- October 22, 2021: Updated default if employee count is unknown, “1000” changed to “100.”
- November 16, 2020: Added Security Incidents.
Large organizations typically have more domains, more machines, and a greater network presence than smaller companies. As a result, they generally have more Compromised Systems and Diligence findings.
To ensure ratings are calculated fairly for large companies, Bitsight Security Ratings are normalized for the size of an organization. Employee count is used as the measure of company size.
A weight (severity) is assigned to each risk vector, as outlined in the risk categories and risk vectors overview. Each risk vector is assigned a letter grade, which is then normalized. Together these steps make the security rating of a large company comparable to that of a small one, and vice versa.
Normalization by Risk Type
All Compromised Systems risk vectors, File Sharing, and Insecure Systems
The finding count feeds into the risk vector's letter grade and is then normalized by company size (employee count), using the following bands:
- 0 - 500 Employees
- 501 - 5,000 Employees
- 5,001 - 20,000 Employees
- 20,001 - 100,000 Employees
- 100,001 - 10,000,000 Employees
If the employee count for an organization is unknown, the employee count defaults to 100.
Diligence
Applies to all Diligence risk vectors except Insecure Systems and Server Software.
Normalization is based on the number of observations that currently impact the risk vector grade.
Server Software
Normalization is based on the number of unique IP addresses on which open ports were observed for the company.
Security Incidents
The size of an organization (measured by employee count) factors into the impact calculation on a logarithmic basis. Before the calculation, the employee count is clamped to a floor of 100 and a ceiling of 100,000 employees, because data is sparse outside that range.
Example employee counts and the resulting impact for each incident severity level:
| Employee count | Minor | Moderate | Severe |
|---|---|---|---|
| 10 | 50 | 100 | 150 |
| 100 | 50 | 100 | 150 |
| 1K | 40 | 80 | 120 |
| 10K | 30 | 60 | 90 |
| 100K | 20 | 40 | 60 |
| 1M | 20 | 40 | 60 |
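The size scaling behind the table above, as an added worked example. This is not Bitsight's own code: the page states only that the scaling is logarithmic and clamped, so the specific form used here (impact falls by 20% of the base value per decade of employees above 100) is an assumption chosen because it reproduces every row of the table; the employee bands and the 100-employee default for unknown counts are taken from the sections above.

```python
import math
from typing import Optional

# Employee-count bands used to normalize Compromised Systems, File Sharing and
# Insecure Systems finding counts (upper bound of each band is inclusive).
SIZE_BANDS = [
    (500, "0-500"),
    (5_000, "501-5,000"),
    (20_000, "5,001-20,000"),
    (100_000, "20,001-100,000"),
    (10_000_000, "100,001-10,000,000"),
]
UNKNOWN_EMPLOYEE_DEFAULT = 100  # used when the employee count is unknown (page value)


def size_band(employees: Optional[int]) -> str:
    """Return the normalization band for an employee count; None means unknown."""
    n = UNKNOWN_EMPLOYEE_DEFAULT if employees is None else employees
    if n < 0:
        raise ValueError("employee count cannot be negative")
    for upper, label in SIZE_BANDS:
        if n <= upper:
            return label
    raise ValueError(f"employee count {n} exceeds the largest band")


# Security Incidents: impact per severity at the 100-employee floor (table values).
SEVERITY_BASE = {"minor": 50, "moderate": 100, "severe": 150}
INCIDENT_FLOOR = 100        # employee counts below this are raised to 100
INCIDENT_CEILING = 100_000  # employee counts above this are lowered to 100,000
DROP_PER_DECADE = 0.2       # ASSUMPTION: fraction of base impact lost per 10x employees


def incident_impact(employees: Optional[int], severity: str) -> float:
    """Impact of one incident for a company of the given size.

    Clamps the employee count to [100, 100000], then scales the severity's base
    impact down linearly in log10(employees / 100). Unknown counts are treated
    as 100 employees (assumption: the page states that default only for the
    finding-count normalization above).
    """
    base = SEVERITY_BASE[severity.lower()]
    n = UNKNOWN_EMPLOYEE_DEFAULT if employees is None else employees
    clamped = min(max(n, INCIDENT_FLOOR), INCIDENT_CEILING)
    decades = math.log10(clamped / INCIDENT_FLOOR)  # 0.0 at 100, 3.0 at 100K
    return round(base * (1 - DROP_PER_DECADE * decades), 2)


def reproduce_table() -> dict:
    """Recompute the page's example table: employees -> (minor, moderate, severe)."""
    sample_counts = [10, 100, 1_000, 10_000, 100_000, 1_000_000]
    return {
        n: tuple(incident_impact(n, sev) for sev in ("minor", "moderate", "severe"))
        for n in sample_counts
    }


if __name__ == "__main__":
    for n, (minor, moderate, severe) in reproduce_table().items():
        print(f"{n:>9} employees ({size_band(n)}): "
              f"minor={minor} moderate={moderate} severe={severe}")
```

The clamp is applied before the logarithm, which is why the 10-employee and 1M-employee rows equal the 100 and 100K rows: outside the clamped range, company size no longer changes the impact.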
Adjusted Peer Analytics Data Counts
For the Risk Vector Details data in Peer Analytics, the displayed finding counts are scaled to the size of your organization. This makes comparisons more meaningful and keeps the displayed reference values useful as guidance when defining your security performance goals.
- Compromised Systems: We adjust for company size (employee count).
- Diligence: We adjust for either the IP count for the Server Software risk vector or record count for all other Diligence risk vectors.
- File Sharing: We adjust for company size (employee count).
Example:
If your company has 10 findings in total, 2 of them BAD, a peer with 100 findings in total, 20 of them BAD, is comparable. The peer's BAD finding count is scaled to your total, 20 × (10 / 100) = 2, and displayed as "2," i.e. 2 BAD findings per 10 total findings.