How is the Compromised Systems Risk Category Calculated?

Ingrid

The Compromised Systems risk category accounts for 27% of a company's Bitsight Security Rating. The letter grades of all Compromised Systems risk vectors and the duration of their events are factored into the category as a whole, and the result is normalized to account for company size.

Each risk vector receives an individual letter grade based on frequency, duration, and severity. The letter grade is relative to all other companies. Individual grades are calculated and rescanned daily.

Frequency

The volume of events that appear in a given period of time. Unique IP addresses, malware family, number of days, and connection tracking information are taken into consideration when classifying observations as an event:

Consideration: Number of Days
Determines the duration of an event.
- One multi-day event: Gamarue was observed on xxx.xxx.12.345 on January 1st and on consecutive days until January 3rd. All observations during those 3 days are counted as 1 multi-day event.
- Multiple events: Gamarue was observed on 7 unique IPs on 7 different days. Each observation is counted as an event, for a total of 7 events.

Consideration: Multi-day with Gaps
For multi-day observations with gaps (a day or two skipped), there is a 3-day tolerance period within which the observations are still counted as one multi-day event.
- One multi-day event: Gamarue was observed on xxx.xxx.12.345 on January 1st. The same infection was observed again on the same IP on January 3rd. The gap falls within the 3-day tolerance period, so these observations are counted as 1 multi-day event.
- Multiple events: Gamarue was observed on xxx.xxx.12.345 on January 1st. The same infection was observed again on the same IP address on January 4th. That is a 4-day gap, so the 3-day tolerance period no longer applies, and these observations are counted as 2 events.

Consideration: Unique IP
An event must have a unique IP address.
- Gamarue was observed 7 times on xxx.xxx.12.345 and 2 times on xxx.xxx.54.321 (a different IP). The 9 observations are counted as 2 events.

Consideration: Malware Family
An event must belong to a unique malware family.
- Conficker and Ramnit were each observed any number of times on xxx.xxx.12.345 on January 1st. Each malware family is counted as a separate event, for a total of 2 events.

Duration

The time between when the system was first observed to be compromised and when it was last observed. Longer-lasting events have a larger impact than shorter events.

Example: If a Botnet Infection is first observed on one machine on June 1, is seen again from the same machine on June 2, and is not seen subsequently, the duration is 2 days.

Frequently Asked Questions

When do Security Ratings Improve?

Compromised Systems events are rescanned daily and are based on events that occurred over the past 180 days. The letter grade of a particular risk vector will improve over time after the event's end date, assuming no new events occur.

How do Ongoing Infections Impact Bitsight Security Ratings?

All infections have the same raw weight/impact. An infection of a particular family on a given IP only counts against the rating once in a three-day period.

The ratings algorithm is based on relative rankings of companies. This means that the output ratings do not directly match the raw impact. In practice, the first few events have a higher impact, because they push the company to a lower rank relative to many other companies: Botnet Infections are rare occurrences. As the number of Botnet Infection findings increases, the ratings impact of each additional finding gets smaller, since fewer companies have that many findings.

Updates

- December 19, 2025: Language clarification.
- August 30, 2024: Clarified multi-day event definition and updated examples.
- December 1, 2023: Linked to finding lifetime resource.
- April 19, 2023: 2023 Ratings Algorithm Update.
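As an added example, not Bitsight's code and not part of the article, the following Python groups raw observations into events using the Frequency and Duration rules above: one event key per (IP address, malware family), consecutive observations of the same key merged into one multi-day event while the inclusive span between them is at most 3 days (so January 1 followed by January 3 merges, January 1 followed by January 4 does not), and duration counted inclusively (June 1 and June 2 give 2 days). That reading of the 3-day tolerance is an assumption drawn from the article's examples; the IP addresses and dates in the sample data are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed reading of the article's "3-day tolerance period": two observations
# of the same (IP, family) belong to one multi-day event while the inclusive
# span from the previous observation to the next one is at most 3 days.
TOLERANCE_DAYS = 3


@dataclass
class Event:
    ip: str
    family: str
    first_seen: date
    last_seen: date

    @property
    def duration_days(self) -> int:
        # Inclusive count, as in the article's example (June 1 + June 2 -> 2 days).
        return (self.last_seen - self.first_seen).days + 1


def group_events(observations):
    """Group (ip, malware_family, 'YYYY-MM-DD') observations into Events.

    Every unique (IP, family) pair is its own event series, matching the
    "Unique IP" and "Malware Family" considerations. Within a series,
    observations are merged while they fall inside the tolerance window.
    """
    by_key = defaultdict(set)
    for ip, family, day in observations:
        by_key[(ip, family)].add(date.fromisoformat(day))

    events = []
    for key in sorted(by_key):
        ip, family = key
        current = None
        for day in sorted(by_key[key]):
            if current is not None and (day - current.last_seen).days + 1 <= TOLERANCE_DAYS:
                current.last_seen = day          # extend the multi-day event
            else:
                current = Event(ip, family, day, day)  # start a new event
                events.append(current)
    return events


def count_events(observations) -> int:
    return len(group_events(observations))


def max_duration_days(observations) -> int:
    return max((e.duration_days for e in group_events(observations)), default=0)


if __name__ == "__main__":
    # Constructed sample: one infection seen Jan 1, Jan 3 (within tolerance),
    # then Jan 7 (outside tolerance), plus a second family on the same host.
    sample = [
        ("203.0.113.10", "Gamarue", "2024-01-01"),
        ("203.0.113.10", "Gamarue", "2024-01-03"),
        ("203.0.113.10", "Gamarue", "2024-01-07"),
        ("203.0.113.10", "Ramnit", "2024-01-01"),
    ]
    for e in group_events(sample):
        print(f"{e.ip} {e.family}: {e.first_seen} to {e.last_seen}, "
              f"{e.duration_days} day(s)")
    print("events:", count_events(sample))
```

Running the script on the constructed sample yields three events: Gamarue on January 1 to 3 (3 days), Gamarue on January 7 (1 day), and Ramnit on January 1 (1 day). Each of the article's table rows can be reproduced the same way by feeding in the observations it describes.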
Comments

Chris Johnson, June 20, 2019 12:39
An example in the duration section would be helpful. Thanks!

Ingrid, July 01, 2019 15:07
Hello Chris. We've provided an example for how duration is determined.

Chris Johnson, July 01, 2019 16:37
Hi Ingrid. Thanks for adding an example of duration. An example under the "following factors" section would also be helpful. For example, if a botnet infection is observed on June 1 and the overall score decreases 10 points, 25% of that (2.5 points) would be recovered after 30 days, another 25% would be recovered after 90 days, and the remaining 50% would be recovered after 400 days.

Thomas Huang, May 04, 2020 04:27
Hi Chris. Does it mean that even if the issue has been fixed, the result will not be reflected in the score immediately?

Lisa Johnson, May 29, 2020 19:09
So if a one-day event occurs on 1/1/2020 and a 20-point drop results, what will the score be in 6 months? And will it take 400 days to recoup all of the 20 points lost? In 30 days, 5 points (25% of 20) are recovered. After 90 days, 10 points are recovered? And how does that show if published score drops/increases are in 10-point increments? (Is there rounding?) And lastly, is the points recovery *always* noted in the Security Ratings highlights?

Megha Hallera, June 28, 2021 10:08
Hi Ingrid, now that the decay period for Compromised Systems is 180 days, how will the linear increase happen? An explanation with an example would be great.