- December 1, 2023: Linked to finding lifetime resource.
- April 19, 2023: 2023 Ratings Algorithm Update.
- November 30, 2021: Impact of ongoing infections.
The Compromised Systems risk category accounts for 27% of a company’s Bitsight Security Rating. The letter grades of all Compromised Systems risk vectors, together with event duration, are factored into the Compromised Systems risk category as a whole and then normalized to account for company size.
Each risk vector receives an individual letter grade based on frequency, duration, and severity. The letter grade is relative to all other companies. Individual grades are calculated and refreshed daily.
Risk vectors:
Event Frequency
The number of events observed within a given time window.
Since malware families communicate at different frequencies, the impact of a multi-day infection is reduced so that only 1 out of every 3 days is counted. The First Seen and Last Seen dates are not affected by this reduction.
Unique IP addresses, malware family, number of days, and connection tracking information are taken into consideration when classifying observations as an event:
| Consideration | Examples |
|---|---|
| Number of Days | |
| Multi-day with Gaps | |
| Unique IP | Gamarue was observed 7 times on xxx.xxx.12.345 and 2 times on xxx.xxx.54.321 (a different IP); the 9 observations are counted as 2 events. |
| Malware Family | Conficker and Ramnit were observed any number of times on xxx.xxx.12.345 on January 1st; each malware family is counted as a separate event. |
Event Duration
The time between when the system was first observed to be compromised and when it was last observed to be compromised. Longer-lasting events have a larger impact than shorter ones.
Example: If a Botnet Infection is first observed in one machine on June 1, is seen again from the same machine on June 2, and then not seen subsequently, the duration is 2 days.
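The event rules above (one event per unique IP and malware family, inclusive duration, and only 1 of every 3 days counted) applied to a constructed set of observations. This is an added illustration, not Bitsight's code; the page does not say how the three-day windows are aligned, so the example assumes they start at the event's First Seen date.

```python
from collections import defaultdict
from datetime import date

# Constructed sample observations (ip, malware family, date seen); not real data.
# Mirrors the table: Gamarue 7 times on one IP and 2 on another, plus two
# different families on the same IP on the same day.
OBSERVATIONS = [
    ("xxx.xxx.12.345", "Gamarue", date(2023, 6, 1)),
    ("xxx.xxx.12.345", "Gamarue", date(2023, 6, 1)),
    ("xxx.xxx.12.345", "Gamarue", date(2023, 6, 2)),
    ("xxx.xxx.12.345", "Gamarue", date(2023, 6, 2)),
    ("xxx.xxx.12.345", "Gamarue", date(2023, 6, 2)),
    ("xxx.xxx.12.345", "Gamarue", date(2023, 6, 4)),
    ("xxx.xxx.12.345", "Gamarue", date(2023, 6, 5)),
    ("xxx.xxx.54.321", "Gamarue", date(2023, 6, 1)),
    ("xxx.xxx.54.321", "Gamarue", date(2023, 6, 1)),
    ("xxx.xxx.12.345", "Conficker", date(2023, 1, 1)),
    ("xxx.xxx.12.345", "Ramnit", date(2023, 1, 1)),
]


def classify_events(observations):
    """Group observations into events keyed by (IP, malware family).

    Returns {(ip, family): {"first_seen", "last_seen", "observations",
    "duration_days", "counted_days"}}.
    """
    obs_count = defaultdict(int)
    seen_days = defaultdict(set)
    for ip, family, day in observations:
        obs_count[(ip, family)] += 1
        seen_days[(ip, family)].add(day)

    events = {}
    for key, days in seen_days.items():
        first, last = min(days), max(days)
        # Duration is inclusive: first seen June 1, last seen June 2 -> 2 days.
        duration = (last - first).days + 1
        # Assumption: three-day windows are anchored at First Seen; a window
        # counts once however many observation days fall inside it.
        counted = len({(d - first).days // 3 for d in days})
        events[key] = {"first_seen": first, "last_seen": last,
                       "observations": obs_count[key],
                       "duration_days": duration, "counted_days": counted}
    return events


if __name__ == "__main__":
    for key, ev in classify_events(OBSERVATIONS).items():
        print(key, ev)
```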
Frequently Asked Questions
When do Security Ratings Improve?
Compromised Systems events are refreshed daily and are based on events that occur over the past 180 days. The letter grade of a particular risk vector will improve over time after the event’s end date, assuming no new events occur.
Learn more about finding lifetime.
How do Ongoing Infections Impact Bitsight Security Ratings?
All infections have the same raw weight/impact. An infection of a particular family on a given IP only counts against the rating once in a three-day period.
The ratings algorithm is based on the relative ranking of companies. This means that the output ratings do not directly track the raw impact.
In practice, the first few events have the largest impact, because Botnet Infections are rare and even a few findings push the company to a much lower rank relative to many other companies. As the number of Botnet Infection findings grows, each additional finding has a smaller ratings impact, since fewer and fewer companies have that many findings to be ranked against.