections have the same raw weight/impact. An infection of a particular family on a given IP only counts against the rating once in a three-day period.
The ratings algorithm is based on relative rankings of companies. This means that the output ratings do not directly match the raw impact.
In practice, the first few events have the largest impact: because Botnet Infections are rare occurrences, the first few events push the company to a lower rank relative to many other companies. As the number of Botnet Infection findings grows, each additional finding has a smaller ratings impact, since fewer companies have that many findings.
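As an added worked example (not Bitsight's code or algorithm), the following Python applies the counting rules on this page to a constructed set of observations: one event per IP and malware family (the Event Count Considerations table), duration from first to last observation (the Event Duration section), the 180-day lookback, and the once-per-three-day-period rule from the FAQ above. The inclusive day count, the anchoring of the three-day period at the counted observation, and the sample addresses are assumptions; the normalization against other companies is not modelled.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample observations (date, IP, malware family); IPs are documentation addresses.
OBSERVATIONS = [
    (date(2024, 6, 1), "203.0.113.10", "Gamarue"),
    (date(2024, 6, 2), "203.0.113.10", "Gamarue"),    # same IP/family: same event
    (date(2024, 6, 2), "203.0.113.10", "Gamarue"),    # repeat on the same day
    (date(2024, 6, 5), "203.0.113.10", "Gamarue"),    # four days after the first hit
    (date(2024, 6, 1), "203.0.113.20", "Gamarue"),    # different IP: separate event
    (date(2024, 6, 1), "203.0.113.10", "Conficker"),  # different family: separate event
    (date(2023, 1, 1), "203.0.113.10", "Conficker"),  # older than 180 days: ignored
]
AS_OF = date(2024, 6, 30)  # constructed rating date
LOOKBACK_DAYS = 180        # ratings consider events from the past 180 days
IMPACT_PERIOD_DAYS = 3     # one family on one IP counts once per three-day period

def in_window(observations, as_of):
    cutoff = as_of - timedelta(days=LOOKBACK_DAYS)  # keep the 180-day lookback only
    return [o for o in observations if cutoff < o[0] <= as_of]

def group_events(observations):
    """One event per (IP, malware family); returns {(ip, family): sorted dates}."""
    events = defaultdict(list)
    for day, ip, family in observations:
        events[(ip, family)].append(day)
    return {key: sorted(days) for key, days in events.items()}

def duration_days(dates):
    """First to last observation, inclusive: June 1 and June 2 give 2 days."""
    return (dates[-1] - dates[0]).days + 1

def rating_hits(dates):
    """Observations that count against the rating. Assumption: the three-day
    period starts at the counted observation, so the next hit needs day >= first+3."""
    hits, next_allowed = 0, None
    for day in dates:
        if next_allowed is None or day >= next_allowed:
            hits += 1
            next_allowed = day + timedelta(days=IMPACT_PERIOD_DAYS)
    return hits

def summarize(observations, as_of):
    """{(ip, family): (observation count, duration in days, rating hits)}"""
    events = group_events(in_window(observations, as_of))
    return {key: (len(d), duration_days(d), rating_hits(d)) for key, d in events.items()}

if __name__ == "__main__":
    for key, (n, dur, hits) in summarize(OBSERVATIONS, AS_OF).items():
        print(key, f"observations={n} duration={dur}d rating_hits={hits}")
```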
- August 30, 2024: Clarified multi-day event definition and updated examples.
- December 1, 2023: Linked to finding lifetime resource.
- April 19, 2023: 2023 Ratings Algorithm Update.
Feedback
An example in the duration section would be helpful. Thanks!
Hello Chris. We've provided an example for how duration is determined.
Hi Ingrid. Thanks for adding an example of duration. An example under the "following factors" section would also be helpful. For example, if a botnet infection is observed on June 1 and the overall score decreases 10 points, 25% of that (2.5 points) would be recovered after 30 days, another 25% would be recovered after 90 days, and the remaining 50% would be recovered after 400 days.
Hi Chris.
Does it mean that even if the issue has been fixed, the result will not be reflected in the score immediately?
So if a one-day event occurs on 1/1/2020 and a 20-point drop results, what will the score be in 6 months? And will it take 400 days to recoup all of the 20 points lost? In 30 days 5 points (25% of 20) are recovered. After 90 days, 10 points are recovered? And how does that show if published score drops/increases are in 10-point increments? (Is there rounding?) And lastly, is the points recovery *always* noted in the Security Ratings highlights?
Hi Ingrid,
Now that the decay period for Compromised Systems is 180 days, how will the linear increase happen?
Explanation with an example would be great.